diff options
Diffstat (limited to 'contrib/ntp/ntpd/ntp.conf.def')
-rw-r--r-- | contrib/ntp/ntpd/ntp.conf.def | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/contrib/ntp/ntpd/ntp.conf.def b/contrib/ntp/ntpd/ntp.conf.def index 4993e0215476..a62e97650739 100644 --- a/contrib/ntp/ntpd/ntp.conf.def +++ b/contrib/ntp/ntpd/ntp.conf.def @@ -2442,6 +2442,7 @@ The default value is 46, signifying Expedited Forwarding. .Cm calibrate | Cm kernel | .Cm mode7 | Cm monitor | .Cm ntp | Cm stats | +.Cm peer_clear_digest_early | .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early .Oc .Xc @@ -2451,6 +2452,7 @@ The default value is 46, signifying Expedited Forwarding. .Cm calibrate | Cm kernel | .Cm mode7 | Cm monitor | .Cm ntp | Cm stats | +.Cm peer_clear_digest_early | .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early .Oc .Xc @@ -2518,6 +2520,26 @@ closes the feedback loop, which is useful for testing. The default for this flag is .Ic enable . +.It Cm peer_clear_digest_early +By default, if +.Xr ntpd 1ntpdmdoc +is using autokey and it +receives a crypto-NAK packet that +passes the duplicate packet and origin timestamp checks +the peer variables are immediately cleared. +While this is generally a feature +as it allows for quick recovery if a server key has changed, +a properly forged and appropriately delivered crypto-NAK packet +can be used in a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. +You can check your +.Cm peerstats +file for evidence of any of these attacks. +The +default for this flag is +.Ic enable . .It Cm stats Enables the statistics facility. See the |