Hello,

Yesterday the NIST has updated its official leap-seconds file, available
at , to include the
next 31 December 2008 23:59:60 UTC leap second insertion.

HOWTO make use of this file for ntpd? Following are two step-by-step
procedures, one for ntp-stable, the other for ntp-dev, and then some
notes at the end. First procedure is for ntp-stable releases, up to any
4.2.4 revision. On your master NTP server(s), do as root:

0) If you use autokey authentication, cd to the keysdir directory, and
goto step (3).


1) Create an /etc/ntp.keysdir/ directory, cd there, and create host
parameters (as if you were using the autokey feature):

| # mkdir /etc/ntp.keysdir
| # cd /etc/ntp.keysdir/
| # ntp-keygen -H -p password


2) Add to /etc/ntp.conf those two lines:

| keysdir /etc/ntp.keysdir/
| crypto pw password


3) Download the NIST leapseconds file leap-seconds.3427142400 (or the
latest) from ftp://time.nist.gov/pub/ by passive ftp. Then make a
symlink from the generic name ntpkey_leap to the file:

| # wget --passive-ftp ftp://time.nist.gov/pub/leap-seconds.3427142400
| # ln -s leap-seconds.3427142400 ntpkey_leap


4) Restart the NTP daemon. After it is synced, you can verify all worked
well using the ntpq readvar command, by looking at the date of last
modification of the data, and checking the current TAI offset:

| $ ntpq -c "rv 0 leap,leapsec,tai"
| assID=0 status=4234 leap_none, sync_lf_clock, 3 events, event_peer/strat_chg,
| leap=00, leapsec=200808080000, tai=33


------------------------------------------------------------------------
Now the procedure for ntp-dev snapshots, soon to be 4.2.6 stable
release.
------------------------------------------------------------------------
1) Download to /etc the NIST leapseconds file leap-seconds.3427142400
(or the latest) from ftp://time.nist.gov/pub/ by passive ftp. Then
make a symlink from the generic name ntp.leap to the file:

| # cd /etc/
| # wget --passive-ftp ftp://time.nist.gov/pub/leap-seconds.3427142400
| # ln -s leap-seconds.3427142400 ntp.leap


2) Add to /etc/ntp.conf this line:

| leapfile /etc/ntp.leap


3) Restart the NTP daemon. After it is synced, you can verify all worked
well using the ntpq readvar command, by checking the current TAI
offset, looking at the date of the (future) leap event, and at the
validity limit of the leapfile:

| $ ntpq -c "rv 0 leap,tai,leapsec,expire"
| associd=0 status=0259 leap_none, sync_lf_radio, 5 events, leap_armed,
| leap=00, tai=33, leapsec=200901010000, expire=200906280000


------------------------------------------------------------------------
Notes:
------------------------------------------------------------------------
- On 22 July I posted here on cptn a non-official preliminary
leap-seconds.3424118400 file. It's essentially the same as the now
released official one, so there is no need to update it. But you can, if
you prefer official things.

- You can apply this procedure on all hosts running ntpd, only on
servers, or even only on your clique of lowest stratum master servers.
In any case the leap bits will flow down on clients. And additionally,
if you use autokey, the data in the file (not the file itself) will be
sent to the authenticating clients, with the implied TAI offset.

- NIST leap-seconds file has an expiration date, currently 28 June 2009
which is 2 days before the following possibility of a leap second event.
Make sure to refresh the file before this limit, at anytime between
February and May 2009. Refresh every 6 monthes.

- Usage of a leapfile and of the new orphan mode together is dangerous:
Under some circumstances, it can lead an orphan parent to miss the leap.
While all its orphan children and simple clients do leap. During the
following minutes, those children and clients will step forward,
intoxicated by the now wrong time of their parent server. There is no
known solution to avoid for sure this potential risk, other than:
Use leapfile, or use orphan mode, but not both.
------------------------------------------------------------------------


Hoping this can help, Serge.
--
Serge point Bets arobase laposte point net