James R Cutler
james.cutler at consultant.com
Thu May 2 19:07:41 UTC 2019
> On May 2, 2019, at 2:44 PM, Harlan Stenn <stenn at nwtime.org> wrote:
> On 5/2/2019 9:13 AM, James R Cutler wrote:
>>> On May 2, 2019, at 10:59 AM, William Herrin <bill at herrin.us> wrote:
>>> On Wed, May 1, 2019 at 7:03 PM Harlan Stenn <stenn at nwtime.org> wrote:
>>> It's not clear to me that there's anything *wrong* with using the
>>> especially if you're using our 'pool' directive in your config file.
>>> The one time I relied on the pool I lost sync a year later when all
>>> three servers the configuration picked withdrew time services and the
>>> still-running ntp client didn't return to the names to find new ones.
>>> Wonderful if that's fixed now but the pool folks argued just as
>>> strongly for using it back then.
>>> Also, telling the security auditor that you have no idea who supplies
>>> your time source is pretty much a non-starter. You can convince them
>>> of a lot of things but you can't convince them it's OK to have no idea
>>> where critical services come from.
>>> That's what's wrong with the pool.
>>> Bill Herrin
>>> William Herrin ................ herrin at dirtside.com  bill at herrin.us
>>> Dirtside Systems ......... Web: <http://www.dirtside.com/>
>> I have only ever used the pool as a supplement to other servers. Here is
>> a snippet from ntp.conf that was found in the bottom of a locked filing
>> cabinet stuck in a disused lavatory with a sign on the door saying
>> 'Beware of the Leopard.' *
>> #External Time Synchronization Source Servers
>> server tick.usno.navy.mil          # open access
>> server time.apple.com              # open access
>> server Time1.Stupi.SE              # open access
>> server ntps1-0.uni-erlangen.de     # open
>> server 0.pool.ntp.org              # open access
>> server 1.pool.ntp.org              # open access
>> server 2.pool.ntp.org              # open access
> I recommend you replace the above 3 lines with:
> pool CC.pool.ntp.org
> where CC is an appropriate country code or region.
>> server nist1-nj2-ustiming.org      # open
>> server nist1-chi-ustiming.org      # open
>> server nist1-pa-ustiming.org       # open access
>> I have not kept up with pool changes since then.
>> *Apologies to Douglas Adams
> Harlan Stenn, Network Time Foundation
> http://nwtime.org - be a Member!
That is good advice.
Company($dayjob) no longer exists, but I will remember your advice next time I configure 4 or more Mac minis as an NTP peer group in my home office lab — I let the last configuration lapse as keeping up with Apple hardware and macOS changes was challenge enough and I no longer supported Network Time Services for any $dayjob or client.
The only other note is that, for Company($dayjob), I obtained explicit permission from each of a set of globally distributed time services (not shown above). I recommend that any new NTP peer group be configured with as diverse a set of servers as possible, not limited to just pool and not limited to a single connection type.
James R. Cutler
James.cutler at consultant.com
GPG keys: hkps://hkps.pool.sks-keyservers.net
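Added example, not part of this thread or of any NTP project: a small Python check over an ntp.conf that flags the two problems discussed above, pool hostnames written as `server` lines (resolved once at startup, never refreshed, which is how Bill's client ended up with three dead sources) and too few explicitly named sources to answer an auditor's "who supplies your time?" The sample configs are constructed from the hostnames quoted above; `CC` is the country-code placeholder from Harlan's advice.

```python
import re

# Hostnames that end in pool.ntp.org (e.g. 0.pool.ntp.org, CC.pool.ntp.org)
POOL_RE = re.compile(r"(^|\.)pool\.ntp\.org$", re.IGNORECASE)


def parse_ntp_conf(text):
    """Return (directive, host) pairs for server/pool/peer lines, comments stripped."""
    assocs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) > 1 and parts[0] in ("server", "pool", "peer"):
            assocs.append((parts[0], parts[1].lower()))
    return assocs


def audit_ntp_conf(text, min_named_sources=4):
    """Return a list of findings; an empty list means the config passes both checks."""
    findings = []
    assocs = parse_ntp_conf(text)
    # Check 1: a pool hostname under 'server' is resolved once and never refreshed,
    # so when those hosts withdraw the client silently loses its sources.
    for directive, host in assocs:
        if directive == "server" and POOL_RE.search(host):
            findings.append(f"'server {host}' should be 'pool {host}' so ntpd re-resolves it")
    # Check 2: count distinct, explicitly chosen (non-pool) sources you can name to an auditor.
    named = {h for d, h in assocs if d in ("server", "peer") and not POOL_RE.search(h)}
    if len(named) < min_named_sources:
        findings.append(f"only {len(named)} explicitly named source(s); want at least {min_named_sources}")
    return findings


# Constructed sample: the pattern the thread warns about.
WEAK_CONF = """\
server tick.usno.navy.mil   # open access
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
"""

# Constructed sample following the advice in the thread. CC is a placeholder country code.
FIXED_CONF = """\
pool CC.pool.ntp.org            # re-resolved by ntpd; replace CC with your country code
server tick.usno.navy.mil       # open access
server time.apple.com           # open access
server Time1.Stupi.SE           # open access
server ntps1-0.uni-erlangen.de  # open access
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_ntp_conf(conf) or ["OK"])
```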