On May 2, 2019, at 2:44 PM, Harlan Stenn <stenn@nwtime.org> wrote:
On 5/2/2019 9:13 AM, James R Cutler wrote:
On May 2, 2019, at 10:59 AM, William Herrin <bill@herrin.us <mailto:bill@herrin.us>> wrote:
On Wed, May 1, 2019 at 7:03 PM Harlan Stenn <stenn@nwtime.org <mailto:stenn@nwtime.org>> wrote:
It's not clear to me that there's anything *wrong* with using the pool, especially if you're using our 'pool' directive in your config file.
The one time I relied on the pool I lost sync a year later when all three servers the configuration picked withdrew time services and the still-running ntp client didn't return to the names to find new ones. Wonderful if that's fixed now but the pool folks argued just as strongly for using it back then.
Also, telling the security auditor that you have no idea who supplies your time source is pretty much a non-starter. You can convince them of a lot of things but you can't convince them it's OK to have no idea where critical services come from.
That's what's wrong with the pool.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com <mailto:herrin@dirtside.com> bill@herrin.us <mailto:bill@herrin.us> Dirtside Systems ......... Web: <http://www.dirtside.com/>
I have only ever used the pool as a supplement to other servers. Here is a snippet from ntp.conf that was found in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.’ *
#External Time Synchronization Source Servers # servertick.usno.navy.mil# open access servertime.apple.com <http://time.apple.com># open access serverTime1.Stupi.SE# open access serverntps1-0.uni-erlangen.de <http://ntps1-0.uni-erlangen.de># open access server0.pool.ntp.org <http://0.pool.ntp.org># open access server1.pool.ntp.org <http://1.pool.ntp.org># open access server2.pool.ntp.org <http://2.pool.ntp.org># open access
I recommend you replace the above 3 lines with:
pool CC.pool.ntp.org
where CC is an appropriate country code or region.
H --
servernist1-nj2-ustiming.org <http://nist1-nj2-ustiming.org># open access servernist1-chi-ustiming.org <http://nist1-chi-ustiming.org># open access servernist1-pa-ustiming.org <http://nist1-pa-ustiming.org># open access #
I have not kept up with pool changes since then.
*Apologies to Douglas Adams
-- Harlan Stenn, Network Time Foundation http://nwtime.org - be a Member!
Harlan, That is good advice. Company($dayjob) no longer exists, but I will remember your advice next time I configure 4 or more Mac minis as an NTP peer group in my home office lab — I let the last configuration lapse as keeping up with Apple hardware and macOS changes was challenge enough and I no longer supported Network Time Services for any $dayjob or client. The only other note is that, for Company($dayjob), I obtained explicit permission from each of a set of globally distributed time services (not shown above). I recommend that any new NTP peer group be configured with as diverse a set of servers as possible, not limited to just pool and not limited to a single connection type. Thank you. Jim - James R. Cutler James.cutler@consultant.com GPG keys: hkps://hkps.pool.sks-keyservers.net