/etc/ntp.conf 'pool' vs 'server' in 15.0 and Current
by lazardo from LinuxQuestions.org on (#6HZ67)
In updating a gateway router running dd-wrt from DNS -> SmartDNS/DoT there is a time synchronization requirement, e.g., if the system clock is too far off it breaks.
This led to looking at formal NTP security models, all of which were rejected as too much effort and/or too few public NTS servers. Ended up using more servers given ntp will manage discrepancies and the impact of getting a rogue is less.
In 15.0, /etc/ntp.conf uses 'server 0.pool.ntp.org iburst' which does a one-shot DNS for each of the given servers, however, if the resolved server goes septic it is dropped but not replaced. After stabilization:

Code:
$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l 1319   64    0    0.000   +0.000   0.000
-198.30.92.2     130.207.244.240  2 u   30   64  377   75.362   +1.088   0.360
+134.215.155.177 216.239.35.0     2 u    4   64  377   76.406   +0.100   2.116
+204.2.134.162   44.24.199.34     3 u    2   64  177   25.089   -0.027   4.707
*44.190.5.123    17.253.4.125     2 u   10   64  377   25.810   +0.126   0.403

In Current, /etc/ntp.conf uses 'pool 0.pool.ntp.org iburst' which will replace a septic server, so I changed 'server' to 'pool', and after 15 minutes, zero synchronization and zero error messages:

Code:
$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.          10 l   55   64  377    0.000   +0.000   0.000
 0.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 1.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 2.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 3.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000

After removing 'nopeer' from the 'restrict' options, it worked:

Code:
$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l  302   64   20    0.000   +0.000   0.000
 0.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 1.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 2.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 3.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
*155.248.196.28  135.45.28.167    2 u   23   64   37   24.452   -0.981   1.553
-45.33.103.94    192.126.175.149  3 u   33   64   37   70.621   +0.744   0.887
-198.30.92.2     130.207.244.240  2 u   34   64   37   75.418   +1.169   0.696
#168.61.215.74   25.66.230.3      3 u   27   64   37   83.765   +5.402   1.037
-71.162.136.44   208.90.144.53    3 u   33   64   37   88.947   +0.347   0.541
+207.244.103.95  129.6.15.28      2 u   22   64   37   89.815   +2.052   1.760
-44.190.5.123    17.253.4.125     2 u   26   64   37   25.312   -0.185   0.768
-44.190.40.123   66.220.9.122     2 u   32   64   37   23.472   +1.784   0.845
+66.205.249.28   204.9.54.119     2 u   19   64   37   80.349   +3.180   1.006
-168.235.89.132  129.6.15.30      2 u   19   64   37   87.500   -6.407   1.689
-96.245.170.99   129.6.15.30      2 u   29   64   37   90.598   -1.032   0.648
#45.55.58.103    69.89.207.199    2 u   27   64   37   97.964   -2.124  12.000
#108.61.23.93    108.61.73.243    3 u   23   64   37   95.238   +3.587   0.733
 204.2.134.162   44.24.199.34     3 u   19   64   17   25.441   -0.476   1.205
#152.70.159.102  132.163.97.4     2 u   19   64   37   39.545   +0.266   5.333

Interesting that both 15.0 and Current use the same ntp version and ntp.conf, including having 'nopeer' in restrictions, yet no one has posted that this is a problem in Current.
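The shell script below is an added example; it is not code from lazardo's post, from Slackware, or from the ntp project. It does two things the post leaves to eyeballing: it lints an ntp.conf for the combination that silently broke synchronization (a 'pool' directive under a default 'restrict ... nopeer' line), and it parses saved 'ntpq -pn' output to tell "selected the local clock driver" apart from "selected a real server", which is why the failure produced no error messages. It assumes ntp 4.2.8, whose ntp.conf documentation gives 'restrict source' (without 'nopeer') as the way to keep 'nopeer' on the default line while still letting pool-discovered servers mobilize; that is narrower than deleting 'nopeer' outright, which also lets unauthenticated symmetric-active and broadcast packets from any host mobilize an association. The two sample ntp.conf files are constructed; the ntpq samples are copied (abridged) from the post's output above. The lint only inspects the default restriction lines.

```shell
#!/bin/sh
# Added example (not from the post or the ntp project): lint ntp.conf for the
# 'pool' vs 'restrict ... nopeer' interaction and check saved 'ntpq -pn'
# output for a real system peer. Assumes ntp 4.2.8 ('restrict source' exists).

# Constructed sample that reproduces the failure in the post: 'pool' lines
# under a default restriction carrying 'nopeer' and no 'restrict source'.
sample_conf_broken() {
    cat <<'EOF'
driftfile /etc/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
pool 0.us.pool.ntp.org iburst
pool 1.us.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
EOF
}

# Same sample with the narrower fix: 'nopeer' stays on the default line and a
# 'restrict source' line (without nopeer) covers servers mobilized via 'pool'.
sample_conf_fixed() {
    cat <<'EOF'
driftfile /etc/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict source kod nomodify notrap noquery
restrict 127.0.0.1
pool 0.us.pool.ntp.org iburst
pool 1.us.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
EOF
}

# check_pool_nopeer FILE: print OK or BROKEN (and return 0 or 1).
# BROKEN = at least one 'pool' directive, a default restriction that includes
# 'nopeer', and no 'restrict source' line free of 'nopeer' to override it.
check_pool_nopeer() {
    stripped=$(sed 's/#.*//' "$1")                      # drop comments first
    pools=$(printf '%s\n' "$stripped" |
        grep -Ec '^[[:space:]]*pool[[:space:]]' || true)
    nopeer_default=$(printf '%s\n' "$stripped" |
        grep -Ec '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default[[:space:]].*nopeer' || true)
    source_without_nopeer=$(printf '%s\n' "$stripped" |
        grep -E '^[[:space:]]*restrict[[:space:]]+source([[:space:]]|$)' |
        grep -vc nopeer || true)
    if [ "$pools" -gt 0 ] && [ "$nopeer_default" -gt 0 ] &&
       [ "$source_without_nopeer" -eq 0 ]; then
        echo BROKEN
        return 1
    fi
    echo OK
}

# ntpq_sys_peer FILE: FILE holds saved 'ntpq -pn' output. Print the address of
# the selected system peer (tally '*') only if it is a unicast server (t == u)
# and return 0; print nothing and return 1 when nothing, or only the local
# clock driver (.LOCL., t == l), is selected: the "synced to itself" state
# that logged no errors in the post.
ntpq_sys_peer() {
    awk 'substr($1, 1, 1) == "*" && $4 == "u" { print substr($1, 2); found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Copied from the post: 'pool' under 'nopeer', only .LOCL. selected.
sample_ntpq_local_only() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.          10 l   55   64  377    0.000   +0.000   0.000
 0.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 1.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
EOF
}

# Copied from the post (abridged): after the fix, a real server is selected.
sample_ntpq_synced() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l  302   64   20    0.000   +0.000   0.000
 0.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
*155.248.196.28  135.45.28.167    2 u   23   64   37   24.452   -0.981   1.553
-45.33.103.94    192.126.175.149  3 u   33   64   37   70.621   +0.744   0.887
+207.244.103.95  129.6.15.28      2 u   22   64   37   89.815   +2.052   1.760
EOF
}

# Stand-alone use: sh ntpcheck.sh /etc/ntp.conf [saved-ntpq-output]
if [ $# -gt 0 ]; then
    check_pool_nopeer "$1"
    if [ $# -gt 1 ]; then ntpq_sys_peer "$2"; fi
fi
```

Run it against the live box with `sh ntpcheck.sh /etc/ntp.conf <(ntpq -pn)` (or save the ntpq output to a file first on a shell without process substitution). A '*' on 127.127.1.0 .LOCL. is not an error from ntpd's point of view, which is why nothing was logged; the second check is the one to put in a monitoring script, since an ntpd that is "synchronized" only to its own local clock driver will happily serve stratum 11 time that is drifting freely.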