Image of Cortney & Jeremy

OpenBSD Violates NTP Pool Guidelines

by Jeremy L. Gaddis on July 1, 2015 · 0 comments

in Uncategorized

Note: When I began writing this, I was going to go into a lot more detail, explaining ntpd (the reference implementation), OpenNTPD, the NTP Pool Project, etc. I may do that in a follow-up post but, for now, I’ll keep it short and to the point.

The NTP Pool Project has a set of “basic guidelines” whose intended audience is “anyone distributing an appliance, operating system or some other kind of software using NTP”. This almost certainly includes OpenBSD (an operating system) which ships with OpenNTPD (an NTP implementation).

The NTP Pool Project‘s “Basic guidelines” clearly state:

“Do not use the standard pool.ntp.org names as a default configuration in your system.”

A little further down, to reiterate the importance of this, they again state (emphasis in the original):

“You must absolutely not use the default pool.ntp.org zone names as the default configuration in your application or appliance.”

The next sentence informs the reader, “You can apply for a vendor zone here on the site.”

Just like the label on a hair dryer that warns one not to use it while in the shower, these guidelines exist for a reason (cf. “Flawed Routers Flood University of Wisconsin Internet Time Server“, for example).

OpenBSD, however, has chosen to flagrantly ignore them.

OpenNTPD is included as part of OpenBSD’s “base system”. Version 1.13 (dated 2015/05/18) of it’s default configuration file, /etc/ntpd.conf, includes the following:


# use a random selection of NTP Pool Time Servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org

N.B.: This isn’t a recent change, either — it’s been there since 2004.

I was going to write to one of the OpenBSD mailing lists about this, thinking that perhaps it was simply an oversight. Before I did, however, I searched the archives to see if it had been discussed before. I discovered that it had — almost five years ago.

In that thread, Theo de Raadt wrote:

We don’t intend to change anything.

Their decrees are meaningless. They don’t provide the ntp traffic,
they only provide DNS records. As written, those rules are designed
to let the people at ntp.org impose a punishing policy against those
they don’t like.

Those rules do not improve time distribution. It is just control
freak behaviour.

This blatant violation of the guidelines is made even worse by what I discovered while writing this:


$ dig +short {0,1,2,3}.openbsd.pool.ntp.org
173.44.32.10
208.75.88.4
66.228.35.252
98.191.213.12
108.61.73.243
96.44.142.5
70.35.113.43
199.7.177.206
129.6.15.28
69.50.219.51
66.175.209.17
65.182.224.39
216.229.4.66
129.250.35.251
192.155.90.13
132.163.4.101

An “openbsd” vendor zone is already available for their use. Adherence to the guidelines would require, at minimum, a one-line change to /etc/ntpd.conf:


-servers pool.ntp.org
+servers 0.openbsd.pool.ntp.org

Leave a Comment

Previous post: