On 5/2/2019 7:59 AM, William Herrin wrote:
On Wed, May 1, 2019 at 7:03 PM Harlan Stenn <stenn@nwtime.org <mailto:stenn@nwtime.org>> wrote:
It's not clear to me that there's anything *wrong* with using the pool, especially if you're using our 'pool' directive in your config file.
The one time I relied on the pool I lost sync a year later when all three servers the configuration picked withdrew time services and the still-running ntp client didn't return to the names to find new ones. Wonderful if that's fixed now but the pool folks argued just as strongly for using it back then.
Were you using 'server' entries in your ntp.conf file or a 'pool' directive?
Also, telling the security auditor that you have no idea who supplies your time source is pretty much a non-starter. You can convince them of a lot of things but you can't convince them it's OK to have no idea where critical services come from.
I'm not saying you *should* use the pool, or that you should *only* use the pool. The pool *can* be used responsibly. And I suspect Ask and his crew have documented things well enough that you could point an auditor at the docs for the 'pool' directive and the monitoring efforts that the Pool does, and between that and peering with your other internal S2 sites and some well-chosen external site and perhaps some local refclocks you would be in fine shape.
That's what's wrong with the pool.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com <mailto:herrin@dirtside.com> bill@herrin.us <mailto:bill@herrin.us> Dirtside Systems ......... Web: <http://www.dirtside.com/>
-- Harlan Stenn, Network Time Foundation http://nwtime.org - be a Member!