NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.
ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.
Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.
See OrphanModeDev for discussion of this topic.
6.2. Orphan mode
Orphan Mode is the stated replacement for the UndisciplinedLocalClock. It was added to ntp-4.2.2.
Orphan Mode allows a group of ntpds to autonomously select a leader in the event that all real time sources become unreachable (i.e. are inaccessible).
Orphan Mode is enabled by adding the line "tos orphan N" anywhere in ntp.conf. The N specifies the stratum at which this ntpd will switch to Orphan Mode. For example, an ntpd using "tos orphan 6" will not switch to Orphan Mode as long as a time source of strata 1 through 5 is reachable.
In addition to the "tos orphan" line, all members of the Orphan Mode group must be configured in a mesh (i.e. they must all be clients / peers of each other). Any NTP association mode may be used to set up this mesh.
NTP versions prior to 4.2.4p5 and 4.2.5p101 will not start up properly in Orphan Mode unless at least one time source is configured in ntp.conf. If no time sources are specified, the refid stays at .INIT. and the rootdispersion continually increases. This makes these versions unsuitable for use as stand alone Orphan Mode servers in a time island.
NTP versions after, and including, 4.2.5p101 will start up correctly in pure Orphan Mode.
6.2.1. Configuration
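The two requirements described above (a "tos orphan N" line on every member, and a full mesh between members) can be checked across a group's ntp.conf files before relying on Orphan Mode. The script below is an added example, not part of the NTP distribution or of the original page. The host names, the address and the config contents are constructed, and it assumes a strict reading of the mesh rule: every member names every other member on a server or peer line (other association modes are not analysed).

```python
# Added example: audit a group's ntp.conf files for Orphan Mode readiness.
# Host names, the upstream address and all config text are constructed.
CONFIGS = {
    "ntp-a.example": """
        server 192.0.2.10 iburst      # upstream source (constructed address)
        tos orphan 6
        peer ntp-b.example
        peer ntp-c.example
    """,
    "ntp-b.example": """
        tos minclock 3 orphan 6       # orphan may share a tos line
        peer ntp-a.example
        peer ntp-c.example
    """,
    "ntp-c.example": """
        peer ntp-a.example
        server ntp-b.example          # mesh is complete, but tos orphan is missing
    """,
}

def parse(conf):
    """Return (orphan stratum or None, set of server/peer targets)."""
    orphan, targets = None, set()
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()   # drop comments, tokenize
        if words and words[0] == "tos" and "orphan" in words[1:-1]:
            orphan = int(words[words.index("orphan") + 1])
        elif len(words) > 1 and words[0] in ("server", "peer"):
            targets.add(words[1])
    return orphan, targets

def audit(configs):
    """List the problems that would keep the group from forming an orphan mesh."""
    problems = []
    for host, conf in sorted(configs.items()):
        orphan, targets = parse(conf)
        if orphan is None:
            problems.append(f"{host}: no 'tos orphan N' line")
        for other in sorted(set(configs) - {host} - targets):
            problems.append(f"{host}: no association with {other}")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(CONFIGS)) or "orphan mesh looks complete")
```
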
Related Topics: Distribution Documentation: Orphan Mode, UndisciplinedLocalClock