NTP question

James R Cutler james.cutler at consultant.com
Thu May 2 19:07:41 UTC 2019


> On May 2, 2019, at 2:44 PM, Harlan Stenn <stenn at nwtime.org> wrote:
> 
> 
> 
> On 5/2/2019 9:13 AM, James R Cutler wrote:
>>> On May 2, 2019, at 10:59 AM, William Herrin <bill at herrin.us
>>> <mailto:bill at herrin.us>> wrote:
>>> 
>>> On Wed, May 1, 2019 at 7:03 PM Harlan Stenn <stenn at nwtime.org
>>> <mailto:stenn at nwtime.org>> wrote:
>>> 
>>>    It's not clear to me that there's anything *wrong* with using the
>>>    pool,
>>>    especially if you're using our 'pool' directive in your config file.
>>> 
>>> 
>>> The one time I relied on the pool I lost sync a year later when all
>>> three servers the configuration picked withdrew time services and the
>>> still-running ntp client didn't return to the names to find new ones.
>>> Wonderful if that's fixed now but the pool folks argued just as
>>> strongly for using it back then.
>>> 
>>> Also, telling the security auditor that you have no idea who supplies
>>> your time source is pretty much a non-starter. You can convince them
>>> of a lot of things but you can't convince them it's OK to have no idea
>>> where critical services come from.
>>> 
>>> That's what's wrong with the pool.
>>> 
>>> Regards,
>>> Bill Herrin
>>> 
>>> 
>>> -- 
>>> William Herrin ................ herrin at dirtside.com
>>> <mailto:herrin at dirtside.com>  bill at herrin.us <mailto:bill at herrin.us>
>>> Dirtside Systems ......... Web: <http://www.dirtside.com/>
>> 
>> I have only ever used the pool as a supplement to other servers. Here is
>> a snippet from ntp.conf that was found in the bottom of a locked filing
>> cabinet stuck in a disused lavatory with a sign on the door saying
>> 'Beware of the Leopard.' *
>> 
>>    #External Time Synchronization Source Servers
>>    #
>>    server tick.usno.navy.mil           # open access
>>    server time.apple.com               # open access
>>    server Time1.Stupi.SE               # open access
>>    server ntps1-0.uni-erlangen.de      # open access
>>    server 0.pool.ntp.org               # open access
>>    server 1.pool.ntp.org               # open access
>>    server 2.pool.ntp.org               # open access
> 
> I recommend you replace the above 3 lines with:
> 
> pool CC.pool.ntp.org
> 
> where CC is an appropriate country code or region.
> 
> H
> --
>>    server nist1-nj2-ustiming.org       # open access
>>    server nist1-chi-ustiming.org       # open access
>>    server nist1-pa-ustiming.org        # open access
>>    #
>> 
>> 
>> I have not kept up with pool changes since then.
>> 
>> *Apologies to Douglas Adams
> 
> -- 
> Harlan Stenn, Network Time Foundation
> http://nwtime.org - be a Member!

Harlan,

That is good advice.  

Company($dayjob) no longer exists, but I will remember your advice next time I configure 4 or more Mac minis as an NTP peer group in my home office lab — I let the last configuration lapse as keeping up with Apple hardware and macOS changes was challenge enough and I no longer supported Network Time Services for any $dayjob or client.

The only other note is that, for Company($dayjob), I obtained explicit permission from each of a set of globally distributed time services (not shown above). I recommend that any new NTP peer group be configured with as diverse a set of servers as possible, not limited to just pool and not limited to a single connection type. 

Thank you.

	Jim
-
James R. Cutler
James.cutler at consultant.com
GPG keys: hkps://hkps.pool.sks-keyservers.net
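As an added example (not code from any poster in this thread), a small Python linter that applies the two recommendations above to an ntp.conf: Harlan's 'pool' directive in place of static 'server N.pool.ntp.org' lines, and Jim's diversity of sources. The sample configurations, the 'us' country code and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import Counter
# Constructed sample, modelled on the snippet quoted above (hostnames as posted).
SAMPLE_CONF = """\
# External Time Synchronization Source Servers
server tick.usno.navy.mil        # open access
server time.apple.com            # open access
server 0.pool.ntp.org            # open access
server 1.pool.ntp.org            # open access
server 2.pool.ntp.org            # open access
server nist1-nj2-ustiming.org    # open access
"""
# Constructed 'after' version applying the advice in the thread.
FIXED_CONF = """\
server tick.usno.navy.mil        # open access
server time.apple.com            # open access
pool us.pool.ntp.org             # CC = us is an assumed placeholder region
server nist1-nj2-ustiming.org    # open access
"""
POOL_RE = re.compile(r'(^|\.)pool\.ntp\.org$')

def parse_sources(conf_text):
    """Return (directive, hostname) pairs for server/pool/peer lines; comments stripped."""
    sources = []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        parts = line.split()
        if len(parts) > 1 and parts[0] in ('server', 'pool', 'peer'):
            sources.append((parts[0], parts[1].lower()))
    return sources

def audit(conf_text, min_sources=4, min_orgs=3):
    """Return findings for the weaknesses discussed in the thread (empty list = clean)."""
    sources = parse_sources(conf_text)
    findings = []
    # A static 'server N.pool.ntp.org' line is resolved once; if that host leaves the pool
    # the daemon never goes back to DNS, which is the outage Bill described.
    for directive, host in sources:
        if directive == 'server' and POOL_RE.search(host):
            findings.append(f"'server {host}': replace with 'pool CC.pool.ntp.org' so members are re-resolved")
    if len(sources) < min_sources:
        findings.append(f"only {len(sources)} source(s) configured; want at least {min_sources}")
    # Diversity check: count distinct operators, approximated by the last two DNS labels.
    orgs = Counter('.'.join(host.split('.')[-2:]) for _, host in sources)
    if len(orgs) < min_orgs:
        findings.append(f"sources span only {len(orgs)} operator(s): {sorted(orgs)}")
    if sources and all(POOL_RE.search(host) for _, host in sources):
        findings.append("every source is pool.ntp.org; add named servers you have permission to use")
    return findings
```

Running audit(SAMPLE_CONF) reports the three static pool lines; audit(FIXED_CONF) returns an empty list.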