|WARNING: someone's faking a leap second tonight||Marco Marongiu||7/31/12 1:23 PM|
This is just to warn you that there are now some NTP servers around the
globe spreading a leap second announcement for tomorrow 00:00:00 UTC
(so, basically, in a few hours now).
If you didn't take action before the leapocalypse last month, you better
|Re: WARNING: someone's faking a leap second tonight||Jeff Lerman||7/31/12 7:40 PM|
Yes, this affected us. Can someone explain why this was done? Was it designed to be a test of some kind? The Linux leap second kernel bug that was discovered a month ago was only patched on July 17; that patched kernel has presumably not made it to many (most?) people yet. So if it's a test it seems wildly premature.
|Re: WARNING: someone's faking a leap second tonight||E-Mail Sent to this address will be added to the BlackLists||7/31/12 10:05 PM|
If they were pool clocks, anything is possible,
occasionally the date appears to change on some of them.
E-Mail Sent to this address <BlackList@Anitech-Systems.com>
will be added to the BlackLists.
|Re: WARNING: someone's faking a leap second tonight||Marco Marongiu||8/1/12 1:28 AM|
On 01/08/12 04:40, jcle...@gmail.com wrote:I tried to collect some information around the globe, but with scarce/no
feedback. I am *suspecting* that this could be a rather imaginative
attempt to DOS worldwide.
Anyway, a colleague of mine is now hunting down some upstreams that
faked the leap second. If we get something out of his research, I'll let
|Re: WARNING: someone's faking a leap second tonight||Marco Marongiu||8/1/12 5:58 AM|
On 01/08/12 10:28, Marco Marongiu wrote:While my colleague is working with a stratum 1 timekeeper to investigate
this better, I called the people at INRiM in Italy -- INRiM is the
institution responsible for the official Italian time
(http://www.inrim.it/index.shtml). Mr.Pettiti confirmed there was *no*
leap second scheduled yesterday (as we all suspected, right?), so that
is definitely a fake.
It may well be a DOS attempt, but as another colleague of mine suggests,
it could also be a bug in some upstream servers, which didn't disarm the
leap second after June 30th, and propagated it again yesterday.
Question now is: assuming those servers were running ntpd, was such a
bug reported at some point?
|Re: WARNING: someone's faking a leap second tonight||demo...@gmail.com||8/1/12 7:41 AM|
Hi, I tried to find some info because there was other leap second, but I didn't find anything about this issue. Does somebody has some info what happened or know if it was a DOS atack or if it was a problem of the ntp services (I'm using the ntp Dabian pools)?
Thanks in advance
|Re: WARNING: someone's faking a leap second tonight||Marco Marongiu||8/1/12 7:16 AM|
On 01/08/12 14:58, Marco Marongiu wrote:Plus, another question. If one uses the leapfile, are spurious leap
second notifications like this one discarded?
From the docs at http://doc.ntp.org/4.2.6/ntpd.html#leap I can't
understand if the leapseconds file is authoritative at the point that,
if a leap second notification is received for a leap second not in the
file, it is discarded. If so, that would help to avoid spurious leap
seconds like this one.
|Re: WARNING: someone's faking a leap second tonight||steven Sommars||8/1/12 7:33 AM|
I've seen no evidence of a denial of service attack, bugs are more likely.
Several stratum one servers have been advertising LI=1 continuously for
the past month. Others alternate between LI=0 and LI=1.
Most servers claim to run ntpd.
There are over 10 stratum one's that advertise LI=1 as of Wed Aug 1
14:18:51 UTC 2012. Unless this changes another false leap second could
occur on August 31, 2012
On Wed, Aug 1, 2012 at 7:58 AM, Marco Marongiu <bront...@gmail.com>wrote:
> questions mailing list
|Re: WARNING: someone's faking a leap second tonight||Rob||8/1/12 8:54 AM|
steven Sommars <steveso...@gmail.com> wrote:When a leapsecond occurs as a result of these bits that is a bug on
its own, because leapseconds can only occur at the end of a quarter.
|Re: WARNING: someone's faking a leap second tonight||demo...@gmail.com||8/1/12 10:36 AM|
I found that: http://www.greyware.com/kb/kb2012.717.asp
One of my internal NTP servers has the leap flag set to 01. The fake leap second issue was produced in the servers where this NTP server is the time source preferred, so I guess that it was my problem.
In order to check the leap flag I used ntpq.
First I checked what is the preferred NTP server with the "peers" command.
After that I ran the "associations" command in order to obtain the assids of the NTP servers. When I had the assids, I check the status of the NTP servers using the "pstatus" command (usage: pstatus ASSISD_NUMBER). In the "pstatus" output I saw that the "leap" flag is set to 01.
remote refid st t when poll reach delay offset jitter
+ntp0.example.net 184.108.40.206 3 u 783 1024 377 0.296 2.173 0.772
*ntp1.example.net 220.127.116.11 3 u 943 1024 377 0.339 -1.158 0.481
LOCAL(0) .LOCL. 10 l 10h 64 0 0.000 0.000 0.000
ind assid status conf reach auth condition last_event cnt
1 12345 9424 yes yes none candidate reachable 2
2 12346 963a yes yes none sys.peer sys_peer 3
3 12347 8043 yes no none reject unreachable 4
ntpq> pstatus 12346
associd=123456 status=9424 conf, reach, sel_candidate, 2 events, reachable,
srcadr=ntp1.example.net, srcport=123, dstadr=192.168.10.1, dstport=123,
leap=01, stratum=3, precision=-20, rootdelay=124.969, rootdisp=63.766,
reftime=d3c3d39e.c685fc7f Wed, Aug 1 2012 16:11:10.775,
rec=d3c3d7ac.5f9dfe79 Wed, Aug 1 2012 16:28:28.373, reach=377,
unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,
keyid=0, offset=2.173, delay=0.296, dispersion=15.264, jitter=0.772,
filtdelay= 0.30 0.33 0.30 0.36 0.35 0.35 0.35 0.30,
filtoffset= 2.17 2.01 1.80 1.68 1.49 1.25 1.14 1.00,
filtdisp= 0.00 15.75 31.91 47.49 63.14 78.63 94.43 109.95
|Re: WARNING: someone's faking a leap second tonight||steven Sommars||8/1/12 10:08 AM|
The main standard says a leap second is allowed in any month. That's what
the reference ntpd does.
See ITU-R, TF460, STANDARD-FREQUENCY AND TIME-SIGNAL EMISSIONS.
This link may work:
On the other hand Bulletin C (
ftp://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat) says December or June.
Take your pick.
|Re: WARNING: someone's faking a leap second tonight||praritb...@gmail.com||8/1/12 10:24 AM|
Steven, can you point me to one of those servers? The ones that I've checked all seem to have LI=0.
|Re: WARNING: someone's faking a leap second tonight||Jeff Lerman||8/1/12 11:25 AM|
(for those seeing this a second time, I apologize)
Thanks for the research - very interesting. Which stratum-1 servers are still advertising LI=01? Is it possible to contact their administrators to learn why they might be erroneously advertising? Can you see if those servers have anything in common?
How are the leap-second flags meant to be cleared after a leap second? Is it supposed to be automatic? Is there a bug in some code (ntpd or elsewhere) that is failing to clear the flag in (some versions of) ntp server software? I did check earlier this morning and I was unable to find a bug filed against ntpd regarding this issue - does anyone know if we should go ahead and file a bug? It'd be nice to have more information on whether this is really an ntpd issue.
In general it certainly sounds like there is some brittleness somewhere in the mechanism for clearing the leap-second (LI) flags after the leap second occurs.
|Re: WARNING: someone's faking a leap second tonight||Martin Burnicki||8/1/12 12:51 PM|
Right after the real leap second we had some reports from customers who had
observed that the internal leap bits on their NTP servers had not been
cleared after the leap second had occurred.
It turned out this happened with some older versions of ntpd when the
customers had installed e.g. 3 or 4 servers for redundancy, and each NTP
server had the other ones configured as upstream server (personally I know
this is not a good configuration, but they did it anyway). This
configuration seemed to result in a kind of feedback loop for the leap
I'm assuming e.g. an NTP server didn't clear the internal leap status
immediately after the leap second, and when another server polled this one
it still received the leap warning from its upstream server and thus kept
it. The next one received the leap warning from the other two servers, and
This state was persistant for several days after the leap date, and of
course even if ntpd was restarted on only one server it immediatedly
received the leap warning from the other servers again.
The only fix we found was to kill ntpd on *all* involved servers first, so
no ntpd service was available anymore, and then restart the daemons on all
servers one after the other. This caused just a short interruption of the
NTP service for other clients in their networks, but obviously broke up the
leap warning feedback loop.
I didn't expect such behaviour since usually the stratum should have been
used to avoid timing loops, which I would expect to include leap warning
loops, and especially I wouldn't expect that current versions of ntpd
(4.2.6 and newer) could behave this way since they need a majority of
upstream servers providing a leap warning to accept this warning. Hmm, on
the other hand, if all servers have the leap bits set then there *is* a
Anyway, in my opinion it sounds plausible that NTP servers which have hit
such a state will cause the insertion of another leap seconds at the end of
every month, unless the feedback loop is interrupted, especially if this
should happen with NTP versions where the plausibility check for a leap
second only checks for the end of a month (like in current versions) and
not for the end of June or December (like in earlier versions of ntpd).
|Re: WARNING: someone's faking a leap second tonight||E-Mail Sent to this address will be added to the BlackLists||8/1/12 3:11 PM|
Martin Burnicki wrote:What kind of association were they, Peer, Server, AnyCast, ...?
|Re: WARNING: someone's faking a leap second tonight||Chris Adams||8/1/12 6:17 PM|
Once upon a time, Marco Marongiu <bront...@gmail.com> said:I'm still seeing leap=01 from 18.104.22.168 (name1.glorb.com), a
stratum-2 server in the US pool (a few of my systems have it in their
Chris Adams <cma...@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
|Re: WARNING: someone's faking a leap second tonight||Dave Hart||8/1/12 10:57 PM|
On Thu, Aug 2, 2012 at 1:17 AM, Chris Adams wrote:That particular system seems to have corrected its leap indication,
but plenty of other pool participants are advertising leap. I have
this laptop set to associate with every IP in a list of all pool
servers as of late June. The following are showing leap=01 now:
|Re: WARNING: someone's faking a leap second tonight||Martin Burnicki||8/2/12 2:04 AM|
E-Mail Sent to this address will be added to the BlackLists wrote:I remember at least one setup with 4 identical servers, where each
server had a local GPS refclock configured (which for sure didn't send
the leap warning anymore after the real leap second had passed) and in
addition had simple "server" entries for the other 3 servers.
Unfortunately this was mostly handled on the phone, so I don't have any
records with details.
Anyway, I'll see if we can install a similar setup here to see if we can
duplicate this behaviour.
|Re: WARNING: someone's faking a leap second tonight||Jeffrey Lerman||8/1/12 11:00 AM|
On 8/1/2012 7:33 AM, steven Sommars wrote:> ques...@lists.ntp.org <mailto:ques...@lists.ntp.org>
|Re: WARNING: someone's faking a leap second tonight||Martin Burnicki||8/2/12 7:20 AM|
Jeffrey Lerman wrote:I've just run some tests. On a test machine:
- configured ntpd to use the current leap second file
- configured the local clock as only ref time source
- set the system date/time to 2012-06-30 23:59:45 UTC
- started ntpd
On a different machine:
- ran a test program which sends 4 requests/s to the test machine
and prints the contents of the reply packets, including leap status
Found that with both the current stable version (4.2.6p5) and a current
dev version (4.2.7p290) the leap second warning in the reply packets
already disappeared shortly *before* the leap second actually occurred.
This means if this server sends a reply to a client shortly before the
leap second the leap warning may have already been turned off, and thus
the client might *disarm* the leap second shortly before the leap second
occurs. This sounds like a bug to me, so I'm going to file a bug report
Anyway, this does *not* seem to be directly related to the actual
problem where the leap bit is not reset at all, or is set again if
there's a time source which still has the bit set immediately after the
For completeness I've repeated the same test with the latest version of
the 4.2.4 branch, namely 4.2.4p8. This version of ntpd resets the leap
warning bit in the leap status sent to clients a few seconds *after* the
leap second, so this could be a possible issue for clients accepting a
new leap warning immediately after a leap second has occurred.
I'm sure a bug will be filed, but eventually we should first find out
more details so we can write an appropriate summary of the issue.
|Re: WARNING: someone's faking a leap second tonight||steven Sommars||8/2/12 7:18 AM|
One root cause involves a group of stratum one's peering each other. A
leap indicator can continue to circulate until the peering changes, or the
entire group is simultaneously reinitialized. This affects multiple
commercial server brands.
Is this a problem with some/all versions of ntpd?
> questions mailing list
|Re: WARNING: someone's faking a leap second tonight||Jeffrey Lerman||8/2/12 9:10 AM|
Assuming that the current ntpd design spec is that:
a) Leap second flags can be cleared by EITHER the passage of the
actual leap second, OR the receipt (at any time) of a LI=0 from the
current upstream server
b) Leap second flags can be set by receipt (at any time) of LI != 00
from the current upstream server (or also from reading a leap-second file?)
Then it seems that it's important that the leap status in reply packets
be correct at all times. If there is even the slightest deviation in
the moment at which a server's reply packet LI value changes to 00, then
there will be trouble -- too soon and we risk clients missing the leap,
too late and we risk arming a bogus leap.
Bearing in mind that I don't know if the actual design spec matches what
I wrote in a) above, but assuming for argument's sake that it does: It
seems to me that that's a brittle system. One way to add robustness
would be to program clients to independently set LI=00 during, say the
first half of the month, and to ignore the LI value from servers during
that time. That provides a (very long!) buffer time during which the
server can get around to zeroing the LI field, and should prevent bogus
seconds from propagating easily.
|Re: WARNING: someone's faking a leap second tonight||Richard B. Gilbert||8/2/12 1:42 PM|
Does ANYONE use a stratum 10 server? If so, how good is the time?
Could a dripping faucet do as well or better?
|Re: WARNING: someone's faking a leap second tonight||E-Mail Sent to this address will be added to the BlackLists||8/2/12 2:56 PM|
Richard B. Gilbert wrote:> Does ANYONE use a stratum 10 server?
Sure all the way up to S 15.
I rarely see them getting past S 4 in practice,
except for when fudged / orphaned to a higher stratum.
That would mostly depend on the dispersion
of every server increasing from the root?
Worst of which would being network latency jitter?
Although the poll rate is going to add some?
Likely at least 10ms out,
in practice probably low 100s of ms out from the root,
if they were all non-LAN internet servers
to each other neighbor.
If you have two remote internet locations,
with five free computers at each location,
you could find out for yourself.
and have A1 noselect B10 for comparison.
I guess you could do it with four
at each remote internet location,
if you started with a S2 pool server,
and no selected the S0 & S10 on your S3.
E-Mail Sent to this address <BlackList@Anitech-Systems.com>
will be added to the BlackLists.
|Re: WARNING: someone's faking a leap second tonight||Martin Burnicki||8/3/12 1:53 AM|
steven Sommars wrote:Which versions of ntpd are affected is exactly what we need to find out.
As I've mentioned earlier the reports I had heard were from some really
old versions of ntpd (4.2.0*). I don't think there are many pool servers
running such an old version of ntpd, so for me it sounds like this
problem still persists in relatively current versions of ntpd.
|Re: WARNING: someone's faking a leap second tonight||Martin Burnicki||8/3/12 2:09 AM|
Jeffrey Lerman wrote:
> Assuming that the current ntpd design spec is that:
> a) Leap second flags can be cleared by EITHER the passage of the
> actual leap second, OR the receipt (at any time) of a LI=0 from the
> current upstream server
> b) Leap second flags can be set by receipt (at any time) of LI != 00
> from the current upstream server (or also from reading a leap-second file?)
> Then it seems that it's important that the leap status in reply packets
> be correct at all times.
On Unix-like systems supporting kernel PLL the leap second warning
received from an upstream server, from a refclock, or from a leap second
file is simply passed down to the kernel, starting an hour or so before
the leap event time.
The kernel then cares about handling of the leap second, so ntpd has to
wait until the kernel has finished doing so, and then ntpd can disarm
its internal leap second warning which is passed to its clients.
> If there is even the slightest deviation in
> the moment at which a server's reply packet LI value changes to 00, then
> there will be trouble -- too soon and we risk clients missing the leap,
> too late and we risk arming a bogus leap.
In my opinion "too soon" would have more impact here since clients could
disarm their leap second handling if they receive a reply from a server
without leap warning shortly before the leap second.
It would be very hard to have ntpd disarm its leap status immediately
when the kernel has finished handling the leap second. It could be
polling the kernel's status to see when the kernel has cleared his leap
flag, but the result would also depend on *when* the *kernel* clears the
> Bearing in mind that I don't know if the actual design spec matches what
> I wrote in a) above, but assuming for argument's sake that it does: It
> seems to me that that's a brittle system. One way to add robustness
> would be to program clients to independently set LI=00 during, say the
> first half of the month, and to ignore the LI value from servers during
> that time. That provides a (very long!) buffer time during which the
> server can get around to zeroing the LI field, and should prevent bogus
> seconds from propagating easily.
That sounds reasonable, and I could have sworn ntpd would refuse to
accept a new leap second warning a few seconds after a leap second had
just occurred. However, this does not seem top be the case.
Maybe a restriction in ntpd to accept incoming leap warnings only during
the last days of a month would help.
|Re: WARNING: someone's faking a leap second tonight||E-Mail Sent to this address will be added to the BlackLists||8/3/12 11:48 AM|
Martin Burnicki wrote:I think you would have to be more exact than that.
LI is used for more than one thing.
According to the doc, LI only applies to the current day?
E-Mail Sent to this address <BlackList@Anitech-Systems.com>
will be added to the BlackLists.
|Re: WARNING: someone's faking a leap second tonight||Jeffrey Lerman||8/3/12 2:04 PM|
That page appears to be out-of-date. The current protocol, for NTP
version 4, is here: http://www.ietf.org/rfc/rfc5905.txt
Note that there was a change from the earlier version, which did say
"current day". Also, the LI ("Leap Indicator") field is only used to
indicate presence/absence of an impending leap second.
The current doc says in part:
The fields and associated packet variables (in parentheses) are
interpreted as follows:
LI Leap Indicator (leap): 2-bit integer warning of an impending leap
second to be inserted or deleted in the last minute of the_*current
month*_with values defined in Figure 9.
| Value | Meaning |
| 0 | no warning |
| 1 | last minute of the day has 61 seconds |
| 2 | last minute of the day has 59 seconds |
| 3 | unknown (clock unsynchronized) |
Figure 9: Leap Indicator
Technically, there should be no need for the 2-week buffer I suggested.
However, it shouldn't hurt, and seems likely to add robustness. The
true correct solution would be to ensure that ntpd clients pay as much
attention to LI=00 from a server as to LI != 00 (and to fix the bug
Martin filed, in which the LI field goes to 00 in the last second BEFORE
the leap second - oops). Then they would be able to recover gracefully
from a brief persistence of the LI=01 value past the leap second -
assuming that no stratum 1 servers erroneously persisted the LI value.
We really need to understand why that is happening - do we have version
info from the servers that are still doing that?
Another suggestion... Should ntpd require that a stratum-1 server has a
non-expired leap-second file, and that that file should override any
upstream server for the LI data?
On 8/3/2012 11:48 AM, E-Mail Sent to this address will be added to the
|Re: WARNING: someone's faking a leap second tonight||Jeffrey Lerman||8/3/12 2:37 PM|
Oh, my mistake: I quote RFC5905 below, which is for NTPv4, which is
technically in _draft_ status - though it does seem pretty far along and
I believe current ntpd adheres to NTPv4, not v3.
For what it's worth the most recently approved protocol is, technically,
NTPv3, documented in RFC1305 - and that one does say "current day" -
though again, ntpd respects the end-of-month rule.
David Mills' website includes this page:
There one can see two things:
- The idea to let the leap-seconds file override all else when it's
present is already apparently implemented. Good.
- This text:
"When an update is received from a reference clock or downstratum
server, the leap bits are inspected for all survivors of the cluster
algorithm. If the number of survivors showing a leap bit is greater
than half the total number of survivors, a pending leap condition
exists until the end of the current month."
Hmm. No mention of clearing the bit if an update is received that does
NOT show a leap bit. I wonder if that's the problem in a nutshell. Can
anyone demonstrate whether ntpd clears the bit if it is set but an
upstream server is configured and sends an LI=00 update?
|Re: WARNING: someone's faking a leap second tonight||E-Mail Sent to this address will be added to the BlackLists||8/3/12 5:18 PM|
Jeffrey Lerman wrote:See: ntp_proto.c & ntp_timer.c ?
... and platform dependent stuff ?
nt_clockstuff.c e.g. "Disarm leap second only if the leap second is not already in progress"
Dev ver of the moment:
E-Mail Sent to this address <BlackList@Anitech-Systems.com>
will be added to the BlackLists.
|Re: WARNING: someone's faking a leap second tonight||Harlan Stenn||8/3/12 5:08 PM|
Jeff wrote:The NTP code *defines* the spec, and there will be times when the
current spec and the code match, and there are times when the current
code is getting ready to define the *next* spec.
That depends on your definition of "Approved". NTPv3 (RFC 1305) never
made it out of DRAFT status.
RFC 5905 is a "Proposed Standard".
|Re: WARNING: someone's faking a leap second tonight||Jeffrey Lerman||8/3/12 5:22 PM|
Fair enough. Though with a definition like that, it's formally
impossible to distinguish bugs from intentional behavior ("features").
Anyway, I'm guessing you know the design intent, as well as the relevant
implementations, pertaining to the question I posed further down in that
Is the leap bit supposed to be cleared by a client if it gets LI=00 from
a server? Or is the bit only *set* based on information from a server,
and cleared only upon application of the leap second? If the latter is
the current implementation, it might well explain the bogus leap second
behavior many of us saw a few days ago. Unless you have a different
|Re: WARNING: someone's faking a leap second tonight||Harlan Stenn||8/3/12 5:42 PM|
Jeff wrote:I'd have to look all that up, and I know different versions behave
This topic is something that's getting a lot of recent discussion and
|Re: WARNING: someone's faking a leap second tonight||David Woolley||8/4/12 1:07 AM|
Harlan Stenn wrote:I think you mean the "ntpd reference implementation", e.g. Microsoft's
NTP code does not define the standard.
Also, I don't think this is the correct relationship between RFCs and
reference implementations. An RFC specifies the protocol for a specific
reference implementation. If you do more than fix bugs in the reference
implementation, you need a new RFC before it becomes the standard.
|Re: WARNING: someone's faking a leap second tonight||Harlan Stenn||8/4/12 3:10 AM|
David Woolley writes:Yes, thanks...
Yes, and what you describe is the ordinary case.
The reference implementation for NTP is a bit different - any difference
between the specification and the reference implementation is grounds
for careful scrutiny and deliberation. Sometimes the spec is correct.
More often than not, the code is the preferred way to go.
There comes a time when ntp-stable is the "current" RFC code and
specification, and ntp-dev is what we use to start to drive the "next"
version of the RFC. Sometimes there are several releases of the -stable
The push towards an NTP4 RFC began in late '96, with ntp-4.0 being
released in September of '97. The last release in the 4.0 branch was in
January of '00. The 4.1 branch (improvements to the V4 spec, etc.) ran
from August of '01 thru July of '03. The 4.2 branch has run from
October of '03 until now. We're expecting the last release of the 4.2
branch this summer, and after that we'll start on the next branch of the
code (which is still expected to drive the NTPv4 specification forward).
|Re: WARNING: someone's faking a leap second tonight||unruh||8/4/12 9:28 AM|
On 2012-08-04, David Woolley <firstname.lastname@example.org> wrote:And it is a reference implimentation, not the definition. Ie, it is an
implimentation that is supposed to follow the standard. It does not
define the standard.I think that the reference implimentation impliments a specific rfc. Ie,
the rfc comes first.
An rfc is just a request for comments. It is NOT a standard. It may
become one ( although I think none of the ntp rfcs have actually ever
|Re: WARNING: someone's faking a leap second tonight||David Woolley||8/4/12 12:39 PM|
unruh wrote:My understanding is the reverse. My understanding is that the RFC
system requires a reference implementation, to prove that the
specification is implementable, before the specification can be
published as an RFC.
|Re: WARNING: someone's faking a leap second tonight||Richard B. Gilbert||8/4/12 12:47 PM|
It's unlikely to become a standard until people stop tinkering with it!
It's pure hell trying to "standardize" a moving target.
The standard, when published, must satisfy meet the needs of the
community. It won't be easy. We've had something that works for most
of us for the last few years. With a bit of luck we can have "this is
how it works and these are the standards that a conforming
implementation must meet".
Blood will flow before we get a standard we can all agree on.
Hopefully, only people I don't like will be killed. ;-)
|Re: WARNING: someone's faking a leap second tonight||Jeffrey Lerman||8/4/12 11:13 AM|
Yes. The unfortunate combination of the bogus leap second and the
newly-discovered (on July 1) Linux kernel bug related to leap-second
handling means that bogus leap seconds have a much bigger-than-normal
It looks like this recently-filed (and cryptically-named) ntpd bug might
be related to the bogus leap seconds?
http://bugs.ntp.org/show_bug.cgi?id=2246 "sys_leap is stick"
If so, that bug possibly ought to be bumped up in priority.
Meantime if we can confirm that installing a current/valid "leap
seconds" file should block bogus leap seconds, perhaps that could be a
recommended workaround to the bogus leap-seconds issue, until the actual
issue can be patched. Could you comment?
|Re: WARNING: someone's faking a leap second tonight||blu||8/4/12 11:32 AM|
The relationship between a protocol, the RFC that defines it and the
reference implementation (if there is one) is often not straight forward.
The early RFC almost all documented existing programs and the protocols
that they implemented. This tradition has continued to this day because
a working implementation is always preferable to a theoretical set of
standards. However, it is often the case that new standards are designed
by committee, with the (hopefully) best minds debating the features
required. You can get amazing protocols that way, but you can just as
easily end up with something that is never implemented.
In the case of NTP, the reference implementation came before the RFC,
with the RFC basically documenting the protocol that the ref-impl was
already used. Since the ref-impl continues to be an experimental
platform at its core, with most of the protocol controlled by Dr. Mills,
this is still the case.
So, an RFC defines the protocol and it is true that when others seek to
implement NTP, it is the RFC they follow. But the ref-impl is still the
gold standard that the RFC follows. And has been previously noted, this
makes it tricky to fix bugs in the protocol. One needs to be very
careful that the behavior is not intentional and just not yet documented
> questions mailing list
Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. - Martin Golding
Brian Utterback - Solaris RPE, Oracle Corporation.
|Re: WARNING: someone's faking a leap second tonight||Harlan Stenn||8/4/12 2:22 PM|
unruh writes:>> Harlan Stenn almost wrote:
>>> The NTP reference implmentation *defines* the spec, and there will
>>> be times when the ...
>You can believe what you want.
In this case you are kinda wrong. But perhaps it's a matter of
The reference implementation *in this case* is the target the RFC
intends to meet. The current RFC is developed and written based on what
the then-current ntp-dev implements.
There comes a time when the RFC is left as a marker and the code moves
on, in preparation for the next RFC.
In general you are right. And in this case most people are interested
in having correct time on their boxes, not a pedantically-correct
implementation of the RFC.
And RFCs can be updated. If there is a bug in them people can choose to
run strictly-compliant broken code or they can apply the fixes.
Other folks may choose to value "better timekeeping" and they can have
what they want, too.
NTPv2 was a standard.
|Re: WARNING: someone's faking a leap second tonight||Nathan Stratton Treadway||8/4/12 3:08 PM|
On Thu, Aug 02, 2012 at 05:57:43 +0000, Dave Hart wrote:
> On Thu, Aug 2, 2012 at 1:17 AM, Chris Adams wrote:
> > I'm still seeing leap=01 from 22.214.171.124 (name1.glorb.com), a
> > stratum-2 server in the US pool (a few of my systems have it in their
> > list).
> That particular system seems to have corrected its leap indication,
I noticed that name1.glorb.com is annoucing a leap second insertion
again just now:
# date -u; ntpq -c "rv 0 leap,stratum,refid" name1.glorb.com
Sat Aug 4 21:55:10 UTC 2012
leap=01, stratum=2, refid=126.96.36.199
It seems that one (and only one) of its upstream servers is also showing
# ntpq -c "lassoc" -c "mrv &1 &999 leap,srcadr,stratum" name1.glorb.com | grep -E "leap=([^0].|.[^0])"
srcadr=truechimer.cites.illinois.edu, leap=01, stratum=1
srcadr=time-b.nist.gov, leap=11, stratum=1
So it appears in this case "name1"'s leap flag does come and go over
time... but it's not as simple "use the current system peer's leap flag
value" (since the currently-listed refid [188.8.131.52] is a server
that does NOT have the leap flag set...).
Nathan Stratton Treadway - nath...@ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
|Re: WARNING: someone's faking a leap second tonight||Martin Burnicki||8/5/12 3:03 AM|
Nathan Stratton Treadway wrote:The command above doesn't report the version of the NTP daemon running on
date -u; /usr/sbin/ntpq -p -c rv name1.glorb.com
So 5. Aug 09:52:26 UTC 2012
remote refid st t when poll reach delay offset jitter
-navobs1.oar.net .GPS. 1 u 108 256 377 11.545 -5.508 0.118
+clock.nyc.he.ne .CDMA. 1 u 196 256 377 18.289 -0.053 0.062
*truechimer.cite .PPS. 1 u 153 256 377 14.664 0.049 0.271
-time-b.nist.gov .ACTS. 1 u 719 256 254 27.975 4.316 0.089
-utcnist2.colora .ACTS. 1 u 125 256 377 36.595 0.137 0.039
-navobs1.wustl.e .GPS. 1 u 227 256 377 19.129 -0.140 0.075
-bonehed.lcs.mit .PPS. 1 u 205 256 377 26.380 -3.559 0.115
+navobs1.gatech. .GPS. 1 u 131 256 377 27.583 -0.031 0.128
-50-77-217-185-s .ACTS. 1 u 43 256 277 34.933 -3.199 1.403
-andromeda.cs.pu .CDMA. 1 u 122 256 377 12.729 -2.859 0.138
-nist.netservice .ACTS. 1 u 193 256 377 7.332 3.041 0.081
+ben.cs.wisc.edu .GPS. 1 u 235 256 377 19.632 -0.024 0.067
-rackety.udel.ed .PPS. 1 u 178 256 377 21.960 -2.131 0.035
x184.108.40.206 .ACTS. 1 u 181 256 377 48.526 14.320 0.088
associd=0 status=46f4 leap_add_sec, sync_ntp, 15 events, freq_mode,
version="ntpd email@example.com Wed Nov 24 19:02:25 UTC 2010 (1)",
processor="i686", system="Linux/2.6.32-131.6.1.el6.i686", leap=01,
stratum=2, precision=-20, rootdelay=14.664, rootdispersion=20.099,
reftime=d3c8bd40.03e02317 Sun, Aug 5 2012 11:37:04.015, poll=8,
clock=d3c8c0dc.88fe46f6 Sun, Aug 5 2012 11:52:28.535, state=4,
offset=-0.034, frequency=-356.152, jitter=0.263, noise=0.133,
So this is 4.2.4p8 which (if I remember correctly) accepts an incoming leap
warning even if only a single upstream server from the group of "survivors"
of the clustering algorithm provides it.
A quick inspection of the upstream servers shows indeed that only one of
them is providing the leap warning, namely truechimer.cites.illinois.edu
A 4.2.6 daemon would require a majority of the survivors to provide the leap
warning before it accepted it, so at least this server should not have the
eraaneous leat bit set if it were running 4.2.6.
If I remember correctly then cases like this where the reason why the
requirement of a majority was introduced after 4.2.4.
|Re: WARNING: someone's faking a leap second tonight||Martin Burnicki||8/5/12 3:49 AM|
E-Mail Sent to this address will be added to the BlackLists wrote:If we are going to discuss this absolutely in detail the even more things
need to be taken into account, e.g. where the leap second warnings come
from, how long they persist, and how they are passed to NTP.
E.g. the GPS satellites usually start to send information about an upcoming
leap second about 6 months before the leap second event actually occurs,
shortly after the IERS has sent its bulletin C which announces this. The
sats don't simply send a warning flag but the exact UTC time *when* this is
going to happen. So GPS receivers know about the leap second long before it
becomes interesting for NTP.
It depends on the GPS receiver at which time it starts to output a leap
second warning so ntpd can become aware of it, which protocol is used to
pass GPS time to NTP, and if the selected protocol even supports leap
second warnings. Correct me if I'm wrong, but as far as I know there is
e.g. no NMEA sentence providing a leap second warning before the leap
second actually occurs. For operation with NTP it is not sufficient just to
send second 60 *during* the leaps second, i.e. when the leap second is
already in progress.
On the other hand there are string formats supported by the parse river
(driver 8) which do support this.
The German longwave transmitter DCF77 starts to send out a leap second
warning flag only 1 hour before the leap second occurs. This interval may
be long enough to provide the leap warning for stratum 1 and eventually
stratum 2 servers, but it is probably too short for clients at a lower
stratum level if large polling intervals are used, simply because the worst
case summary of polling intervals exceeds the announcement interval.
If IRIG signals are used for refclocks then things are even worse since most
IRIG frame formats don't even support leap second warnings. Only IRIG
formats with extension IEEE 1344 or its successor, IEEE C37.118 support
this, but the announcement interval is only 1 minute or so, which is
definitely to short to pass a leap second warning reliably from an IRIG
controlled stratum-1 NTP server down to a chain of secondaries and clients.
So in some cases like this a leap second file (which needs to be updated
regularly) should at least be a way to get the leap second be handled
On the other hand, if you are using a GPS receiver and a serial string
format providing ntpd with a leap second warning early enough, then you
don't have to care about leap seconds since the GPS receiver gets the
warnings from the satellites, and you don't have to worry if your leap
second file is updated regularly.
If it comes to NTP then you should always mention the version of NTP you are
talking about since the behaviour of leap second handling has changed
across versions, e.g.
- when ntpd starts to accept a leap warning
- from which sources it accepts a leap warning under which conditions: from
a single upstream server (earlier NTP versions) or only from a majority
(current NTP versions), from refclocks, from a leap second file, and which
priorities come into effect if there are upstream servers *and* one or more
refclocks *and* a leap second file, or another combination of those.
- which plausibilty checks ntpd does to avoid erraneaous leap second
warnings: earlier NTP versions inserted a leapsecond only at the end of
June or the end of December, but supported also leap second deletions which
could occur in theory and can also be warned about by GPS, while current
versions of ntpd accept leap second warning for the end of *any* month, but
(as far as I know) don't support leap second deletion anymore at all.
Of course, all of the above is valid only in the absence of firmware bugs or
NTP bugs which can mess up everything.
|Re: WARNING: someone's faking a leap second tonight||Martin Burnicki||8/5/12 4:18 AM|
Jeffrey Lerman wrote:I think a main problem here is that there are many software developers who
are not aware at all that leap seconds exist, or they just don't care.
In the 1980's and 1990's there were leap seconds about once every 12 or 18
months, and most people working on stuff which could be affected by leap
seconds were aware of this and took care the leaps were handled correctly
since the next one was going to come "soon".
Then after Jan 1999 there was suddenly a period of 7 years without any leap
second, and people just forgot about them or didn't really care about leap
seconds anymore. Then for Dec 2005 a new leap second was scheduled which
already caused some trouble, and until the next leap seconds (Dec 2008 and
June 2012) there were intervals of 3 and 3 1/2 years. Hers a link with a
graph showing the UTC time steps due to leap seconds:
|Re: WARNING: someone's faking a leap second tonight||unruh||8/5/12 1:24 PM|
On 2012-08-04, Harlan Stenn <st...@ntp.org> wrote:Except of course that the reference implimentation contains a huge bunch
of stuff that is never intended to be part of the rfc ( the exact order
fo the statements, the exact implimentation details, etc). As it is the
rfc already defines far too many things that are accidents of
theimplimentation rather than design specifications that any
implimentation should meet.
For example the code contains bugs. If the code is supposed to be the
defining structure, then of course there are no bugs, just features. The
leap second hangs the whole implimentation? That is as it should be. The
implimentation does a leapsecond round robin so that it never shuts off?
Thatis as it should be. After all the code defines ntp. That would be an
absurd position to take. Now the RFC may be an abstraction from the
code, but again, one wants to make sure that it is a sufficiently
generic abstraction that may valid implimentations are possible.
They also do not care exactly how that is accomplished-- whether via ntp
or chrony say, as long as it is robust and correct.
But there should be difference between a logical bug in the rfc and a
coding bug in the reference implimentation.
|Re: WARNING: someone's faking a leap second tonight||Harlan Stenn||8/5/12 11:19 PM|
unruh writes:So what? Any implementation has such freedoms.
I don't know. But have you submitted alleged this list to the RFC
Now you just are being silly.
The code has bugs.
The RFC probably has bugs.
Your email has typos (bugs).
Mine probably does too.
What are you talking about? And that was rhetorical, as you're being a
troll and I'm done with this particular interaction after I send this.
What are you talking about? Ibid.
That was better, thanks.
Different perspectives on the issue. From what I've seen Chrony has its
pros and cons. But none of this is related to the discussion above, as
best as I can tell. Unless you want to attempt to assert that chrony is
an NTP reference implementation, which I suspect you are not trying to do.
I don't think you read what I wrote about this. Please go back and look.
The phrase I used ended with "careful scrutiny and deliberation".
|Re: WARNING: someone's faking a leap second tonight||Dick Wesseling||8/6/12 5:44 AM|
In article <501D6636...@gmail.com>,
Jeffrey Lerman <jeffrey...@gmail.com> writes:
> It looks like this recently-filed (and cryptically-named) ntpd bug mightI intended to type "sticky".
|Re: WARNING: someone's faking a leap second tonight||Richard B. Gilbert||8/6/12 12:51 PM|
Proof read before hitting "send"! Especially if you are a poor typist.
I find that a "spelling checker" is a good thing to use.
Of course it won't help much if you type the wrong word!
|unk...@googlegroups.com||8/30/12 10:01 AM||<This message has been deleted.>|
|Re: WARNING: someone's faking a leap second tonight||irte...@gmail.com||8/30/12 10:05 AM|
On Wednesday, August 1, 2012 12:08:40 PM UTC-5, steven Sommars wrote:
> The main standard says a leap second is allowed in any month. That's what
> the reference ntpd does.
> See ITU-R, TF460, STANDARD-FREQUENCY AND TIME-SIGNAL EMISSIONS.
> This link may work:
> On the other hand Bulletin C (
> ftp://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat) says December or June.
> Take your pick.
Yes, for future notifications of the real authority on leap seconds, simply go to http://hpiers.obspm.fr/eop-pc/index.php?index=bulletin_registration&lang=en and add yourself to the C Bulletins. You will receive regular updates on when they will occur, or if the next possible block (December / June) is not to occur.
|Re: WARNING: someone's faking a leap second tonight||Miroslav Lichvar||8/31/12 2:10 AM|
On Thu, Aug 02, 2012 at 05:57:43AM +0000, Dave Hart wrote:> but plenty of other pool participants are advertising leap. I have
> this laptop set to associate with every IP in a list of all pool
> servers as of late June. The following are showing leap=01 now:
From that list the following IPv4 servers still seem to be announcing
a pending leap second:
220.127.116.11 United States
18.104.22.168 United States
22.214.171.124 United States
126.96.36.199 United States
188.8.131.52 United States
184.108.40.206 United Kingdom
220.127.116.11 United Kingdom
18.104.22.168 United Kingdom
22.214.171.124 United States
|Re: WARNING: someone's faking a leap second tonight||Terje Mathisen||8/31/12 3:40 AM|
Miroslav Lichvar wrote:I think I know one cause of those leap bits:
Two days ago I was asked to visit a local power company who had ntp
problems, turned out that they had a bunch of routers acting as ntp
relays, all with the leap bit set.
The cause was that they had a pair of Symmetricom 350's as their root
servers, set up as mutual peers, and one of them did indeed claim that a
leap second was upcoming.
I suspect this was caused by the combination of sticky leap bits and a
possible race condition during the actual passing of the leap second on
midnight UTC June 30.
Restarting the faulty ntpd process fixed the server issue but they still
had to find time to restart all their distribution routers before
Symmetricom has not released any firmware updates for the 300 series
since last fall.
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"