From: Edwin Groothuis
To: "Sean C. Farley"
Cc: Ollivier Robert, freebsd-net@FreeBSD.org
Date: Sat, 6 Jun 2009 09:42:42 +1000
Subject: Re: NTP - default /etc/ntp.conf
Message-ID: <20090605234242.GA3235@mavetju.org>
References: <20090605124428.GA85576@mavetju.org>

First, thanks to everybody who replied, I've read it all. The ntpd.conf
in the etc/Makefile was a typo of mine.

On Fri, Jun 05, 2009 at 08:52:01AM -0500, Sean C. Farley wrote:
> On Fri, 5 Jun 2009, Edwin Groothuis wrote:
>
> > After pondering at conf/58595, I came up with this text.
> >
> > The ntpd is not enabled by default, so the fact that the servers
> > are commented out should not be an issue.
> >
> > Any objections against adding it to the tree?
>
> I like it.
>
> I would also add restrict lines to it since ntp defaults to being open
> to all packets.
>
> These would ignore everything except the pools (restricted) and
> localhost (open):
> restrict default ignore
> restrict pool.ntp.org nomodify nopeer noquery notrap
> restrict pool.ntp.org nomodify nopeer noquery notrap
> restrict 127.0.0.1
> restrict -6 ::1

I'm a little bit worried about the functionality of this in combination
with the round-robin DNS approach of pool.ntp.org:

I have "server 0.pool.ntp.org" in my NTP configuration, which still only
gives me one NTP server in its internals ("dig 0.pool.ntp.org" gives me
five answers, "ntpq -p" gives me one server). Having "server
0.pool.ntp.org" in my configuration twice will give it two NTP servers
in its internals. So every hostname gives a different NTP server IP
address.

Now we end up at the restrictions, where it resolves 0.pool.ntp.org
again to a different IP address than the previous two, making it not
willing to accept any traffic from the earlier two hosts in the server
statements.

I don't know yet how to overcome this, except for not adding the
restrict statements when using the pool.ntp.org servers :-/

Suggestions are welcome.

Edwin

-- 
Edwin Groothuis       Website: http://www.mavetju.org/
edwin@mavetju.org     Weblog:  http://www.mavetju.org/weblog/
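As an added example (not code from the thread or from FreeBSD), the Python below models what Edwin describes: ntpd resolves each `server` and `restrict` hostname once at startup and then picks the most specific restrict entry for a packet's source address, so a round-robin name resolved in a `restrict` line can land on a different address than the `server` lines did. The resolver, the 192.0.2.x addresses and both config snippets are constructed; going beyond the thread, the second snippet shows that a catch-all `restrict default` carrying flags rather than `ignore` still lets the servers' replies through whichever pool address was resolved, because only `ignore` drops time packets.

```python
from itertools import cycle

# Constructed round-robin DNS answers standing in for the pool (not real pool IPs).
POOL_ANSWERS = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14", "192.0.2.15"]

def make_resolver(answers):
    """Hand out the next A record on every lookup, as a round-robin zone does.
    Simplification: every *.pool.ntp.org name shares one rotation."""
    rr = cycle(answers)
    return lambda name: next(rr) if name.endswith("pool.ntp.org") else name

def load_config(lines, resolve):
    """Resolve server and restrict hostnames once, the way ntpd does at
    startup; returns (server_ips, {restrict_target: set_of_flags})."""
    servers, restrict = [], {}
    for line in lines:
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "server":
            servers.append(resolve(words[1]))
        elif words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            target = "default" if args[0] == "default" else resolve(args[0])
            restrict[target] = set(args[1:])
    return servers, restrict

def flags_for(src, restrict):
    """The most specific entry wins; 'default' is the catch-all."""
    return restrict.get(src, restrict.get("default", set()))

def accepts_time_packet(src, restrict):
    """A server's reply to our own poll is a plain time packet: only 'ignore'
    drops it; nomodify/nopeer/noquery/notrap limit other services instead."""
    return "ignore" not in flags_for(src, restrict)

def check(config_lines, resolve=None):
    """Map each configured server address to whether its replies get in."""
    resolve = resolve or make_resolver(POOL_ANSWERS)
    servers, restrict = load_config(config_lines, resolve)
    return {ip: accepts_time_packet(ip, restrict) for ip in servers}

# Constructed config: Edwin's two server lines followed by Sean's restrict lines.
PROPOSED = ["server 0.pool.ntp.org", "server 0.pool.ntp.org",
            "restrict default ignore",
            "restrict pool.ntp.org nomodify nopeer noquery notrap",
            "restrict pool.ntp.org nomodify nopeer noquery notrap",
            "restrict 127.0.0.1", "restrict -6 ::1"]
# Same servers, but the catch-all carries flags instead of 'ignore'.
FLAGGED_DEFAULT = ["server 0.pool.ntp.org", "server 0.pool.ntp.org",
                   "restrict default nomodify nopeer noquery notrap",
                   "restrict 127.0.0.1", "restrict -6 ::1"]
```

`check(PROPOSED)` reports both resolved servers as dropped, since the restrict lines consumed the third and fourth round-robin answers and the servers fall back to `default ignore`; `check(FLAGGED_DEFAULT)` accepts both.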