OpenBSD Journal

ntpd auto time setting

Contributed by Paul 'WEiRD' de Weerd on from the no time like the present dept.

Otto Moerbeek (otto@) has written an update on his recent ntpd(8) work to the tech@ mailing list:


I have been working on a nice feature that improves startup behaviour of ntpd.

Summary: make sure you have at least one constraint source configured and use no options. ntpd will set the clock if needed, even if your machine has no battery backed up clock and is running a DNSSEC validating resolver.

Previously, using constraints or a DNSSEC validating resolver would break initial time setting, since doing https certificate and DNSSEC validation requires a proper clock. And we do not have that in above circumstances.

In addition to previous work from jsing@ regarding https certificate validation, my commits enable time bootstrapping in these adverse conditions.

You want to stop using -s if you did, since the new method is more robust and more secure. (-s trusts any ntp reply, while the new automatic mode only does so if several ntp replies were validated).

The last commit was a few hours ago, upcoming snaps should have all the nice things.


For those that missed it, Otto's last comment about upcoming snaps is a veiled call for testing. Please make sure you give the latest ntpd a spin, and remove the -s option from your configuration if you have it. Many thanks to Otto for improving time sync on our machines!
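To check a machine against the two points in the summary (a constraint source is configured, and -s is no longer passed), the following sh script can be used. It is an added example, not code from the article or from the OpenBSD project. It assumes the configuration lives in an ntpd.conf-style file and the daemon flags in an rc.conf.local-style `ntpd_flags=` line; the function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: audit an ntpd setup against the advice in the article.
# Succeeds if an ntpd.conf-style file has an active (uncommented)
# "constraint from" or "constraints from" line.
has_constraint() {
	grep -Eq '^[[:space:]]*constraints?[[:space:]]+from[[:space:]]' "$1" 2>/dev/null
}

# Prints the value of the last ntpd_flags= line in an rc.conf.local-style file.
ntpd_flags() {
	sed -n 's/^[[:space:]]*ntpd_flags=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Succeeds if the flag string contains -s, alone or bundled (e.g. -sv).
# Assumption: d, n, S, s and v are the option letters that take no argument.
uses_dash_s() {
	for w in $1; do
		case $w in
			-*[!dnSsv]*) ;;       # e.g. -f: not a pure bundle of those letters
			-*s*) return 0 ;;
		esac
	done
	return 1
}

# Prints one line per finding; the return status is the number of findings.
audit_ntpd() {
	conf=$1 rclocal=$2 problems=0
	if ! has_constraint "$conf"; then
		echo "$conf: no constraint source configured"
		problems=$((problems + 1))
	fi
	if uses_dash_s "$(ntpd_flags "$rclocal")"; then
		echo "$rclocal: ntpd_flags contains -s, remove it"
		problems=$((problems + 1))
	fi
	return "$problems"
}

# Constructed sample files: constraint commented out, -s still set.
demo() {
	d=$(mktemp -d) || return 1
	printf 'servers pool.ntp.org\n#constraints from "https://www.example.org"\n' >"$d/ntpd.conf"
	printf 'ntpd_flags="-s"\n' >"$d/rc.conf.local"
	audit_ntpd "$d/ntpd.conf" "$d/rc.conf.local"; rc=$?
	rm -rf "$d"; return "$rc"
}

if [ $# -gt 0 ]; then audit_ntpd "$@"; else demo || true; fi
```

Called with two paths (for example /etc/ntpd.conf and /etc/rc.conf.local) it audits those files; with no arguments it runs on the constructed samples and reports both findings.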
