diff --git a/NEWS b/NEWS
index 2096a00cac7e7afde1ddb3d5ad4585e0b560c761..6192ab3cd008a0861b41c60ce590f772489f185b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,10 @@
+release/005.009 (2017-07-07) 
+
+    [ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help 
+    address the timekeeping problem with vmware. This means always reset
+    the clock, even if the new time is more than 1000s away from the 
+    current system time. [ljlgeek]
+
 release/005.008 (2017-06-25)
 
     [ssh] Add $max_sessions options. [adamhl]
diff --git a/files/ntp/etc/ntp.conf b/files/ntp/etc/ntp.conf
index dc2b650c7c227093564c1c0fc01f4dca80d50822..415df2c99fc259f6edc17109448713a330bd7c76 100644
--- a/files/ntp/etc/ntp.conf
+++ b/files/ntp/etc/ntp.conf
@@ -1,3 +1,12 @@
+tinker panic 0
+# ^^^^^^^This should be the first configuration item in the conf file!
+# See "NTP Recommendations"
+# https://kb.vmware.com/selfservice/viewdocument.do?cmd=displayKC&docType=kc&externalId=1006427
+#
+# Always reset the clock, even if the new time is more than 1000s away
+# from the current system time.  We need this on VMs and it shouldn't hurt
+# anywhere else.  
+
 # This is the default site ntpd configuration file.  It queries the three
 # stratum-one time servers, which use GPS receivers for accurate time.  It also
 # queries SRCC's stratum-one time server, located in SRCF, which also uses GPS.
@@ -24,10 +33,5 @@ restrict -6 ::1
 restrict default ignore
 restrict -6 default ignore
 
-# Always reset the clock, even if the new time is more than 1000s away
-# from the current system time.  We need this on VMs and it shouldn't hurt
-# anywhere else.
-tinker panic 0
-
 # Disable the monlist command, since it can be used for a UDP DoS attack.
 disable monitor