From: Pekka Helenius Date: Sun, 02 Aug 2020 14:12:40 +0300 Subject: Update default configuration file --- a/ntpd.conf 2020-07-31 23:00:50.000000000 +0300 +++ b/ntpd.conf 2020-08-02 02:30:41.706954890 +0300 @@ -1,11 +1,330 @@ -# $OpenBSD: ntpd.conf,v 1.16 2019/11/06 19:04:12 deraadt Exp $ -# # See ntpd.conf(5) and /etc/examples/ntpd.conf +# BASIC KEYWORDS + +# listen on 127.0.0.1 port 123 + servers pool.ntp.org -server time.cloudflare.com -sensor * +server time.cloudflare.com +sensor * -constraint from "9.9.9.9" # quad9 v4 without DNS -constraint from "2620:fe::fe" # quad9 v6 without DNS +constraint from "9.9.9.9" # quad9 v4 without DNS +constraint from "2620:fe::fe" # quad9 v6 without DNS constraints from "www.google.com" # intentionally not 8.8.8.8 + +constraints from "https://www.duckduckgo.com" port 443 + +# ADVANCED KEYWORDS + +# During OpenNTPD initialization, all NTP peers get +# automatic time offset value, if pre-conditions for +# automatic interval adjustment are being met. +# The conditions are as follows: OpenNTPD configuration +# has constraints, trusted NTP peers or trusted sensors +# and current internally defined process security level +# is 0. In this case, initial time offset value is set +# to 1 which, in return, triggers automatic offset calculation. +# +# In the automatic offset calculation, a trusted NTP +# peer offset values are being counted for each peer. +# For each peer an independent pool size is determined +# by auto_replies value, ignoring the last value. +# For instance, with auto_replies value 4, first +# 3 NTP peer offset values are considered for a single +# NTP peer, and a median offset value of these collected +# 3 offset values is calculated and used for time adjustment. +# +# auto_replies 4 + +# In OpenNTPD initial automatic time offset calculation, +# three conditions are being considered for NTP peers: +# is a NTP peer trusted and current overall constraint-based +# median offset not 0, and whether an initial NTP peer +# time offset exceeds value of auto_threshold . If these +# conditions are met, then auto_threshold value may be +# considered. If NTP peer current time offset value is +# less than auto_threshold , then the system time offset +# value is considered to be already OK, and OpenNTPD stops +# calculating automatic offset value from further NTP peer +# queries. In this case, median offset value is not calculated. +# +# auto_threshold 60 + +# In automatic NTP peer offset calculation mode (during OpenNTPD +# initialization), if NTP peer IP address is still unresolved +# (unknown), the next query is attempted in interval_auto_dnsfail +# seconds. Applies to unresolved constraint IP addresses, as well. +# +# interval_auto_dnsfail 1 + +# Maximum number of attempts to resolve a constraint IP address(es) +# with a DNS query before falling back from constraint_retry_interval +# to interval_auto_dnsfail in constraint initialization. +# +# tries_auto_dnsfail 4 + +# PEM-formatted certificate bundle file +# for constraint HTTPS connections. +# +# constraint_ca /etc/ssl/cert.pem + +# Whether to validate constraint HTTPS +# server certificate. +# +# constraint_ca_validation true + +# Use either LibreSSL (libressl) or OpenSSL (openssl) +# for constraint HTTPS server connections. To +# support chosen TLS engine, ntpd(8) must be +# compiled and run with proper libraries installed +# on the system. Only LibreSSL and OpenSSL are +# supported. +# +# constraint_engine libressl + +# Accepted number of errors during constraint +# process. If error count exceeds this value +# multiplied by calculated peer count, +# constraint connection will be reseted and +# a new constraint is retrieved. +# +# constraint_error_margin 4 + +# Acceptable time difference between retrieved +# HTTP header time value and calculated time +# value in seconds. HTTP header time values +# exceeding this margin value will be ignored. +# +# constraint_margin 120 + +# Maximum allowed HTTP header length of constraint +# HTTPS server reply to be fetched in bytes. If +# the value is exceeded during processing, nothing +# is returned and constraint check fails. +# +# constraint_max_headerlength 8192 + +# Constraint HTTPS servers scan interval in seconds. +# +# constraint_scan_interval 900 + +# Maximum connection establishment time to a +# constraint HTTPS server in seconds. +# +# constraint_scan_timeout 10 + +# ntpd(8) socket file path. +# +# ctlsocket /var/run/ntpd.sock + +# ntpd(8) drift file path. +# +# driftfile /var/db/ntpd.drift + +# Whether to reset frequency filters after +# frequency adjustment. +# +# filter_adjfreq true + +# Number of frequency samples for estimating +# permanent drift value. +# +# frequency_samples 8 + +# Initial trust level for a new, timed out or +# erroneous remote NTP server. Every received +# and non-discarded reply increases trust for +# the server. The trust level is used for +# setting used interval_query_* value for the +# server and keeping track of valid remote NTP +# servers. +# +# A server having this trust level uses remote +# NTP query interval value interval_query_aggressive . +# +# trustlevel_pathetic 2 + +# If a replying remote NTP server has trust level +# one number less than this value, the server gets +# trusted. In this case, the server can achieve +# maximum trust level trustlevel_max . This trust +# level is preceded by trust level trustlevel_pathetic +# and followed by trust level trustlevel_aggressive . +# +# A NTP server having trust level value trustlevel_badpeer , +# or value greater than trustlevel_pathetic but less than +# trustlevel_aggressive uses remote NTP query interval +# value interval_query_aggressive . +# +# In a case of NTP server reply time out, if the server +# has at least trust level value trustlevel_badpeer +# and the trust level value divided by 2 is less than +# the trustlevel_badpeer value, the server will be +# invalidated and falls back to initial trust level +# trustlevel_pathetic . +# +# trustlevel_badpeer 6 + +# Aggressive trust level is preceded by trust level +# trustlevel_badpeer and followed by trust level +# trustlevel_max . If a remote NTP server current trust +# level is at least value of trustlevel_pathetic but +# less than this value, used remote NTP query interval +# is determined by value interval_query_aggressive . +# A server with exact trust level trustlevel_aggressive +# uses query interval interval_query_normal +# (see trustlevel_max below). +# +# trustlevel_aggressive 8 + +# Maximum trust level follows trust level trustlevel_aggressive . +# This is the maximum trust level which a remote NTP +# server can achieve. A server having at least trust +# level trustlevel_aggressive uses remote NTP query +# interval value interval_query_normal . +# +# trustlevel_max 10 + +# Remote NTP server query interval in seconds for servers with +# a trust level value greater than trustlevel_pathetic but less +# than trustlevel_aggressive in a case where a NTP peer does not +# still have large enough pool of already queried offset time values +# for its offset time median calculation (checked against value +# auto replies ) or is not trusted , interval value +# interval_query_ultra_violence may be triggered. +# Applies only to NTP offset calculation automatic mode. +# +# In most cases, interval_query_aggressive is used instead. +# Dynamic offset scale value factors qscale_off_min and qscale_off_max +# are ignored. +# +# interval_query_ultra_violence 1 + +# Remote NTP server query interval in seconds for +# servers with a trust level value less than trustlevel_pathetic . +# Practically never used. +# +# This value is not the final query interval value but +# used in a combination with a dynamic offset scale value, +# determined by qscale_off_min and qscale_off_max . +# +# trustlevel_query_pathetic 60 + +# Remote NTP server query interval in seconds for servers +# with a trust level value greater than trustlevel_pathetic +# but less than trustlevel_aggressive . Since all servers +# start with a value trustlevel_pathetic , it means that +# this is the initial value used for all new, timed out +# or erroneous NTP servers. +# +# This value is not the final query interval value but +# used in a combination with a dynamic offset scale value, +# determined by qscale_off_min and qscale_off_max . +# +# trustlevel_query_aggressive 5 + +# Remote NTP server query interval in seconds for servers +# with a trust level value between trustlevel_aggressive +# and trustlevel_max . +# +# This value is not the final query interval value but +# used in a combination with a dynamic offset scale value, +# determined by qscale_off_min and qscale_off_max . +# +# trustlevel_query_normal 30 + +# Retry time in seconds after failed connection attempt +# to a remote NTP server. +# +# interval_query_timeout 300 + +# Negligible frequency rate to not log in PPM. +# +# log_negligible_adjfreq 0.05 + +# Negligible drift time to not log in milliseconds. +# +# log_negligible_adjtime 32 + +# Maximum number of characters in a ntpctl(8) +# report line (peers, status, sensors and all). +# +# max_display_width 80 + +# Maximum allowed frequency correction per iteration. +# +# max_frequency_adjust 0.0128 + +# Maximum number of errors tolerated before reconnecting +# to a remote NTP server. +# +# max_send_errors 3 + +# Maximum number of remote NTP server IP addresses +# fetched per DNS query. +# +# max_servers_dns 8 + +# ntpd(8) process user name. Group name and working +# directory are internally fetched by getpwnam(3) . +# +# ntpd_user ntp + +# Minimum scale value used for dynamically adjusting +# NTP server query interval time. If median NTP server +# & sensor offset value is lower than this value, then +# this value is used for scale calculation as minimum value. +# Otherwise, the offset value is used as minimum value. +# The offset value is a combined median value, based on +# all NTP server & sensor offset values. +# +# The determined frequency scale is +# qscale_off_max / { qscale_off_min OR median offset } . +# +# In the end, the calculated scale value is multiplied +# one of interval_query_* values (pathetic, aggressive, normal) +# on a client side, and ultimately used for dynamic +# adjustment of client-side NTP server query interval time +# for ntpd(8) process. +# +# qscale_off_min 0.001 + +# Maximum scale value used for dynamically adjusting +# NTP server query interval time. This value is used +# either with a median NTP server & sensor offset value, +# described in qscale_off_min section, or directly with +# the value of qscale_off_min . The more detailed description +# about further use of this value is above and +# in interval_query_* sections. +# +# qscale_off_max 0.050 + +# Maximum time reserved for a single NTP server query +# in seconds. +# +# querytime_max 15 + +# Sensor data maximum valid age in seconds. +# +# sensor_data_maxage 900 + +# Sensor default reference ID string. +# +# sensor_default_refid "HARD" + +# Maximum allowed sensor time offset in seconds. +# +# sensor_offsets 6 + +# Sensor query interval in seconds. +# +# sensor_query_interval 15 + +# Scan interval for new sensors in seconds. +# +# sensor_scan_interval 60 + +# Maximum time to wait for a constraint to reply +# during OpenNTPD initial automatic mode. +# +# settime_timeout 100