Bug#1098778: ntpsec: 'pool' directive causes duplicate server entries

Discussion:

Add Reply

Thorsten Glaser

2025-02-23 23:50:01 UTC

Package: ntpsec
Version: 1.2.3+dfsg1-3
Severity: normal
X-Debbugs-Cc: ***@mirbsd.de

With 'pool ntp.hetzner.de' in the config, I get multiple entries
of the same servers in 'ntpq -p':

$ sudo ntpq -p
remote refid st t when poll reach delay offset jitter
=======================================================================================================
ntp.hetzner.de .POOL. 16 p - 256 0 0.0000 0.0000 0.0001
[…]
+ntp1.hetzner.de 124.216.164.14 2 u 16 64 77 2.8813 1.9452 1.7062
+ntp3.hetzner.de 237.17.204.95 2 u 14 64 77 0.5138 1.9066 1.7609
+ntp2.hetzner.de 237.17.204.95 2 u 13 64 77 0.4425 1.8438 1.8596
+ntp2.hetzner.de 237.17.204.95 2 u 18 64 77 0.5574 1.9942 1.7072
+ntp3.hetzner.de 237.17.204.95 2 u 14 64 77 0.5078 1.8486 1.7890
+ntp1.hetzner.de 124.216.164.14 2 u 18 64 77 2.8914 1.9385 1.6966

(I omitted the entries from the other pool line here as not important.)

I’ve tested this with and without, and as soon as I add that one pool
line, this happens.

-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ntpsec depends on:
ii adduser 3.137
ii init-system-helpers 1.68
ii libbsd0 0.12.2-2
ii libc6 2.40-7
ii libcap2 1:2.66-5+b1
ii libssl3t64 3.4.1-1
ii netbase 6.4
ii python3 3.13.1-2
ii python3-ntp 1.2.3+dfsg1-3
ii tzdata 2025a-2

Versions of packages ntpsec recommends:
ii cron [cron-daemon] 3.0pl1-192
ii systemd 257.3-1

Versions of packages ntpsec suggests:
pn apparmor <none>
pn certbot <none>
pn ntpsec-doc <none>
pn ntpsec-ntpviz <none>

-- Configuration Files:
/etc/default/ntpsec changed:
NTPD_OPTS="-g -N"
IGNORE_DHCP="yes"
NTPSEC_CERTBOT_CERT_NAME=""

/etc/ntpsec/ntp.conf changed:
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
tos maxclock 11
tos minclock 4 minsane 3
pool ntpxxxxxxxx.org iburst
pool ntp.hetzner.de iburst
restrict default kod nomodify noquery limited
restrict 127.0.0.1
restrict ::1
restrict xxx.xxx.xxx.xx/26
restrict x

Thorsten Glaser

2025-03-03 11:30:02 UTC

Permalink

What does `ntpq -pn` report?
I suspect the answer is that you are getting the server once with IPv4
and once with IPv6.

Bingo.

Incidentally, for the other pool (of a massive size, 4=C3=97Legacy IP,
5=C3=97IPv6) I=E2=80=99m using, I use a specific alias to only get one set,=
to
avoid precisely that=E2=80=A6 unfortunately, the hoster pool doesn=E2=80=99=
t have
this.

Is there a way to say =E2=80=9Cgive me only v4 or only v6 from this pool=E2=
=80=9D
or =E2=80=9Cdeduplicate the pool result based on reverse DNS (checked, i.e.
that forward DNS expands to both IPs again)=E2=80=9D?

The latter, especially, would be useful, also with pool.ntp.org=E2=80=A6

Thanks in advance,
//mirabilos
--=20
18:47=E2=8E=9C<mirabilos:#!/bin/mksh> well channels=E2=80=A6 you see, I see=
everything in the
same window anyway 18:48=E2=8E=9C<xpt:#!/bin/mksh> i know, you have so=
me kind of
telnet with automatic pong 18:48=E2=8E=9C<mirabilos:#!/bin/mksh> ha=
ha, yes :D
18:49=E2=8E=9C<mirabilos:#!/bin/mksh> though that's more tinyirc =E2=80=93 =
sirc is more comfy

Thorsten Glaser

2025-03-03 18:20:01 UTC

Permalink

Post by Thorsten Glaser
Is there a way to say =E2=80=9Cgive me only v4 or only v6 from this pool=

=E2=80=9D

pool -4
pool -6

Ah! I hadn=E2=80=99t tested it as it=E2=80=99s only documented for server,
but it does the job.

Thank you!

The rest really could be fed upstream (while writing the
eMail I forgot whether I was replying upstream or not=E2=80=A6),
but the Debian report can likely be closed.

bye,
//mirabilos
--=20
15:41=E2=8E=9C<Lo-lan-do:#fusionforge> Somebody write a testsuite for hello=
world :-)