Sanjeev Gupta authored Dec 11, 2019 and Richard Laager committed Dec 14, 2019

Add netnod servers
Add our boilerplate
Other syntax fixes

Sanjeev Gupta authored Dec 11, 2019 and Richard Laager committed Dec 14, 2019

Fixes #623

Sanjeev Gupta authored Dec 11, 2019 and Richard Laager committed Dec 14, 2019

Welcome to wikipedia :-)

Sanjeev Gupta authored Dec 11, 2019 and Richard Laager committed Dec 14, 2019

Signed-off-by: Richard Laager <rlaager@wiktel.com>

Sanjeev Gupta authored Dec 11, 2019 and Richard Laager committed Dec 14, 2019

Caught by Richard Laager, thank you.

Sanjeev Gupta authored Dec 11, 2019 and Richard Laager committed Dec 14, 2019

Thanks, Richard

Sanjeev Gupta authored Dec 11, 2019 and Richard Laager committed Dec 14, 2019

Thanks, Richard

Suggested-by: James Browning <jamesb.fe80@gmail.com>

A certificate is not quite the same as a public key.  Also, I've
expanded the details on what it means to be "fully chained up".

Rather than using the name of an actual server (which is mentioned above
as such, and thus could be confusing), use "ntp.example.com".

Sanjeev Gupta wanted to capitalize Pool because we are referring to the
specific pool.  I standardized "the NTP Pool", which is something the
NTP Pool website uses to refer to itself.

I also cleaned up some terminology around "subdomains".

This merges the two sections with pool examples together.  It also
addresses the following issues:
1. The claim about the Ubuntu config is simply wrong. It does not look
   like the documentation said it does.
2. The existing example "pool ubuntu.pool.ntp.org" is wrong, as vendor
   subdomains do not resolve without a number.  In other words, that
   example did not even work.
3. Only the "2.(vendor.)pool.ntp.org" names currently support IPv6 (i.e.
   return AAAA records).

This documents everything I've learned about maxclock:

 - Pool entries count towards maxclock, but not minclock.  This is
   arguably a bug, but it is the current behavior and changing it
   breaks backwards compatibility to some degree.

   I posted my experiences here:
     https://lists.ntpsec.org/pipermail/devel/2019-November/008858.html
   saying:
     I have a number of systems with "tos maxclock 11" set explicitly
     and their steady state is 4 pool entries and 7 actual
     associations.

   Hal confirmed here:
     https://lists.ntpsec.org/pipermail/devel/2019-November/008859.html
   saying:
     It uses working slots on the min test but counts pool on
     the max test.

 - maxclock should be an odd number.
   I posted here:
     https://lists.ntpsec.org/pipermail/devel/2019-November/008856.html
   saying:
     http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers
     says "the general rule is for 2n+1 to protect against 'n'
     falsetickers". (It goes on to discuss the exception for n=1, which
     is not relevant here.)
     If that's true, then it seems like odd numbers of servers are
     better, all things being equal.

  - I kept the existing bit about maxclock typically being two greater
    than minclock, but expanded that to "two or three" to be consistent
    with the goal of maxclock being an odd number.

I also added a note about a typical minclock value being 3.  This allows
for protecting against one falseticker.

Among other things, this removes the mention of one hour cookie
rotation.  As noted, that was for testing, but it was removed in 1.1.7.

This is a partial fix for #622.

Everything in docs/pic is installed directly.  That is appropriate for
image files, but not for panda.adoc.

I moved the historical note into ntplogtemp.adoc, which uses panda.gif.

This addresses my comment in #622.

These changes were from the review of my previous changes.

Suggested-by: James Browning <jamesb.fe80@gmail.com>

These are no longer necessary.  I remember this being changed a while
back, but I also personally tested just now that "restrict default"
applies equally to IPv4 and IPv6.

This makes it more clear that this is not an NTPsec limitation.