On 2016-12-30 16:32, Ask Bjørn Hansen wrote:
> On Tuesday, September 6, 2016 at 1:41:10 AM UTC-7, Miroslav Lichvar wrote:
>> On 2016-09-05, a...@ntppool.org <a...@ntppool.org> wrote:
>>> My draft has the following as the recommendation for someone using the
>>> pool (on 4.2.8 or later):
>>> driftfile /var/lib/ntp/ntp.drift
>>> restrict default kod nomodify notrap nopeer noquery
>>> restrict -6 default kod nomodify notrap nopeer noquery
>> I think this line shouldn't be necessary as restrict default specified
>> without -4 and -6 should apply to both.
> Ok, thank you. Is that the case for older versions of ntpd, too?
> There's obviously a bit of cargo cult going on here, I appreciate the
> help getting to an actual best practices recommendation. :-/
> For Martin's comment about kod and limited:
> I'm not sure if 'limited' works on a reasonably busy NTP server
> (hundreds to a few thousand queries a second) and I don't think
> anyone has shown that KoD packets do something useful for a
> meaningful number of the "bad clients", so I should probably just
> take 'kod' out.

Works with typical bad clients, but most ignore KoD packets anyway, so just
avoid the MRU list overhead and sending KoD - see
http://doc.ntp.org/current-stable/rate.html for how it works.

>>> restrict source notrap nomodify noquery

restrict source was added with pool in 4.2.7p22 2010/04/02, docs updated in
4.2.7p24 2010/04/13.

>>> restrict 127.0.0.1
>>> restrict -6 ::1
>>>
>>> pool 0.pool.ntp.org

Add preempt to pool statements to drop unselected servers and acquire new
servers to maintain a majority clique - see below.

>> How many servers should the client use at the same time? The
>> default value of tos maxclock is 10, so it would use 10 servers.
>> That seems a bit excessive. If it should be equivalent to the
>> current recommendation, the config would need to include
>>
>> tos maxclock 4

Keep it odd - tos maxclock 5 - for sync, majority clique requires truechimers
*>* falsetickers - truechimers == falsetickers is *unsynced* - 5 allows 2
servers "off" in some way at the same time (e.g. during weekend maintenance
windows when servers often drop out - YMMV); see
http://doc.ntp.org/current-stable/select.html .

>> Also, how about adding the iburst option? Considering that a
>> significant part of NTP traffic is from ntpdate (which sends four
>> packets in 2s interval) and that most Linux distributions seem to
>> use iburst in their default ntp.conf, I think it could be
>> recommended to everyone.
>
> Hmm, I could get convinced of that.

Also add iburst to pool statements.
And only use minpoll and/or maxpoll on local ref clocks.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
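The replies in this thread amount to a short checklist of changes to the draft ntp.conf: drop the duplicate `restrict -6 default` line, take `kod`/`limited` out of `restrict default`, put `iburst` and `preempt` on `pool` lines, keep `tos maxclock` odd, and reserve `minpoll`/`maxpoll` for local ref clocks. The script below is an added example (not from the thread, the NTP Pool project or the ntpd distribution) that encodes those points as checks and runs them over two constructed configs: the draft as posted and a revised copy with the suggestions applied. The `parse`, `lint` and `REFCLOCK` names are mine; the one assumption outside the thread is ntpd's convention that local reference clocks are addressed as 127.127.t.u, which is what lets the script tell a refclock `server` line from a network one.

```python
import re

# Constructed "before" config: the draft as posted in the thread.
DRAFT_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict -6 ::1
pool 0.pool.ntp.org
tos maxclock 4
"""

# Constructed "after" config with the thread's suggestions applied:
# one restrict default line, no kod, iburst+preempt on pool, odd maxclock.
REVISED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default nomodify notrap nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict -6 ::1
pool 0.pool.ntp.org iburst preempt
tos maxclock 5
"""

# Assumption: ntpd addresses local reference clocks as 127.127.t.u, so a
# minpoll/maxpoll on any other server/pool line is a network association.
REFCLOCK = re.compile(r"^127\.127\.\d+\.\d+$")


def parse(conf):
    """Yield (keyword, args) for every non-empty, non-comment line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def lint(conf):
    """Return one finding string per point raised in the thread."""
    findings = []
    lines = list(parse(conf))
    # 'restrict default' given without -4/-6 already covers both families.
    has_default_both = any(kw == "restrict" and args[:1] == ["default"]
                           for kw, args in lines)
    for kw, args in lines:
        if kw == "restrict":
            if args[:2] == ["-6", "default"] and has_default_both:
                findings.append("redundant 'restrict -6 default': "
                                "'restrict default' already applies to IPv4 and IPv6")
            for flag in ("kod", "limited"):
                if flag in args:
                    findings.append(f"'{flag}' in 'restrict {' '.join(args)}': "
                                    "MRU list overhead, and most bad clients ignore KoD")
        elif kw in ("pool", "server", "peer"):
            addr = args[0] if args else ""
            opts = set(args[1:])
            if kw == "pool":
                for want in ("iburst", "preempt"):
                    if want not in opts:
                        findings.append(f"pool {addr}: add '{want}'")
            if opts & {"minpoll", "maxpoll"} and not REFCLOCK.match(addr):
                findings.append(f"{kw} {addr}: minpoll/maxpoll only on local refclocks")
        elif kw == "tos" and len(args) >= 2 and args[0] == "maxclock":
            if args[1].isdigit() and int(args[1]) % 2 == 0:
                findings.append(f"tos maxclock {args[1]}: keep it odd (e.g. 5) so "
                                "truechimers can outnumber falsetickers")
    return findings


if __name__ == "__main__":
    for name, conf in (("draft", DRAFT_CONF), ("revised", REVISED_CONF)):
        result = lint(conf)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run as-is it reports six findings for the draft (kod on both default lines, the redundant -6 line, the two missing pool options and the even maxclock) and none for the revised config; point `lint` at your own ntp.conf text to see which of the thread's suggestions it still misses.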