r6 - 2014-07-30 - 22:32:20 - HarlanStennYou are here: NTP >  Support Web > ConfiguringNTP > LocalRefclocks > UndisciplinedLocalClock
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p10 was released on 21 March 2017. It addresses 6 medium- and 5 low-severity security issues, 4 informational security topics, 15 bugfixes, and contains other improvements over 4.2.8p9.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

Undisciplined Local Clock

IDEA! The Undisciplined Local Clock should generally no longer be used.

It was originally designed to be used when an ntpd must be able to serve time to others even when no real time sources are reachable. Please see the Distribution Documentation for information about other applications for the Undisciplined Local Clock.

Users of ntp-4.2.2 and later should consider OrphanMode as a means of keeping an isolated group of servers synchronized.

ALERT! The Undisciplined Local Clock is not a back-up for leaf-node (i.e. client only) ntpd instance.

It important that time servers using the Undisciplined Local Clock are not considered as authoritative sources of time by systems on the public Internet. Although the default stratum for the Undisciplined Local Clock is 5, in cases where an ntpd may become accessible outside of your immediate, controlled, network is it strongly suggested the the stratum of the Undisciplined Local Clock be raised to no less than 10.

Configuration

The configuration examples shown here are to be added to ntp.conf in addition to the other configuration directives (e.g. driftfile, statistics, logging, crypto, restrictions, servers, etc.).

There is no required order for these configuration directives.

Single Time Server

server 127.127.1.0
fudge  127.127.1.0 stratum 10

Dual Time Servers

Choose the two systems with the most stable clocks from your group of servers. They should not be virtual machines and they should not be heavily loaded systems. In fact, an old Pentium-1 system dedicated as a time server is often your best choice.

These systems will be configured with the Undisciplined Local Clock with staggered strata (two levels apart). The lowest stratum to use for your primary backup time server should be at least 2 higher than where this ntpd would normally run. If these time servers are publically accessible please use a higher stratum for the Undisciplined Local Clock in your primary back-up server.

Primary back-up server

# We are normally synced to a stratum-2 remote time server
server 127.127.1.0
fudge  127.127.1.0 stratum 5

Secondary back-up server

# Our primary back-up server will operate at stratum 6
server 127.127.1.0
fudge  127.127.1.0 stratum 7

Related Topics: Distribution Documentation: Undisciplined Local Clock, OrphanMode

Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r6 < r5 < r4 < r3 < r2 | More topic actions
Support.UndisciplinedLocalClock moved from Support.ConfiguringLocalRefclocks on 2006-07-27 - 21:13 by SteveKostecke - put it back
 
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback