ntpMerlin ntpMerlin v3.x

[Jack Yaz]

format usb and starting from scratch solved the issue
Thanks

new theory, chrony was seg faulting due to corrupted filesystem on the USB

 

[JohnD5000]

Simple chrony list which could be used just about anywhere. I don't iburst these because I have an NTP server on my LAN which I iburst instead.

pool time.apple.com
pool time.cloudflare.com nts

I only have the ntpMerlin set with chrony. This is my current list. Do you think it is OK for Mass or should I make adjustments?

pool time.cloudflare.com iburst nts
pool time.apple.com iburst
pool time.facebook.com iburst
pool time.google.com iburst
pool time.nist.gov iburst

 

[XIII]

It's hard to find the list with NTS servers...

(Maybe we need a new post where the first post is updated to remain recent?)

Do we already have these?

• nts.netnod.se
• sth1.nts.netnod.se
• sth2.nts.netnod.se

Source: https://www.netnod.se/time-and-frequency/how-to-use-nts

 

[MvW]

It's hard to find the list with NTS servers...

(Maybe we need a new post where the first post is updated to remain recent?)

Do we already have these?

• nts.netnod.se
• sth1.nts.netnod.se
• sth2.nts.netnod.se

Source: https://www.netnod.se/time-and-frequency/how-to-use-nts

You did see the list I created a few pages back? http://www.snbforums.com/threads/ntpmerlin-v3-x.68508/post-680984

I'm having some other issues, at the moment, so I haven't been able to update it.

According to Martin Langer, the developer of the NTS protocol, there's no official list. The RFC is quite recent and isn't yet broadly implemented. See this article and the comments:

Setting up NTS-Secured NTP with NTPsec

This is a guest blogpost by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany. In the previous po…

weberblog.net

 

[XIII]

These should also work, but don't for me (KeyID, Type, and KLen are 0):

• gbg1.ntp.se
• gbg2.ntp.se
• mmo1.ntp.se
• mmo2.ntp.se
• sth1.ntp.se
• sth2.ntp.se
• svl1.ntp.se
• svl2.ntp.se

Source: https://www.ntp.se

 

[XIII]

You did see the list I created a few pages back? http://www.snbforums.com/threads/ntpmerlin-v3-x.68508/post-680984

Yes, that's the list I was referring to.

Because it's somewhere within this thread I have trouble finding it...

 

[MvW]

These should also work, but don't for me (KeyID, Type, and KLen are 0):

• gbg1.ntp.se
• gbg2.ntp.se
• mmo1.ntp.se
• mmo2.ntp.se
• sth1.ntp.se
• sth2.ntp.se
• svl1.ntp.se
• svl2.ntp.se

Source: https://www.ntp.se

There's a possibility you need to import a key/certifcate first, to be able to use them, but I haven't gotten around to figure out how that works. There's a folder created for it. If you look at the comments of the link I posted above you'll find some examples.

 

[XIII]

There's a possibility you need to import a key/certifcate first, to be able to use them, but I haven't gotten around to figure out how that works. There's a folder created for it. If you look at the comments of the link I posted above you'll find some examples.

I contacted Netnod and they replied that currently only the Stockholm servers support NTS (but they are planning to implement it on the other sites too).

Network Time Security | Netnod

What is NTS? A lot of the Internet’s most important security tools are dependent on accurate time. But until recently there was no way to ensure that the time you were getting came from a trusted source. The new Network Time Security (NTS) standard has been designed to fix that.

www.netnod.se

 

[MvW]

I contacted Netnod and they replied that currently only the Stockholm servers support NTS (but they are planning to implement it on the other sites too).

And by the Stockholm servers, do you mean:

• sth1.nts.netnod.se
• sth2.nts.netnod.se

or

• sth1.ntp.se
• sth2.ntp.se

?

 

[EmeraldDeer]

I only have the ntpMerlin set with chrony. This is my current list. Do you think it is OK for Mass or should I make adjustments?

pool time.cloudflare.com iburst nts
pool time.apple.com iburst
pool time.facebook.com iburst
pool time.google.com iburst
pool time.nist.gov iburst

That is OK. I think it is too many, though. Facebook and Google do leap second smearing (and in different ways), so I would not use them.

 

[XIII]

And by the Stockholm servers, do you mean:

• sth1.nts.netnod.se
• sth2.nts.netnod.se

or

• sth1.ntp.se
• sth2.ntp.se

?

I have this in my config:

server nts.netnod.se iburst nts
server sth1.nts.netnod.se iburst nts
server sth2.nts.netnod.se iburst nts

And get this output from chronyc -N authdata:

nts.netnod.se                NTS     ...
sth1.nts.netnod.se           NTS     ...
sth2.nts.netnod.se           NTS     ...

And get this output from chronyc selectdata:

+ ntsts.sth.ntp.se          Y ...
+ ntsts.sth1.ntp.se         Y ...
+ sth2-ts.nts.netnod.se     Y ...

 

[MvW]

My output:

marco@RT-AC86U:/tmp/home/root# chronyc -N authdata
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
netmon2.dcs1.biz             NTS     2   15  256 1180    0    0    2  104
ntp1.glypnod.com             NTS     1   15  256  37h    0    0    8  104
ntp2.glypnod.com             NTS     9   15  256 116m    0    0    2  104
ntpmon.dcs1.biz              NTS    10   15  256  917    1    0    2  104
nts.netnod.se                NTS     1   15  256  21m    2    0    0    0
nts.ntp.se                   NTS     1   15  256  21m    2    0    0    0
nts.sth1.ntp.se              NTS     1   15  256  21m    2    0    0    0
nts.sth2.ntp.se              NTS     1   15  256  21m    2    0    0    0
nts.time.nl                  NTS     1   15  256  37h    0    0    7  104
ptbnts2.ptb.de               NTS     0    0    0    -    5    0    0    0
ptbnts3.ptb.de               NTS     0    0    0    -    5    0    0    0
ptbtime1.ptb.de              NTS    13   15  256  662    0    0    8  100
ptbtime2.ptb.de              NTS     3   15  256  529    1    0    5  100
ptbtime3.ptb.de              NTS     1   15  256  43m    0    0    1  100
sth-ts.nts.netnod.se         NTS     0    0    0    -    5    0    0    0
sth1-ts.nts.netnod.se        NTS     0    0    0    -    5    0    0    0
sth2-ts.nts.netnod.se        NTS     0    0    0    -    5    0    0    0
timemaster.evangineer.net    NTS     1   15  256  66m    0    0    8  100
time.cloudflare.com          NTS     4   15  256  58m    0    0    5  100
time.cloudflare.com          NTS     7   15  256  925    0    0    8  100
[CODE]

The two German servers aren't operational (#2 should be, but isn't, #3 isn't yet) so they time out all the time, nts.netnod.se does connect in my case and sth-ts, sth1-ts and sth2-ts.nts.nednod.se actively refuse connections all three, with could be a certificate issue, but I haven't had time to dive into it.

As for your request for a list: one will be created (and maintained) on Github soon.

 

[JohnD5000]

That is OK. I think it is too many, though. Facebook and Google do leap second smearing (and in different ways), so I would not use them.

Thanks, I'll remove them. Should iburst be on all of them? Should I keep the nts on cloudfare?

pool time.cloudflare.com iburst nts
pool time.apple.com iburst
pool time.nist.gov iburst

 

[MvW]

Question: I was browsing chrony.conf and I just noticed that the maxdrift value is set at 100 (commented). When looking at the drift file in /opt/var/lib/chrony/drift I see way lower values:

marco@RT-AC86U:/tmp/home/root# cat  /opt/var/lib/chrony/drift
           -0.281546             0.042619

The values in the config as well as in the drift file are both in ppm, right? Is there any reason why I shouldn't edit the value in chrony.conf from 100 to 5, for example? Or even lower? That way I can take temperature changes in account, but the default value of a 100 (even though it's commented by default) seems ridiculously high.

With one exception, drift does never seem to get above 4 ppm:

 

[EmeraldDeer]

Thanks, I'll remove them. Should iburst be on all of them? Should I keep the nts on cloudfare?

pool time.cloudflare.com iburst nts
pool time.apple.com iburst
pool time.nist.gov iburst

I would just use iburst on Apple which gives the best time. Unless you notice that time.apple.com is down from time to time, I would think it is better to set the clock initially from the pool with the lowest standard deviation.

I am keeping nts enabled on Cloudflare. It is nice to have a reference which is very difficult to man in the middle.

 

[Wade Coxon]

The values in the config as well as in the drift file are both in ppm, right? Is there any reason why I shouldn't edit the value in chrony.conf from 100 to 5, for example? Or even lower? That way I can take temperature changes in account, but the default value of a 100 (even though it's commented by default) seems ridiculously high.

With one exception, drift does never seem to get above 4 ppm:

There is no need to change that. That default value of 100 is just a cap on the maximum amount of drift compensation that the chrony daemon can apply when it is in between polls from upstream ntp servers. It is just to stop the drift value being set to some insanely high value. It will otherwise do nothing of use.

 

[MvW]

There is no need to change that. That default value of 100 is just a cap on the maximum amount of drift compensation that the chrony daemon can apply when it is in between polls from upstream ntp servers. It is just to stop the drift value being set to some insanely high value. It will otherwise do nothing of use.

But if I know the default average drift value, wouldn't it make more sense to cap it that point, instead of a value of 100? A lower value improves accuracy in case an 'exotic' time is served, I assume?

 

[Wade Coxon]

But if I know the default average drift value, wouldn't it make more sense to cap it that point, instead of a value of 100? A lower value improves accuracy in case an 'exotic' time is served, I assume?

That scenario should never arise so long as you have a good number of servers from a variety of providers. The chances of all servers simultaneously slewing consistently in the same direction for any length of time should be vanishingly small. That's about the only way your router would perceive a fake drift.

Given the typical stability that these routers' clocks seem to exhibit, I doubt the actual drift would ever exceed 20ppm. Setting a cap at 25ppm would then make a sensible "sane limit". I would definitely not set it any lower.

 

[archiel]

Question: I was browsing chrony.conf and I just noticed that the maxdrift value is set at 100 (commented). When looking at the drift file in /opt/var/lib/chrony/drift I see way lower values:

marco@RT-AC86U:/tmp/home/root# cat  /opt/var/lib/chrony/drift
           -0.281546             0.042619

The values in the config as well as in the drift file are both in ppm, right? Is there any reason why I shouldn't edit the value in chrony.conf from 100 to 5, for example? Or even lower? That way I can take temperature changes in account, but the default value of a 100 (even though it's commented by default) seems ridiculously high.

With one exception, drift does never seem to get above 4 ppm:

Looing at the chrony manual changing maxdrift is unlikely to have any effect (chrony – chrony.conf(5))

maxdrift drift-in-ppm
This directive specifies the maximum assumed drift (frequency error) of the system clock. It limits the frequency adjustment that chronyd is allowed to use to correct the measured drift. It is an additional limit to the maximum adjustment that can be set by the system driver (100000 ppm on Linux, 500 ppm on FreeBSD, NetBSD, and macOS 10.13+, 32500 ppm on Solaris).

By default, the maximum assumed drift is 500000 ppm, i.e. the adjustment is limited by the system driver rather than this directive.

 

[heysoundude]

With one exception, drift does never seem to get above 4 ppm:

and with only one exception does it meaningfully exceed 3ppm.
I would say that's pretty solid and wouldn't want to poke any bears.
Your "temp-correlated" idea is an interesting one, however; I wonder if the boss will put the time in to get that factor incorporated into any of the graphs, or if he deems it largely irrelevant/useless to most users. I'd say for it to be valid, processor load and possibly data throughput might have to be added into any metrics taken into consideration...but just because we have the power to examine these things, and graph them, doesn't mean we have to use it, right?