This week, I discovered a bug with NTP in 10.6 that was preventing NTP from syncing on my servers at work, so their times were all over the place. The worst pair was about 5 minutes off from one another (one was 2 minutes fast, the other was 3 minutes slow). While I don’t use Kerberos, this time difference could have been enough for things to get out of whack.
So, what was the bug? Basically, ntp doesn’t pay attention to whether IPv6 is available or not. If AAAA records are available for the NTP server you’re using and IPv6 is disabled, NTP will fail and never sync. So, let me explain a bit more.
First, get a 10.6 box up and going, on a network that supports IPv6. This might be a bit of a problem for some, but…
Next, disable IPv6 on the 10.6 box.
Now, try something like an ntptrace against an NTP server that has both IPv4 and IPv6 information in DNS.
Watch ntptrace die with:
```
ntpq: connect: No route to host
ntpq -n -c rv ntp.example.com failed at /usr/sbin/ntptrace line 39.
```
So now, try an ntptrace against the IPv4 address that ntp.example.com resolves to. Works, doesn’t it! Next, try ntptrace against an NTP server that doesn’t have an AAAA record. It also works.
I reported this bug to Apple as 7858336, and within a couple hours, I got back a response saying it was a duplicate of 6736177. So, I’m not the first to find this issue. My hope is that it’s a bug with ntptools only, and not something larger (like the whole dns resolution system). But, I haven’t found anything else that exhibits this problem.
So, for now, I’ve changed my NTP settings to hit against a “hidden” ntp server on campus that doesn’t have an AAAA record. Hopefully this issue will be resolved with 10.6.4, because this certainly is an issue for organizations that are trying to be IPv6 friendly.
As for the question of why I’ve got IPv6 disabled? It traditionally hasn’t gotten along with Xsan. So, it’s off. Simple as that.
Oh, and it seems time.apple.com (the default NTP server for 10.6 systems, and at least 10.5 before that) doesn’t have any IPv6 info, so it works just fine.
Double “oh”… if you don’t know how to check to see if your time server has an AAAA record, just do this in terminal:
`dig aaaa ntp.example.com` (where ntp.example.com is the server in question).
Good luck, and let’s all hope Apple gets this fixed.
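The check described above can be scripted for a list of time servers. This is an added example, not part of the original post: it goes one step beyond `dig` by also asking the kernel whether each returned address is routable from this host, and the names `check_ntp_host`, `udp_reachable` and the status labels are hypothetical.

```python
import socket
import sys

NTP_PORT = 123

def udp_reachable(family, sockaddr):
    """UDP connect() sends no packet; it only asks the kernel for a route,
    the same step where ntpq reported "connect: No route to host"."""
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect(sockaddr)
        return True
    except OSError:  # no route, or the address family is disabled
        return False

def check_ntp_host(host, resolve=socket.getaddrinfo, reachable=udp_reachable):
    """Report A/AAAA addresses for host and whether each is routable from here."""
    result = {"host": host, "v4": [], "v6": [], "dead": [], "status": "ok"}
    try:
        infos = resolve(host, NTP_PORT, socket.AF_UNSPEC, socket.SOCK_DGRAM)
    except socket.gaierror:
        result["status"] = "unresolvable"
        return result
    for family, _type, _proto, _canon, sockaddr in infos:
        if family == socket.AF_INET:
            result["v4"].append(sockaddr[0])
        elif family == socket.AF_INET6:
            result["v6"].append(sockaddr[0])
        else:
            continue
        if not reachable(family, sockaddr):
            result["dead"].append(sockaddr[0])
    dead = set(result["dead"])
    live_v4 = [a for a in result["v4"] if a not in dead]
    live_v6 = [a for a in result["v6"] if a not in dead]
    dead_v6 = [a for a in result["v6"] if a in dead]
    if dead_v6 and live_v4:
        # The case from the post: AAAA exists, IPv6 is unusable, IPv4 works.
        # A client with no IPv4 fallback fails against this host.
        result["status"] = "at-risk"
    elif not live_v4 and not live_v6:
        result["status"] = "unreachable"
    return result

if __name__ == "__main__":
    # Usage: python3 check_ntp.py ntp.example.com time.apple.com
    for name in sys.argv[1:]:
        print(check_ntp_host(name))
```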