What is a chrony.conf configuration which reflects all security features of my ntp.conf?
Issue
I need to generate a standard /etc/chrony.conf file which will be routinely deployed on all RHEL7 servers via puppet. Historically, the default pre-RHEL7 ntp /etc/ntp.conf file that we have been deploying has been as follows:
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
broadcastdelay 0.008
server <server1>
server <server2>
I have subsequently formed the following /etc/chrony.conf file. Could you please sanity-check this file for correctness? Also, with respect to the chronyd options, I did not really come across an equivalent of the ntp lines that I know are recommended as a security standard:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Can I be confident that the chronyd defaults (and what I have put in place in the proposed conf file) would configure chronyd to a similarly secure level? For example, I do not see any Red Hat chrony documentation references to kod (kiss-of-death packets):
server <server1>
server <server2>
driftfile /var/lib/chrony/drift
makestep 10 3
logchange 0.5
logdir /var/log/chrony
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
rtcsync
keyfile /etc/chrony.keys
generatecommandkey
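As an added example, not part of the original question or of Red Hat's documentation, the following POSIX shell audit checks a generated chrony.conf for the three properties that stand in for the ntp.conf restrict lines: no allow or cmdallow directive (chronyd serves no client and accepts commands only from localhost without them), bindcmdaddress confined to loopback, and port 0 so the NTP server socket is never opened. The sample configuration files and the function name audit_chrony_conf are constructed here, and it is assumed that the deployed chrony build treats port 0 as a client-only switch.

```shell
#!/bin/sh
# Added example, not from the original article: a post-generation audit for a
# chrony.conf that must stay client-only. In chronyd the absence of "allow"
# means no client is served (the counterpart of the ntp.conf "restrict default
# ... nopeer noquery nomodify"), "port 0" keeps the NTP server socket closed
# (assumed to be honoured by the deployed chrony version), and "bindcmdaddress"
# on loopback only confines the command port. Sample files are constructed.
set -u
workdir=$(mktemp -d)

# Constructed: the proposed conf from the question, tightened with "port 0".
good_conf="$workdir/chrony.conf.good"
cat >"$good_conf" <<'EOF'
server ntp1.example.invalid iburst
server ntp2.example.invalid iburst
driftfile /var/lib/chrony/drift
makestep 10 3
logdir /var/log/chrony
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
rtcsync
port 0
EOF

# Constructed: the same file with the kind of drift an audit must catch.
bad_conf="$workdir/chrony.conf.bad"
sed -e 's/^port 0$/allow 10.0.0.0\/8/' -e 's/^bindcmdaddress ::1$/bindcmdaddress ::/' "$good_conf" >"$bad_conf"

# Return 0 only if the file keeps chronyd client-only and its command port local.
audit_chrony_conf() {
    body=$(grep -v '^[[:space:]]*[#!;%]' "$1" | grep -v '^[[:space:]]*$')
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(allow|cmdallow)([[:space:]]|$)'; then
        echo "FAIL $1: allow/cmdallow opens NTP or command access to clients"; return 1
    fi
    bad=$(printf '%s\n' "$body" | awk '$1=="bindcmdaddress" && $2!="127.0.0.1" && $2!="::1"')
    if [ -n "$bad" ]; then
        echo "FAIL $1: command port bound off loopback: $bad"; return 1
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*port[[:space:]]+0([[:space:]]|$)'; then
        echo "FAIL $1: no 'port 0', chronyd would open the NTP server socket"; return 1
    fi
    echo "OK   $1: client-only policy holds"
}

audit_chrony_conf "$good_conf"
audit_chrony_conf "$bad_conf" || echo "(failure above is the expected result for the bad file)"
```

Note that the original "bindcmdaddress -6 ::1" form would also be flagged by the loopback check, since chrony takes a bare address and "-6" is read as the address field.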
Environment
- Red Hat Enterprise Linux (RHEL) 7
- chrony
- NTP protocol