Ubuntu 16 NTP notes

I love NTP. What’s it look like in Ubuntu 16? ntpd is pretty much the same, but some things have changed, or I’ve never noticed them before.

Debug mode 7 queries are now entirely disabled. The ntpdc program basically doesn’t work; you use ntpq instead. Given the number of times this protocol has been used in UDP amplification DDoS attacks, it’s a necessary change.

ntpd is started with the -g flag. This flag allows ntpd to set the system clock once, at startup, no matter how far out of sync it is. The default behavior is to never move the clock more than 1000 s, as a sort of sanity check. In practice it’s usually the client that’s insane, not the server.

Servers are now configured like this:

pool 0.ubuntu.pool.ntp.org iburst

“iburst” means ntpd will try 8 times in 16 seconds to reach an unreachable server. The “pool” directive is not in the man pages, but these docs explain it. It tells ntpd to use DNS differently, looking up random new IP addresses every time it resolves the name. I’m not positive, but I think ntpd still isn’t smart enough to look up a new pool IP address every few days or when a server goes offline. But at least it’ll get different IP addresses for the same hostname.
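Since ntpq is now the only way to see how ntpd is doing with the servers it pulled out of the pool, here is an added example (my own script, not from the original post or from the ntp project) that reads `ntpq -pn` output and reports which peers have missed recent polls. The sample output is constructed; the reach column is ntpd’s octal 8-bit register of the last eight polls, and the pool placeholder row (type "p") is skipped because it never answers itself.

```shell
#!/bin/sh
# Added example (not from the original post): parse `ntpq -pn` output and
# flag peers ntpd has failed to reach recently. The "reach" column is an
# octal 8-bit shift register of the last eight polls: 377 means all eight
# answered, 0 means none did. Pool placeholder rows (type "p") are skipped;
# they never answer themselves, real peers are spun off from them.

# Constructed sample of `ntpq -pn` output so the script runs offline.
SAMPLE_NTPQ_OUTPUT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
*192.0.2.10      .GPS.            1 u   34   64  377    0.512   -0.034   0.021
+192.0.2.11      192.0.2.10       2 u   20   64  376    1.234    0.101   0.045
 192.0.2.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Reads ntpq -pn output on stdin; prints "<address> <missed-of-last-8> <state>"
# per peer. Returns 1 if any peer is degraded, 0 if all answered every poll.
ntp_reach_report() {
    degraded=0
    while IFS= read -r line; do
        case "$line" in
            *remote*refid*|==*|'') continue ;;   # header, rule, blank
        esac
        # Column 1 is the tally code (* + - space x # o .); drop it, then
        # split the rest into: remote refid st t when poll reach ...
        set -f; set -- ${line#?}; set +f
        remote=$1; ptype=$4; reach=$7
        [ "$ptype" = "p" ] && continue            # pool placeholder
        bits=$((0$reach))                         # octal -> integer
        missed=0; i=0
        while [ "$i" -lt 8 ]; do
            [ $(((bits >> i) & 1)) -eq 0 ] && missed=$((missed + 1))
            i=$((i + 1))
        done
        if [ "$missed" -eq 0 ]; then
            echo "$remote 0 ok"
        else
            echo "$remote $missed degraded"; degraded=1
        fi
    done
    return $degraded
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NTPQ_OUTPUT" | ntp_reach_report \
    || echo "warning: at least one peer is degraded"
```

On a live host, replace the sample with `ntpq -pn | ntp_reach_report`; a peer stuck at reach 0 with refid .INIT. is exactly the offline-pool-server case worried about above.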

In addition to ntpdate/ntpd, Ubuntu also now provides timedatectl and systemd-timesyncd, part of the systemd hydra. It’s not very well documented; see Arch’s docs and this announcement. It’s a lightweight, client-only time synchronizer. That seems like a good idea for security and client footprint, but it may be a bit too lightweight. It sounds like it only gets time from one server, for instance, and I wonder if they’re doing the PLL clock syncing that makes ntpd so good. systemd’s stuff gets out of the way if you are running ntpd.