Need trusted NTP Sources

Nick Hilliard nick at
Thu Feb 6 12:09:24 UTC 2014

On 06/02/2014 11:46, Notify Me wrote:
> We're a redhat shop, and we use redhat auth which by default uses redhat
> NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.

PCI DSS states:

> 10.4.3 Time settings are received from industry-accepted time sources.

The default RHEL time servers are defined as  Many people
would consider as industry-accepted, and there are several PCI-DSS
auditing companies out there who explicitly recommend using
for this purpose.

If that's not good enough, the PCI DSS standards explicitly state in the
NTP interpretation section:

> More information on NTP can be found at, including
> information about time, time standards, and servers.

So, if PCI themselves view as being authoritative about NTP I can't
see any reason why the time servers they publish wouldn't pass an audit.

