NTP Issues Today

Or you could just concede the fact that the navy is playing with time travel again.

The lesson is: use MORE THAN TWO diverse NTP sources.

A man with two watches has no idea what time it actually is.

Per David Mills, from the discussion linked upthread, this should be FOUR OR MORE...

"Every critical server should have at least four sources, no two from the
same organization and, as much as possible, reachable only via diverse,
nonintersecting paths."

Four, so that the remaining three can reach consensus even if one fails.

-- Neil


We were synchronized against multiple sources. Unfortunately the Navy NTP source contaminated multiple downstream sources.

Unless you can trace all your sources, if these sources all have a root source you will break.

Sid Rao | CTI Group | +1 (317) 262-4677
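
Added example, not part of any message in this thread and not ntpd's own code: a simplified interval-intersection vote showing why two sources cannot settle a disagreement, why four independent sources outvote one bad one, and why sources sharing a bad upstream outvote the good one. Source names, offsets and error bounds are constructed for illustration.

```python
# Simplified interval-intersection vote (illustration only, not ntpd's code).
# Each source reports (offset_seconds, error_bound_seconds); the interval
# offset +/- bound is where that source claims the true time lies.

def select(sources):
    """Return (truechimers, falsetickers), or None if no strict majority agrees."""
    events = []
    for name, (offset, bound) in sources.items():
        events.append((offset - bound, 0, name))  # interval opens
        events.append((offset + bound, 1, name))  # interval closes
    events.sort()  # opens sort before closes at the same point
    active, best = set(), set()
    for _, kind, name in events:
        if kind == 0:
            active.add(name)
            if len(active) > len(best):
                best = set(active)  # largest group of mutually overlapping sources
        else:
            active.discard(name)
    if len(best) * 2 <= len(sources):
        return None  # no majority: nothing to tell right from wrong
    return sorted(best), sorted(set(sources) - best)

# Constructed sample data; names and offsets are made up for illustration.
TWO_SOURCES = {"a": (0.002, 0.02), "bad": (-3600.0, 0.02)}
FOUR_INDEPENDENT = {"a": (0.002, 0.02), "b": (-0.004, 0.02),
                    "c": (0.001, 0.03), "bad": (-3600.0, 0.02)}
# Three servers that all follow the same faulty upstream, plus one good one.
FOUR_SHARED_ROOT = {"down1": (-3600.001, 0.02), "down2": (-3599.998, 0.02),
                    "down3": (-3600.003, 0.03), "good": (0.001, 0.02)}

if __name__ == "__main__":
    for label, srcs in [("two sources", TWO_SOURCES),
                        ("four independent", FOUR_INDEPENDENT),
                        ("four, shared root", FOUR_SHARED_ROOT)]:
        print(label, "->", select(srcs))
```

In the shared-root case the vote succeeds but picks the three contaminated servers and labels the correct one the falseticker, so source count alone does not help when the sources are not independent.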

"... against multiple [Stratum 1] sources..."

Baby, if you've ever wondered... whether it matters whether your sources
are strat 1 or not, now you know -- since there's no real way to get
provenance on down-strat time sources that I'm aware of.

Does the NTP code, people who know, give any extra credence to strat-1
sources in its byzantine code?

-- jra

Not in a way that matters if one of them suddenly becomes a
falseticker. If a reference clock goes insane, it's pretty easily
detected provided you have at least two more servers (or even
peers configured.)

  Stratum 1 just means it thinks it has a reference clock
attached, but those clocks fail, go into holdover, what have you
all the time.

  NTP will happily select a stratum 2 or lower clock instead
provided it appears stable (low jitter, responded to our last 255
queries, and is an eligible candidate.)

  To get an idea what your NTP server will do, try ntpq -p:

msa@paladin:/home/msa (582)$ ntpq -p
     remote refid st t when poll reach delay offset