Update the NEWS file so we note the default disable of mode 7 requests

bk: 4eb4b512O-jx-s-epS2A75g9mitvfQ

diff --git a/ChangeLog b/ChangeLog
index 3913883b1e0a23c8d11de7ec7305b9c26eb52aa0..41e2a5f999577088ea3e0f4d9a509bafc88e573b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* Update the NEWS file so we note the default disable of mode 7 requests.
 (4.2.7p231) 2011/11/03 Released by Harlan Stenn <stenn@ntp.org>
 * [Bug 1940] ignore auth key if hex decoding fails.
 * Add ntpq reslist command to query access restrictions, similar to

diff --git a/NEWS b/NEWS
index 76e305126396bc702cc8e0c1750608ca40473af1..a9a85d1344aaa20fba59c1eaefc0a03f8fe7f80e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ NTP 4.2.8-
 
 Important Changes
 
+* Internal NTP Era counters
+
 The internal counters that track which "era" (range of years) we are in
 rolls over every 136 years'.  The current "era" started at the stroke of
 midnight on 1 Jan 1900, and ends just before the stroke of midnight on
@@ -16,6 +18,39 @@ This check "looks back" 10 years, and "looks forward" 126 years.
 
 So if you have a system that ...
 
+* ntpdc responses disabled by default
+
+Dave Hart writes:
+
+For a long time, ntpq and its mostly text-based mode 6 (control) 
+protocol have been preferred over ntpdc and its mode 7 (private 
+request) protocol for runtime queries and configuration.  There has 
+been a goal of deprecating ntpdc, previously held back by numerous 
+capabilities exposed by ntpdc with no ntpq equivalent.  I have been 
+adding commands to ntpq to cover these cases, and I believe I've 
+covered them all, though I've not compared command-by-command 
+recently. 
+
+As I've said previously, the binary mode 7 protocol involves a lot of 
+hand-rolled structure layout and byte-swapping code in both ntpd and 
+ntpdc which is hard to get right.  As ntpd grows and changes, the 
+changes are difficult to expose via ntpdc while maintaining forward 
+and backward compatibility between ntpdc and ntpd.  In contrast, 
+ntpq's text-based, label=value approach involves more code reuse and 
+allows compatible changes without extra work in most cases. 
+
+Mode 7 has always been defined as vendor/implementation-specific while 
+mode 6 is described in RFC 1305 and intended to be open to interop 
+with other implementations.  There is an early draft of an updated 
+mode 6 description that likely will join the other NTPv4 RFCs 
+eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
+
+For these reasons, ntpd 4.2.7p230 by default disables processing of 
+ntpdc queries, reducing ntpd's attack surface and functionally 
+deprecating ntpdc.  If you are in the habit of using ntpdc for certain 
+operations, please try the ntpq equivalent.  If there's no equivalent, 
+please open a bug report at http://bugs.ntp.org./
+
 --- 
 NTP 4.2.6p5-RC1 (Harlan Stenn <stenn@ntp.org>, 2011/10/xx)