Diffstat (limited to 'usr.sbin/ntp/doc/ntp.conf.5')
-rw-r--r-- usr.sbin/ntp/doc/ntp.conf.5 | 26
1 files changed, 24 insertions, 2 deletions
diff --git a/usr.sbin/ntp/doc/ntp.conf.5 b/usr.sbin/ntp/doc/ntp.conf.5
index 4e45240..42af4a5 100644
--- a/usr.sbin/ntp/doc/ntp.conf.5
+++ b/usr.sbin/ntp/doc/ntp.conf.5
@@ -1,11 +1,11 @@
-.Dd April 26 2016
+.Dd June 2 2016
.Dt NTP_CONF 5 File Formats
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed April 26, 2016 at 08:28:36 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed June 2, 2016 at 07:36:16 AM by AutoGen 5.18.5
.\" From the definitions ntp.conf.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
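Review bot: confirm that ntp.conf.def carries the same peer_clear_digest_early text, because the header lines in this hunk say the page is AutoGen output from that definitions file and a change made only here would be lost at the next regeneration. The .Dd and "AutoGen-ed" timestamp bumps suggest the page was regenerated, but the definitions change is not visible in this diff.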
@@ -2442,6 +2442,7 @@ The default value is 46, signifying Expedited Forwarding.
.Cm calibrate | Cm kernel |
.Cm mode7 | Cm monitor |
.Cm ntp | Cm stats |
+.Cm peer_clear_digest_early |
.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
@@ -2451,6 +2452,7 @@ The default value is 46, signifying Expedited Forwarding.
.Cm calibrate | Cm kernel |
.Cm mode7 | Cm monitor |
.Cm ntp | Cm stats |
+.Cm peer_clear_digest_early |
.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
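Review bot: the added .Cm peer_clear_digest_early line sits after stats in this synopsis (and in the identical hunk above), while the description added further down places the flag before .It Cm stats. Move it between ntp and stats so the synopsis keeps the alphabetical order the existing flags follow and matches the order of the description list.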
@@ -2518,6 +2520,26 @@ closes the feedback loop, which is useful for testing.
The default for
this flag is
.Ic enable .
+.It Cm peer_clear_digest_early
+By default, if
+.Xr ntpd 8
+is using autokey and it
+receives a crypto\-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the peer variables are immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto\-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
.It Cm stats
Enables the statistics facility.
See the
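Review bot: the added paragraph never states what ntpd does once the flag is disabled, and the "You can check your peerstats file" sentence gives no hint of what entry counts as evidence, so an operator deciding whether to trade quick recovery after a server key change for DoS resistance has nothing concrete to act on. State the disabled behaviour explicitly and name the peerstats indication to look for. In the same added lines, "noticable" should be "noticeable", and a comma is needed after "origin timestamp checks" before "the peer variables are immediately cleared".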