NTPsec Project Blog

Version 1.2.4

Fri, 18 Apr 2025 20:16:47 +0000

The NTPsec Project is pleased to announce the tagging of version 1.2.4

waf has been upgraded to version 2.1.4 NB: on Debian, waf now installs Python programs (ntpq, ntpmon, …) in /usr/local/lib/python3.xx/site-packages rather than …/dist-packages A quick fix is to link site-packages to dist-packages before installing. You will have to do that again each time your distro updates to a new version of Python.
Python 2.7 is now the minimum supported version. This is likely to be the last release supporting Python 2.
waf install now tests the installed binaries This will complain if your python search path isn’t working. See README-PYTHON for more info.
waf configure --enable-Werror will turn warnings into errors This lets developers and our CI find warnings in a sea of printout.
Fix ntpviz’s skewness and kurtosis formulas. Fix suggested by Frank Davis.
ntpd now runs on FIPS mode systems.
Clock fuzzing is gone. --disable-fuzz is now standard.
Fix distinct rpeers mode in PeerSummary.summary.
Fix addr2refid to work with FIPS-140-2 mode.
Update the leap-seconds.list source in ntpleapfetch.
Remove obsolete nopeer and notrap mentions from the Access Control List documentation.
ntpd can now listen on a second port. Add either "nts port xxxx" or "extra port xxxx" in your config file. If either is specified, the NTS-KE server will tell the client to use that port. This might help get around some of the blocking or filtering that ISPs are doing to port 123. (Don’t forget to let UDP traffic for that port through your firewall.) I’ve been testing with port 8123.
Client requests will also be sent from that port. Again, that will bypass some port 123 filtering.
NTPsec now builds on Linux armhf. #832
Remove some remnant broadcast/multicast cruft.
Add a ntpdig option to bind to a specific address.
Add an ntpd config file option for the NTS-KE server’s preferred TLS ciphers.
Use ntp_gettime not than ntp_adjtime for local refclcock. Set the lockclock member of loop_data while the config parses, making ntp_adjtiime unusable. Don’t write a drift file while in lockclock mode and claim to slew time so that clients will listen to us,
Work around musl library in Alpine Linux not supporting ntp_gettime.
Remove unused holdover, LOOP_KERN_CLEAR and timetoa from ntpd.
Move toward AES-128 rather than MD5 for mac tests.
Add and revise exponential timing decay and MS-SNTP testing tools.

For other changes since the previous release, please consult the project NEWS.adoc file at https://gitlab.com/NTPsec/ntpsec/-/blob/master/NEWS.adoc

Getting this release

You can clone the git repo from https://gitlab.com/NTPsec/ntpsec.git and you can download the release tarballs with sums and signatures from https://ftp.ntpsec.org/pub/releases/

This release is signed with the GPG key id E57235D22764129FA4F2F4D17F52608ED0E49D76

Remembering Doctor Mills

Sun, 21 Jan 2024 23:00:00 +0000

Remembering Dr Dave Mills

We were sad to learn that the creator of the NTP protocol, Dr David L. Mills PhD has passed away.

Dr Mills designed the NTP distributed algorithm, while also writing and maintaining the reference implementation on the very first experimental inter-networking packet switches that were the creation of the internet.

In that work he was supported by the other founders of the internet, and by skilled developers and maintainers who assisted him, and by a growing collection of skilled developers and maintainers who continued maintaining the work that he started. The maintainers of the NTPsec project count ourselves lucky to be among the people who followed in his work.

The more we discovered reading the sources of his NTP implemention, the more we became aware of his insight, technical ability, and his hope and his dream that this little "inter-network experiment" could grow to be literally world spanning. He was right, we all owe him much.

Thank you, Dr, Mills. The clocks of the world tick together in time in large part due to you.

Version 1.2.3

Sun, 31 Dec 2023 04:52:08 +0000

The NTPsec Project is pleased to announce the tagging of version 1.2.3

Change mode6 alignment to four, which may break some compatibility with classic NTP.
Seccomp should now also yield invalid syscall names when dying.
Make ntpq stop dropping output timestamp leading zeroes.
Update documents in quite a few places.
Reset some stats hourly, even when not logged into files.
Add error logging, and stats for ms-sntp.
Add spacing between multiple peer views in ntpq.
We think we have fixed ms-sntp but we can’t test it. If you can test it, please let us know if it does/doesn’t work.
ntpd and ntpq both treat SHA-1 as an alias for SHA1 NIST uses SHA-1. The crypto package from OpenSSL uses SHA1.
The default crypto type for ntpq is now AES. RFC 8573 deprecated MD5.
There are now log files with hourly statistics for NTS and NTS-KE traffic: filegen ntsstats and filegen ntskestats,
Update ntpsnmpd to use python built-in to get uname information. NTPsec/ntpsec#791
Update license file names for REUSE compliance.
Fix ntploggps issue where count_used_satellites checked before it is initialized.
Print out OpenSSL version at configure time.
Enable debug symbols by default, with only an option to disable.
Add support for ecdhcurves list.
Fix build on platforms where -fstack-protector relies on libssp, like musl.
Fix ntpdig crash when using 2.ntp.pool.org with a host without IPv6 support.
Do not install libaes_siv test anymore.
Add update option to buildprep.
ntpdig shows packet delay in JSON output.

For other changes since the previous release, please consult the project NEWS.adoc file at https://gitlab.com/NTPsec/ntpsec/-/blob/master/NEWS.adoc

Getting this release

You can clone the git repo from https://gitlab.com/NTPsec/ntpsec.git and you can download the release tarballs with sums and signatures from https://ftp.ntpsec.org/pub/releases/

This release is signed with the GPG key id E57235D22764129FA4F2F4D17F52608ED0E49D76

Version 1.2.2a

Thu, 03 Aug 2023 22:28:00 +0000

The NTPsec Project is pleased to announce the tagging of version 1.2.2a

Fix a crash in ntpd if NTS is disabled and an NTS-enabled client request (mode 3) is received. (CVE-2023-4012) #794

For other changes since the previous release, please consult the project NEWS.adoc file at https://gitlab.com/NTPsec/ntpsec/-/blob/master/NEWS.adoc

Getting this release

You can clone the git repo from https://gitlab.com/NTPsec/ntpsec.git and you can download the release tarballs with sums and signatures from https://ftp.ntpsec.org/pub/releases/

This release is signed with the GPG key id E57235D22764129FA4F2F4D17F52608ED0E49D76

Version 1.2.2

Thu, 29 Dec 2022 04:52:00 +0000

The NTPsec Project is pleased to announce the tagging of version 1.2.2

Restore/cleanup NTPv1 support
- ntpq sysstats now shows NTPv1 traffic.
- NTPv1 counter added to sysstats log file.
NTS supports partial wildcards, for example *.example.com
Work on documentation, ntpdate, ntpheat, ntploggpg, ntpq’s sysstats, ntpviz, and seccomp.
NTP auth no longer breaks on NULs.
The NTS server now saves 10 days worth of cookie keys. This will allow clients that only poll once a day to use NTS without using NTS-KE to keep cookies up to date.
rawstats now logs dropped packets and their BOGON code
- Only one per request to avoid DoSing the log file
- This lets you see packets that take too long.
Add 4 or 6 to DNS/NTS RefID tags to indicate that the DNS or NTS-KE has succeeded but NTP has not worked yet.
Build improvements
- Respect --notests configure option for build
- Add --enable-attic (default off)
- Restore Python 2.6 support
- Restore LibreSSL support
- Add support for OpenSSL 3.0
Fix hash validation in ntpleapfetch again.
FreeBSD now gets nanosecond resolution on receive time stamps.

For other changes since the previous release, please consult the project NEWS.adoc file at https://gitlab.com/NTPsec/ntpsec/-/blob/master/NEWS.adoc

Getting this release

You can clone the git repo from https://gitlab.com/NTPsec/ntpsec.git and you can download the release tarballs with sums and signatures from https://ftp.ntpsec.org/pub/releases/

This release is signed with the GPG key id E57235D22764129FA4F2F4D17F52608ED0E49D76

Version 1.2.1

Mon, 07 Jun 2021 05:00:00 +0000

version 1.2.1

The NTPsec Project is pleased to announce the tagging of version 1.2.1

Update ntpkeygen/keygone to properly filter # characters. (CVE-2021-22212)

Add dextral peers mode in ntpq and ntpmon.

Drop NTPv1 as the support was not RFC compliant, maybe v2 except mode 6 next.

Fix argument P for ntpd parsing fixed and ntpdate improvements.

Fix crash for raw ntpq readvar.

Add processor usage to NTS-KE logging except on NetBSD.

Remove --build-epoch and replace it with arbitrary --build-desc text. Passing '--build-desc=$(date -u +%Y-%m-%dT%H:%M:%Sz)' restores the previous default extended version.

The build epoch has been replaced with a hardcoded timestamp which will be manually updated every nine years or so (approx 512w). This makes the binaries reproducible by default.

Compare versions of ntp.ntpc and libntpc printing a warning if mismatched. Fix libntpc install path if using it.

Reduce maxclocks default to 5 to reduce the NTP pool load.

Print LIBDIR during ./waf configure.

Add documentation, new GPG key, and other cleanups.

For other changes since the previous release, please consult the project NEWS.adoc file at https://gitlab.com/NTPsec/ntpsec/-/blob/master/NEWS.adoc

Getting this release

You can clone the git repo from https://gitlab.com/NTPsec/ntpsec.git and you can download the release tarballs with sums and signatures from ftp://ftp.ntpsec.org/pub/releases/

This release is signed with the GPG key id E57235D22764129FA4F2F4D17F52608ED0E49D76

Version 1.2.0

Tue, 06 Oct 2020 05:00:00 +0000

version 1.2.0

The NTPsec Project is pleased to announce the tagging of version 1.2.0

The minor version bump is to indicate official official support of RFC8915 "Network Time Security for the Network Time Protocol" which was released 2020-09-30.

For other changes since the previous release, please consult the project NEWS.adoc file at https://gitlab.com/NTPsec/ntpsec/-/blob/master/NEWS.adoc

Getting this release

You can clone the git repo from https://gitlab.com/NTPsec/ntpsec.git and you can download the release tarballs with sums and signatures from ftp://ftp.ntpsec.org/pub/releases/

This release is signed with the GPG key id E57235D22764129FA4F2F4D17F52608ED0E49D76 which is a new key.

About today

On this day in 1783, Benjamin Hanks received a patent for a self-winding clock he planned to install in the Old Dutch Church in Kingston, New York, supposedly making it the first public clock in what became the New York City metropolitan area.

Version 1.1.9

Sat, 23 May 2020 00:00:00 +0000

version 1.1.9

The NTPsec Project is pleased to announce the tagging of version 1.1.9

This should be the last point release of NTPsec before the Network Time Security RFC is approved by the IETF. We expect to release 1.2.0 when that happens.

Analysis shows that CVE-2020-11868, affecting NTP Classic, cannot affect us, as the peer mode involved has been removed.

For other changes since the previous release, please consult the project NEWS.adoc file at https://gitlab.com/NTPsec/ntpsec/-/blob/master/NEWS.adoc

Getting this release

You can clone the git repo from https://gitlab.com/NTPsec/ntpsec.git and you can download the release tarballs with sums and signatures from ftp://ftp.ntpsec.org/pub/releases/

This release is signed with the GPG key id B48237761A2690222C995F445A22E330161C3978

About today

Today is Blursday, Maprilay 84th, 2020, of the COVID-19 panic.

On this day, in 1844, the first commerical telegraph line came online.

Copyright statements do not need the year

Sat, 15 Feb 2020 02:00:00 +0000

Copyright statements do not need the year

I need to preface this post with the statement that I am not a lawyer, and that I am not speaking on behalf of my dayjob employer.

There is no need to include the year in a copyright declaration statement. And related, there is no need to update the year statement, add new year statements, manage year range statements, or any of that stuff. It is tedious, boring, adds no value, and prevents no risks.

Several large legally sophisticated companies, include Amazon, Google, Microsoft, and Facebook, are now publishing open source code with copyright statements without a year.

And so, I have added the following to our devel/hacking document.

Do not specify a year in a copyright statement. Most of the existing copyright statements already present in the project have been scrubbed of the year. There is no need to specify the year in a copyright statement. Several large legally sophisticated companies, include Amazon, Google, Microsoft, and Facebook, are now publishing open source code with copyright statements without a year. We encourage the larger open source community to emulate this.

Being able to do this now has taken a surprisingly large amount of work behind the scenes, especially on the part of those large companies. Do please take advantage of it, and write simpler copyright statements in your open source projects from now on.

Version 1.1.8

Sun, 17 Nov 2019 00:00:00 +0000

version 1.1.8

The NTPsec Project is pleased to announce the tagging of version 1.1.8

As aways, the most accurate record of changes is in the NEWS file, the git log, and the git history.

This version has fixes and tweaks to handling certs for NTS.

We have also removed the last #define _XOPEN_SOURCE, as well as removing many other now unneeded #ifdefs, and cleaned up warnings and build issues for several OS targets. See the git history for details.

Getting this release

You can clone the git repo from https://gitlab.com/NTPsec/ntpsec.git and you can download the release tarballs with sums and signatures from ftp://ftp.ntpsec.org/pub/releases/

This release is signed with the GPG key id B48237761A2690222C995F445A22E330161C3978