The project is a big virtual cluster of timeservers providing reliable, easy-to-use NTP service for millions of clients.

The pool is being used by millions or tens of millions of systems around the world. It’s the default “time server” for most of the major Linux distributions and many networked appliances (see information for vendors).

The NTP package in Debian Lenny uses the NTP pool, so when a user installs NTP on their home machine, it Just Works. Unfortunately, the SCSS firewall blocks NTP traffic for all hosts except our NTP server, breaking the default configuration for users on our network. Rather than reconfiguring every client, I configured bind on our DNS servers to hijack the domain, answering nearly all requests for hosts in that domain with the address of our NTP server. This means that a user can get a working NTP installation with just:

apt-get install ntp

The sole exception is that I want the URL to work in a user’s browser. Although does resolve to our NTP server, the web server running on that host redirects requests for to, so that URL works too.

The bind zone file is quite short:

; ----------------------------------------------------------------------
; Zonefile to hijack the domain, so NTP clients use our local
; NTP server instead of futilely trying to get through the firewall.
; ----------------------------------------------------------------------

$TTL      1D

@      IN SOA (
                2009052001  ; Serial
                2H          ; Refresh - how often slaves
                            ; check for changes.
                2H          ; Retry - how often slaves will
                            ; retry if checking for changes
                            ; fails
                14D         ; Expire - how long slaves
                            ; consider their copies of our
                            ; zone to be valid for
                6H )        ; Minimum

            ; Name server records
            IN NS
            IN NS
            IN NS
            IN NS

            ; There are no MX records, because doesn't have any.

; This makes work, but of course the real address could
; change at any time.
; resolves to
; We can't use a CNAME, because bind complains that the record has
; "CNAME and other data", and ignores it.
@		IN A
; * resolves to
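
The following is an added example, not part of the original post or its configuration: a small Python model of how a zone with an apex A record and a single `*` wildcard answers A queries, including the multi-label vendor names NTP clients ask for, and of the "CNAME and other data" rule mentioned in the comments. The zone name `pool.example`, both addresses and the function names are constructed placeholders.

```python
# Added illustration, not the author's configuration. Zone name and
# addresses are constructed placeholders (reserved example ranges).
ZONE = "pool.example."
RECORDS = {                         # owner (relative to zone) -> {type: data}
    "@": {"SOA": "placeholder", "NS": "ns1.example.", "A": "192.0.2.80"},
    "*": {"A": "192.0.2.123"},      # stands in for the local NTP server
}

def cname_conflicts(records):
    """Owners that would trigger BIND's 'CNAME and other data' error."""
    return sorted(o for o, rr in records.items() if "CNAME" in rr and len(rr) > 1)

def exists(name, records):
    """A name exists if it owns records or is an ancestor of an owner."""
    return any(o == name or o.endswith("." + name) for o in records)

def lookup_a(qname, records=RECORDS, zone=ZONE):
    """Return the A answer for qname, or None (out of zone / no answer)."""
    qname = qname.lower().rstrip(".") + "."
    if qname == zone:
        return records["@"].get("A")            # apex: wildcard never applies
    if not qname.endswith("." + zone):
        return None                             # not our zone
    owner = qname[: -len(zone) - 1]
    if exists(owner, records):
        return records.get(owner, {}).get("A")  # exact match, or no A data
    labels = owner.split(".")
    # Find the closest existing ancestor; only "*.<ancestor>" may answer.
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if exists(ancestor, records):
            return records.get("*." + ancestor, {}).get("A")
    return records.get("*", {}).get("A")        # closest encloser is the apex

if __name__ == "__main__":
    for name in ("pool.example", "0.pool.example", "0.debian.pool.example"):
        print(name, "->", lookup_a(name))
```

Adding any explicit record for an intermediate name (for example a `debian` owner) stops the top-level wildcard from covering names beneath it, which is worth checking before extending a zone like this.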

You can play with it using commands like:


Our NTP server ( is part of the NTP pool, and can be used by anybody, but you’re probably better off using the pool.