NTP leap smear incompatibility

Root Cause

An NTP server can be configured to perform a "leap smear" in order to hide a leap second from its clients. Typically, it is used in larger networks with different NTP clients which cannot handle leap seconds in an expected way, or where it would be impractical to configure them all to do that. Some companies use leap-smearing NTP servers internally and also provide that service publicly on the internet.

A leap-smearing NTP server does not announce the leap second in NTP responses to prevent the clients from handling the leap second on their own (e.g. by stepping the clock). It slowly adjusts the served time to compensate for the one-second error. This adjustment usually takes a day and it can be performed before, around, or after the leap second. Different functions for the adjustment can be used (e.g. linear or quadratic).

The leap smear can work well only if the client does not know about the leap second from another NTP server, tzdata (chronyd configured with the leapsectz directive), or a leap file (ntpd configured with the leapfile directive). If it does know about the leap second, it will make its own adjustment of the clock for the leap second, which will be wrong and will have to be corrected again in order to synchronize with the leap-smearing server.

If the client is configured with multiple servers and they don't implement the same leap smear, or they don't all implement a leap smear, the client will get different times from different servers during the leap smear and it may stop updating its clock, or jump randomly between the servers.

It is not possible to detect a leap-smearing server before it starts the leap smear. It is a non-standard behavior (it is not described in the NTP specification) and it needs to be used carefully.