|
From: Pekka Helenius <fincer89@hotmail.com>
|
|
Date: Tue, 04 Aug 2020 01:52:17 +0300
|
|
Subject: Update default configuration file
|
|
|
|
|
|
--- a/ntpd.conf 2020-07-31 23:00:50.000000000 +0300
|
|
+++ b/ntpd.conf 2020-08-03 23:19:18.951338773 +0300
|
|
@@ -1,11 +1,321 @@
|
|
-# $OpenBSD: ntpd.conf,v 1.16 2019/11/06 19:04:12 deraadt Exp $
|
|
-#
|
|
# See ntpd.conf(5) and /etc/examples/ntpd.conf
|
|
|
|
+# BASIC KEYWORDS
|
|
+
|
|
+# listen on 127.0.0.1 port 123
|
|
+
|
|
servers pool.ntp.org
|
|
-server time.cloudflare.com
|
|
-sensor *
|
|
+server time.cloudflare.com
|
|
+sensor *
|
|
|
|
-constraint from "9.9.9.9" # quad9 v4 without DNS
|
|
-constraint from "2620:fe::fe" # quad9 v6 without DNS
|
|
+constraint from "9.9.9.9" # quad9 v4 without DNS
|
|
+constraint from "2620:fe::fe" # quad9 v6 without DNS
|
|
constraints from "www.google.com" # intentionally not 8.8.8.8
|
|
+
|
|
+constraints from "https://www.duckduckgo.com" port 443
|
|
+
|
|
+# ADVANCED KEYWORDS
|
|
+
|
|
+# During OpenNTPD initialization, all NTP peers get
|
|
+# automatic time offset value, if pre-conditions for
|
|
+# automatic interval adjustment are being met.
|
|
+# The conditions are as follows: OpenNTPD configuration
|
|
+# has constraints, trusted NTP peers or trusted sensors
|
|
+# and current internally defined process security level
|
|
+# is 0. In this case, initial time offset value is set
|
|
+# to 1 which, in return, triggers automatic offset calculation.
|
|
+#
|
|
+# In the automatic offset calculation, a trusted NTP
|
|
+# peer offset values are being counted for each peer.
|
|
+# For each peer an independent pool size is determined
|
|
+# by auto_replies value, ignoring the last value.
|
|
+# For instance, with auto_replies value 4, first
|
|
+# 3 NTP peer offset values are considered for a single
|
|
+# NTP peer, and a median offset value of these collected
|
|
+# 3 offset values is calculated and used for time adjustment.
|
|
+#
|
|
+# auto_replies 4
|
|
+
|
|
+# In OpenNTPD initial automatic time offset calculation,
|
|
+# three conditions are being considered for NTP peers:
|
|
+# is a NTP peer trusted and current overall constraint-based
|
|
+# median offset not 0, and whether an initial NTP peer
|
|
+# time offset exceeds value of auto_threshold . If these
|
|
+# conditions are met, then auto_threshold value may be
|
|
+# considered. If NTP peer current time offset value is
|
|
+# less than auto_threshold , then the system time offset
|
|
+# value is considered to be already OK, and OpenNTPD stops
|
|
+# calculating automatic offset value from further NTP peer
|
|
+# queries. In this case, median offset value is not calculated.
|
|
+#
|
|
+# auto_threshold 60
|
|
+
|
|
+# In automatic NTP peer offset calculation mode (during OpenNTPD
|
|
+# initialization), if NTP peer IP address is still unresolved
|
|
+# (unknown), the next query is attempted in interval_auto_dnsfail
|
|
+# seconds. Applies to unresolved constraint IP addresses, as well.
|
|
+#
|
|
+# interval_auto_dnsfail 1
|
|
+
|
|
+# Maximum number of attempts to resolve a constraint IP address(es)
|
|
+# with a DNS query before falling back from constraint_retry_interval
|
|
+# to interval_auto_dnsfail in constraint initialization.
|
|
+#
|
|
+# tries_auto_dnsfail 4
|
|
+
|
|
+# PEM-formatted certificate bundle file
|
|
+# for constraint HTTPS connections.
|
|
+#
|
|
+# constraint_ca /etc/ssl/cert.pem
|
|
+
|
|
+# Whether to validate constraint HTTPS
|
|
+# server certificate.
|
|
+#
|
|
+# constraint_ca_validation true
|
|
+
|
|
+# Use either LibreSSL (libressl) or OpenSSL (openssl)
|
|
+# for constraint HTTPS server connections. To
|
|
+# support chosen TLS engine, ntpd(8) must be
|
|
+# compiled and run with proper libraries installed
|
|
+# on the system. Only LibreSSL and OpenSSL are
|
|
+# supported.
|
|
+#
|
|
+# constraint_engine libressl
|
|
+
|
|
+# Accepted number of errors during constraint
|
|
+# process. If error count exceeds this value
|
|
+# multiplied by calculated peer count,
|
|
+# constraint connection will be reseted and
|
|
+# a new constraint is retrieved.
|
|
+#
|
|
+# constraint_error_margin 4
|
|
+
|
|
+# Acceptable time difference between retrieved
|
|
+# HTTP header time value and calculated time
|
|
+# value in seconds. HTTP header time values
|
|
+# exceeding this margin value will be ignored.
|
|
+#
|
|
+# constraint_margin 120
|
|
+
|
|
+# Maximum allowed HTTP header length of constraint
|
|
+# HTTPS server reply to be fetched in bytes. If
|
|
+# the value is exceeded during processing, nothing
|
|
+# is returned and constraint check fails.
|
|
+#
|
|
+# constraint_max_headerlength 8192
|
|
+
|
|
+# Constraint HTTPS servers scan interval in seconds.
|
|
+#
|
|
+# constraint_scan_interval 900
|
|
+
|
|
+# Maximum connection establishment time to a
|
|
+# constraint HTTPS server in seconds.
|
|
+#
|
|
+# constraint_scan_timeout 10
|
|
+
|
|
+# ntpd(8) socket file path.
|
|
+#
|
|
+# ctlsocket /var/run/ntpd.sock
|
|
+
|
|
+# ntpd(8) drift file path.
|
|
+#
|
|
+# driftfile /var/db/ntpd.drift
|
|
+
|
|
+# Whether to reset frequency filters after
|
|
+# frequency adjustment.
|
|
+#
|
|
+# filter_adjfreq true
|
|
+
|
|
+# Number of frequency samples for estimating
|
|
+# permanent drift value.
|
|
+#
|
|
+# frequency_samples 8
|
|
+
|
|
+# Initial trust level for a new, timed out or
|
|
+# erroneous remote NTP server. Every received
|
|
+# and non-discarded reply increases trust for
|
|
+# the server. The trust level is used for
|
|
+# setting used interval_query_* value for the
|
|
+# server and keeping track of valid remote NTP
|
|
+# servers.
|
|
+#
|
|
+# A server having this trust level uses remote
|
|
+# NTP query interval value interval_query_aggressive .
|
|
+#
|
|
+# trustlevel_pathetic 2
|
|
+
|
|
+# If a replying remote NTP server has trust level
|
|
+# one number less than this value, the server gets
|
|
+# trusted. In this case, the server can achieve
|
|
+# maximum trust level trustlevel_max . This trust
|
|
+# level is preceded by trust level trustlevel_pathetic
|
|
+# and followed by trust level trustlevel_aggressive .
|
|
+#
|
|
+# A NTP server having trust level value trustlevel_badpeer ,
|
|
+# or value greater than trustlevel_pathetic but less than
|
|
+# trustlevel_aggressive uses remote NTP query interval
|
|
+# value interval_query_aggressive .
|
|
+#
|
|
+# In a case of NTP server reply time out, if the server
|
|
+# has at least trust level value trustlevel_badpeer
|
|
+# and the trust level value divided by 2 is less than
|
|
+# the trustlevel_badpeer value, the server will be
|
|
+# invalidated and falls back to initial trust level
|
|
+# trustlevel_pathetic .
|
|
+#
|
|
+# trustlevel_badpeer 6
|
|
+
|
|
+# Aggressive trust level is preceded by trust level
|
|
+# trustlevel_badpeer and followed by trust level
|
|
+# trustlevel_max . If a remote NTP server current trust
|
|
+# level is at least value of trustlevel_pathetic but
|
|
+# less than this value, used remote NTP query interval
|
|
+# is determined by value interval_query_aggressive .
|
|
+# A server with exact trust level trustlevel_aggressive
|
|
+# uses query interval interval_query_normal
|
|
+# (see trustlevel_max below).
|
|
+#
|
|
+# trustlevel_aggressive 8
|
|
+
|
|
+# Maximum trust level follows trust level trustlevel_aggressive .
|
|
+# This is the maximum trust level which a remote NTP
|
|
+# server can achieve. A server having at least trust
|
|
+# level trustlevel_aggressive uses remote NTP query
|
|
+# interval value interval_query_normal .
|
|
+#
|
|
+# trustlevel_max 10
|
|
+
|
|
+# Remote NTP server query interval in seconds for servers with
|
|
+# a trust level value greater than trustlevel_pathetic but less
|
|
+# than trustlevel_aggressive in a case where a NTP peer does not
|
|
+# still have large enough pool of already queried offset time values
|
|
+# for its offset time median calculation (checked against value
|
|
+# auto replies ) or is not trusted , interval value
|
|
+# interval_query_ultra_violence may be triggered.
|
|
+# Applies only to NTP offset calculation automatic mode.
|
|
+#
|
|
+# In most cases, interval_query_aggressive is used instead.
|
|
+# Dynamic offset scale value factors qscale_off_min and qscale_off_max
|
|
+# are ignored.
|
|
+#
|
|
+# interval_query_ultra_violence 1
|
|
+
|
|
+# Remote NTP server query interval in seconds for
|
|
+# servers with a trust level value less than trustlevel_pathetic .
|
|
+# Practically never used.
|
|
+#
|
|
+# This value is not the final query interval value but
|
|
+# used in a combination with a dynamic offset scale value,
|
|
+# determined by qscale_off_min and qscale_off_max .
|
|
+#
|
|
+# trustlevel_query_pathetic 60
|
|
+
|
|
+# Remote NTP server query interval in seconds for servers
|
|
+# with a trust level value greater than trustlevel_pathetic
|
|
+# but less than trustlevel_aggressive . Since all servers
|
|
+# start with a value trustlevel_pathetic , it means that
|
|
+# this is the initial value used for all new, timed out
|
|
+# or erroneous NTP servers.
|
|
+#
|
|
+# This value is not the final query interval value but
|
|
+# used in a combination with a dynamic offset scale value,
|
|
+# determined by qscale_off_min and qscale_off_max .
|
|
+#
|
|
+# trustlevel_query_aggressive 5
|
|
+
|
|
+# Remote NTP server query interval in seconds for servers
|
|
+# with a trust level value between trustlevel_aggressive
|
|
+# and trustlevel_max .
|
|
+#
|
|
+# This value is not the final query interval value but
|
|
+# used in a combination with a dynamic offset scale value,
|
|
+# determined by qscale_off_min and qscale_off_max .
|
|
+#
|
|
+# trustlevel_query_normal 30
|
|
+
|
|
+# Retry time in seconds after failed connection attempt
|
|
+# to a remote NTP server.
|
|
+#
|
|
+# interval_query_timeout 300
|
|
+
|
|
+# Negligible frequency rate to not log in PPM.
|
|
+#
|
|
+# log_negligible_adjfreq 0.05
|
|
+
|
|
+# Negligible drift time to not log in milliseconds.
|
|
+#
|
|
+# log_negligible_adjtime 32
|
|
+
|
|
+# Maximum allowed frequency correction per iteration.
|
|
+#
|
|
+# max_frequency_adjust 0.0128
|
|
+
|
|
+# Maximum number of errors tolerated before reconnecting
|
|
+# to a remote NTP server.
|
|
+#
|
|
+# max_send_errors 3
|
|
+
|
|
+# Maximum number of remote NTP server IP addresses
|
|
+# fetched per DNS query.
|
|
+#
|
|
+# max_servers_dns 8
|
|
+
|
|
+# ntpd(8) process user name. Group name and working
|
|
+# directory are internally fetched by getpwnam(3) .
|
|
+#
|
|
+# ntpd_user ntp
|
|
+
|
|
+# Minimum scale value used for dynamically adjusting
|
|
+# NTP server query interval time. If median NTP server
|
|
+# & sensor offset value is lower than this value, then
|
|
+# this value is used for scale calculation as minimum value.
|
|
+# Otherwise, the offset value is used as minimum value.
|
|
+# The offset value is a combined median value, based on
|
|
+# all NTP server & sensor offset values.
|
|
+#
|
|
+# The determined frequency scale is
|
|
+# qscale_off_max / { qscale_off_min OR median offset } .
|
|
+#
|
|
+# In the end, the calculated scale value is multiplied
|
|
+# one of interval_query_* values (pathetic, aggressive, normal)
|
|
+# on a client side, and ultimately used for dynamic
|
|
+# adjustment of client-side NTP server query interval time
|
|
+# for ntpd(8) process.
|
|
+#
|
|
+# qscale_off_min 0.001
|
|
+
|
|
+# Maximum scale value used for dynamically adjusting
|
|
+# NTP server query interval time. This value is used
|
|
+# either with a median NTP server & sensor offset value,
|
|
+# described in qscale_off_min section, or directly with
|
|
+# the value of qscale_off_min . The more detailed description
|
|
+# about further use of this value is above and
|
|
+# in interval_query_* sections.
|
|
+#
|
|
+# qscale_off_max 0.050
|
|
+
|
|
+# Maximum time reserved for a single NTP server query
|
|
+# in seconds.
|
|
+#
|
|
+# querytime_max 15
|
|
+
|
|
+# Sensor data maximum valid age in seconds.
|
|
+#
|
|
+# sensor_data_maxage 900
|
|
+
|
|
+# Sensor default reference ID string.
|
|
+#
|
|
+# sensor_default_refid "HARD"
|
|
+
|
|
+# Sensor query interval in seconds.
|
|
+#
|
|
+# sensor_query_interval 15
|
|
+
|
|
+# Scan interval for new sensors in seconds.
|
|
+#
|
|
+# sensor_scan_interval 60
|
|
+
|
|
+# Maximum time to wait for a constraint to reply
|
|
+# during OpenNTPD initial automatic mode.
|
|
+#
|
|
+# settime_timeout 100
|