1 files changed, 24 insertions, 2 deletions

diff --git a/contrib/ntp/ntpd/ntp.conf.5mdoc b/contrib/ntp/ntpd/ntp.conf.5mdoc
index c6c7e6c..21806bc 100644
--- a/contrib/ntp/ntpd/ntp.conf.5mdoc
+++ b/contrib/ntp/ntpd/ntp.conf.5mdoc
@@ -1,9 +1,9 @@
-.Dd April 26 2016
+.Dd June 2 2016
 .Dt NTP_CONF 5mdoc File Formats
 .Os
 .\"  EDIT THIS FILE WITH CAUTION  (ntp.mdoc)
 .\"
-.\"  It has been AutoGen-ed  April 26, 2016 at 08:28:36 PM by AutoGen 5.18.5
+.\"  It has been AutoGen-ed  June  2, 2016 at 07:36:16 AM by AutoGen 5.18.5
 .\"  From the definitions    ntp.conf.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -2440,6 +2440,7 @@ The default value is 46, signifying Expedited Forwarding.
 .Cm calibrate | Cm kernel |
 .Cm mode7 | Cm monitor |
 .Cm ntp | Cm stats |
+.Cm peer_clear_digest_early |
 .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
 .Oc
 .Xc
@@ -2449,6 +2450,7 @@ The default value is 46, signifying Expedited Forwarding.
 .Cm calibrate | Cm kernel |
 .Cm mode7 | Cm monitor |
 .Cm ntp | Cm stats |
+.Cm peer_clear_digest_early |
 .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
 .Oc
 .Xc
@@ -2516,6 +2518,26 @@ closes the feedback loop, which is useful for testing.
 The default for
 this flag is
 .Ic enable .
+.It Cm peer_clear_digest_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+is using autokey and it
+receives a crypto\-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the peer variables are immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto\-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
 .It Cm stats
 Enables the statistics facility.
 See the