Contributed by Paul 'WEiRD' de Weerd on from the no time like the present dept.
I have been working on a nice feature that improves startup behaviour of ntpd.
Summary: make sure you have at least one constraint source configured and use no options. ntpd will set the clock if needed, even if you machines has no battery backed up clock and is running a DNSSEC validating resolver.
Previoulsy, using constraints or a DNSSEC validating resolver would break initial time setting, since doing https certificate and DNSSEC validation requires a proper clock. An we do not have that in above circumstances.
In addition to previous work from jsing@ regarding https certificate validation my commits enable time bootstrapping in these adverse conditions.
You want to stop using -s if you did, since the new method is more robust and more secure. (-s trusts any ntp reply, while the new automatic mode only does so if several ntp replies were validated).
The last commit was a few hours ago, upcoming snaps should have all the nice things.
For those that missed it, Otto's last comment about upcoming snaps is a veiled call for testing. Please make sure you give the latest ntpd a spin, and remove the -s option from your configuration if you have it. Many thanks to Otto for improving time sync on our machines!
(Comments are closed)