Core: Better defaults for NTP

Created on 3 Feb 2017 · 13 comments · Source: opnsense/core

Hi,

At the moment the config ships with a single upstream server configured for NTP, using the country specific pool DNS name for Holland. This is likely not quite optimal for everybody, as OPN is used worldwide.

Best practices would suggest that 4 upstream servers are configured and that if you are pointing to the pool by default you should either:

1) Apply for a vendor specific zone (http://www.pool.ntp.org/en/vendors.html)

2) Set upstreams as 0/1/2/3.pool.ntp.org

feature

All 13 comments

Or use Google's NTP servers by default

From: Will Jones notifications@github.com
Sent: Friday, February 3, 2017 4:46:23 PM
To: opnsense/core
Cc: Subscribed
Subject: [opnsense/core] Better defaults for NTP (#1374)

Google implements smeared time on their public NTP servers, I'm not sure setting them by default is a good idea. If someone had a device in their network using both their opnsense box and some other upstreams for NTP ideally those servers all need to be referencing servers that smear time or that do not.

Using upstream NTP servers that implement smeared time should be a conscious decision for people in my opinion, not something we set by default.

We should request the vendor pool and use it. Some more requests from a crash report love letter via @roger225:

According to this page (http://www.pool.ntp.org/join/configuration.html), I have to use these lines in /var/etc/ntpd.conf to make the NTP public server work.

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

I modified /usr/local/etc/inc/plugins.inc.d/ntpd.inc in a temporary way, because I don't have enough web development knowledge XD
(https://github.com/roger225/ntp-public-server-opnsense)

Perhaps you can add a checkbox which will write the above lines to /var/etc/ntpd.conf for NTP public server use.
It will be very helpful.

What I did manually: Set my ISP NTP server and three from the NTP pool for my country. Maybe that's an option too?

You can manually set whatever you want frankly, though using the country specific NTP pools is no longer recommended by the people that run them.

This request was about having better /default/ settings, not what you manually set.

Hopefully Fitch will be able to get a custom vendor pool set up for the NTP pool and that will be used by default, people can then change that if they want to but it is a better option than pointing to a single reference using the .nl pool server.

@willjones Thanks for pointing to the recommendation to not use country specific pools any more, I wasn't aware of this. For the record:

Looking up pool.ntp.org (or 0.pool.ntp.org, 1.pool.ntp.org, etc) will usually return IP addresses for servers in or close to your country. For most users this will give the best results

However, my suggestion was not to set it manually, but to consider setting the ISP's NTP server (if possible) together with some pool addresses as the default.

I just re-read the "recommendation" of the ntp pool guys - in my opinion this is NOT a recommendation to not use country specific pools.

Looking up pool.ntp.org (or 0.pool.ntp.org, 1.pool.ntp.org, etc) will usually return IP addresses for servers in or close to your country. For most users this will give the best results.

But if you read on from there, there is another quote:

You can also use the continental zones (For example europe, north-america, oceania or asia.pool.ntp.org), and a country zone (like ch.pool.ntp.org in Switzerland) - for all these zones, you can again use the 0, 1 or 2 prefixes, like 0.ch.pool.ntp.org. Note, however, that the country zone might not exist for your country, or might contain only one or two timeservers.

In the end there is just the recommendation to use the pool directly because it is the easiest solution for most users. When using the country specific pools there is definitely no recommendation not to use them, only a warning in case your country pool contains only a small number of servers.

And from the vendor page:

You must absolutely not use the default pool.ntp.org zone names as the default configuration in your application or appliance.

so, what do we do now?! :)

I'd strongly recommend to apply for a vendor zone here: https://manage.ntppool.org/manage/vendor

Quoting http://www.pool.ntp.org/en/vendors.html:

  • _Audience for this document [...] some other kind of software using NTP_
  • _Get your vendor zone [...] You must absolutely not use the default pool.ntp.org zone names as the default configuration in your application or appliance._ (personal note: as they use the plural, this includes the default country pools in my opinion)

So I think the best way is to apply for the vendor zone opnsense.pool.ntp.org - then they will set up those hostnames:

  • 0.opnsense.pool.ntp.org
  • 1.opnsense.pool.ntp.org
  • 2.opnsense.pool.ntp.org
  • 3.opnsense.pool.ntp.org

It would be very nice if this could be done now, so that the default could be these vendor specific hosts for OPNsense 18.1 :-)

Thanks Werner, submitted vendor zone application now.

So, follow up, do we only set "opnsense.pool.ntp.org" or do we use "0.opnsense.pool.ntp.org" or do we use multiple "x.opnsense.pool.ntp.org" servers in the default config (if the latter, how many)?

You must use a digit {0,1,2,3} up front. The name opnsense.pool.ntp.org will not return a DNS A-record; only 0.opnsense.pool.ntp.org, 1.opnsense.pool.ntp.org, 2.opnsense.pool.ntp.org and 3.opnsense.pool.ntp.org will return a valid DNS record.

Quoting http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#Q-SERVER-NUMBER:

  • _What is the rule of thumb for number of servers to synchronize to? It is entirely up to you and your tolerance for outages. Obviously you have some tolerance, or you would be buying GPS receivers and installing your own stratum-1 servers. But three is a good place to start, and you can progress to three-groups-of-three if you feel the need. Remember that network outages are at least as likely as timeserver outages, so if you only have one network path to the outside world then adding a lot more timeservers doesn't really improve your reliability (your ISP is the single-point-of-failure)._

On http://www.pool.ntp.org/en/vendors.html they mention some other implementation specifics: _You can choose either to implement a full ntpd server or a simpler SNTP implementation. A few more pointers and ground-rules:_

  • _Only use the pool.ntp.org hostnames designated to you (typically {0,1,2,3}.{vendor}.pool.ntp.org)_
  • _Do implement handling of the "KoD" response_
  • _Don't send excessively frequent queries. Reasonable query intervals are typically from once or twice a day to a 4-5 times an hour depending on the application. Really consider how often the device will need "fresh time". A standard ntpd or openntpd server works, too._
  • _Do have your devices query the NTP servers at random times of the day. For example every 43200 seconds since boot is good, at midnight every day is bad._
  • _Read the new SNTP RFC if you are implementing an SNTP client._

I'm not 100% sure how the current OPNsense NTP configuration fits all these requirements. Here is /var/etc/ntpd.conf from my OPNsense 17.7:

#
# Autogenerated configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 12


# Upstream Servers
server 0.de.pool.ntp.org iburst maxpoll 9


disable monitor
statsdir /var/log/ntp
logconfig =syncall +clockall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap

Maybe we should check the man page https://www.freebsd.org/cgi/man.cgi?ntpd(8) to ensure that OPNsense's ntp configuration is as good as it could be? (@fichtner I could take a look on it, if none of your team has currently time for this - just let me know)
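As an added, illustrative example that is not part of this thread or of OPNsense's own code: a small Python audit that checks an ntpd.conf against the points raised in the comments above (three or more upstreams per the NTP FAQ, the {0,1,2,3}.opnsense.pool.ntp.org vendor hostnames rather than a country zone, and the restrict flags from the pool "join" page that roger225 posted). The required flag set, the hostname pattern, the helper names and both sample configs are my own constructions; the 17.7 sample is a trimmed copy of the file quoted above, and the second sample shows the same file with the vendor zone and join-page restrict lines applied.

```python
"""Audit an ntpd.conf against the pool.ntp.org vendor guidance quoted in the thread.

Constructed example, not OPNsense code. Checks are derived from the vendor page
({0,1,2,3}.<vendor>.pool.ntp.org only), the NTP FAQ (three or more upstreams)
and the restrict lines from the pool "join" page.
"""
import re

# Flags the pool.ntp.org join page puts on the default restrict line (assumed required set).
REQUIRED_RESTRICT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}
# Matches pool hostnames: optional {0..3} prefix, optional zone (vendor, country, continent).
POOL_HOST = re.compile(r"^(?:(?P<digit>[0-3])\.)?(?P<zone>(?:[a-z0-9-]+\.)*)pool\.ntp\.org$")


def parse_ntpd_conf(text):
    """Return (servers, restricts).

    servers   -> list of (hostname, set of options)
    restricts -> list of (family, target, set of flags), family is "ipv4" or "ipv6"
    """
    servers, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in ("server", "pool", "peer") and len(words) > 1:
            servers.append((words[1], set(words[2:])))
        elif words[0] == "restrict" and len(words) > 1:
            flags = words[1:]
            family = "ipv6" if flags[0] == "-6" else "ipv4"
            if flags[0] in ("-4", "-6"):
                flags = flags[1:]
            restricts.append((family, flags[0], set(flags[1:])))
    return servers, restricts


def audit_ntpd_conf(text, vendor="opnsense"):
    """Return human-readable findings; an empty list means the config meets the guidance."""
    findings = []
    servers, restricts = parse_ntpd_conf(text)

    if len(servers) < 3:
        findings.append(f"only {len(servers)} upstream server(s) configured; the NTP FAQ suggests three or more")

    for host, _opts in servers:
        m = POOL_HOST.match(host)
        if m is None:
            continue  # ISP or private servers are outside the pool guidance
        zone = m.group("zone").rstrip(".")
        if zone != vendor:
            findings.append(f"{host} uses pool zone '{zone or 'default'}' instead of the vendor zone {vendor}.pool.ntp.org")
        elif m.group("digit") is None:
            findings.append(f"{host} lacks the {{0,1,2,3}} prefix; the bare vendor name has no A record")

    for family in ("ipv4", "ipv6"):
        defaults = [flags for fam, target, flags in restricts if fam == family and target == "default"]
        if not defaults:
            findings.append(f"no 'restrict default' line for {family}")
            continue
        missing = REQUIRED_RESTRICT_FLAGS - defaults[0]
        if missing:
            findings.append(f"{family} default restrict lacks: {' '.join(sorted(missing))}")
    return findings


def vendor_server_lines(vendor="opnsense", count=4, options="iburst maxpoll 9"):
    """Server lines for the {0..count-1}.<vendor>.pool.ntp.org hostnames the pool hands out."""
    return [f"server {i}.{vendor}.pool.ntp.org {options}" for i in range(count)]


# Constructed, trimmed copy of the /var/etc/ntpd.conf quoted in the thread (OPNsense 17.7).
CONF_17_7 = """\
tinker panic 0
tos orphan 12
server 0.de.pool.ntp.org iburst maxpoll 9
disable monitor
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap
"""

# The same file with the vendor zone and the join-page restrict flags applied (constructed).
CONF_VENDOR = "\n".join(
    ["tinker panic 0", "tos orphan 12"]
    + vendor_server_lines()
    + [
        "driftfile /var/db/ntpd.drift",
        "restrict default kod limited nomodify notrap nopeer noquery",
        "restrict -6 default kod limited nomodify notrap nopeer noquery",
        "restrict 127.0.0.1",
        "restrict -6 ::1",
    ]
) + "\n"

if __name__ == "__main__":
    for name, conf in (("17.7 default", CONF_17_7), ("vendor zone", CONF_VENDOR)):
        print(f"== {name}")
        for finding in audit_ntpd_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run as-is, the 17.7 sample produces four findings (a single upstream, the `de` country zone, and `noquery` missing from both default restrict lines), while the vendor-zone sample produces none; non-pool hostnames such as an ISP's server are deliberately left alone, since the vendor guidance only constrains pool.ntp.org names.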

Good news everyone!

Your vendor pool zone "opnsense" has been setup.  The
hostnames are below.  They will be active within a few hours.
  0.opnsense.pool.ntp.org
  1.opnsense.pool.ntp.org
  2.opnsense.pool.ntp.org
  3.opnsense.pool.ntp.org