<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div><blockquote type="cite" class=""><div class="">On May 2, 2019, at 2:44 PM, Harlan Stenn <<a href="mailto:stenn@nwtime.org" class="">stenn@nwtime.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><br class=""><br class="">On 5/2/2019 9:13 AM, James R Cutler wrote:<br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">On May 2, 2019, at 10:59 AM, William Herrin <<a href="mailto:bill@herrin.us" class="">bill@herrin.us</a>> wrote:<br class=""><br class="">On Wed, May 1, 2019 at 7:03 PM Harlan Stenn <<a href="mailto:stenn@nwtime.org" class="">stenn@nwtime.org</a>> wrote:<br class=""><br class="">    It's not clear to me that there's anything *wrong* with using the pool,<br class="">    especially if you're using our 'pool' directive in your config file.<br class=""><br class=""><br class="">The one time I relied on the pool I lost sync a year later when all<br class="">three servers the configuration picked withdrew time services and the<br class="">still-running ntp client didn't return to the names to find new ones.<br class="">Wonderful if that's fixed now but the pool folks argued just as<br class="">strongly for using it back then.<br class=""><br class="">Also, telling the security auditor that you have no idea who supplies<br class="">your time source is pretty much a non-starter. 
You can convince them<br class="">of a lot of things but you can't convince them it's OK to have no idea<br class="">where critical services come from.<br class=""><br class="">That's what's wrong with the pool.<br class=""><br class="">Regards,<br class="">Bill Herrin<br class=""><br class=""><br class="">-- <br class="">William Herrin ................ <a href="mailto:herrin@dirtside.com" class="">herrin@dirtside.com</a>  <a href="mailto:bill@herrin.us" class="">bill@herrin.us</a><br class="">Dirtside Systems ......... Web: <<a href="http://www.dirtside.com/" class="">http://www.dirtside.com/</a>><br class=""></blockquote><br class="">I have only ever used the pool as a supplement to other servers. Here is<br class="">a snippet from ntp.conf that was found in the bottom of a locked filing<br class="">cabinet stuck in a disused lavatory with a sign on the door saying<br class="">'Beware of the Leopard.' *<br class=""><br class="">    #External Time Synchronization Source Servers<br class="">    #<br class="">    server tick.usno.navy.mil # open access<br class="">    server time.apple.com # open access<br class="">    server Time1.Stupi.SE # open access<br class="">    server ntps1-0.uni-erlangen.de # open access<br class="">    server 0.pool.ntp.org # open access<br class="">    server 1.pool.ntp.org # open access<br class="">    server 2.pool.ntp.org # open access<br class=""></blockquote><br class="">I recommend you replace the above 3 lines with:<br class=""><br class=""> pool CC.pool.ntp.org<br class=""><br class="">where CC is an appropriate country code or region.<br class=""><br class="">H<br class="">--<br class="">
<blockquote type="cite" class="">    server nist1-nj2-ustiming.org # open access<br class="">    server nist1-chi-ustiming.org # open access<br class="">    server nist1-pa-ustiming.org # open access<br class="">    #<br class=""><br class=""><br class="">I have not kept up with pool changes since then.<br class=""><br class="">*Apologies to Douglas Adams<br class=""></blockquote><br class="">-- <br class="">Harlan Stenn, Network Time Foundation<br class=""><a href="http://nwtime.org" class="">http://nwtime.org</a> - be a Member!<br class=""></div></div></blockquote><br class=""></div><div>Harlan,</div><div><br class=""></div><div>That is good advice.  
</div><div><br class=""></div><div>Company($dayjob) no longer exists, but I will remember your advice next time I configure 4 or more Mac minis as an NTP peer group in my home office lab — I let the last configuration lapse as keeping up with Apple hardware and macOS changes was challenge enough and I no longer supported Network Time Services for any $dayjob or client.</div><div><br class=""></div><div>The only other note is that, for Company($dayjob), I obtained explicit permission from each of a set of globally distributed time services (not shown above). I recommend that any new NTP peer group be configured with as diverse a set of servers as possible, not limited to just pool and not limited to a single connection type. </div><div><br class=""></div><div>Thank you.</div><div><br class=""></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Jim</div><div>-</div><div><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><span class="Apple-style-span" style="border-collapse: separate; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; line-height: normal; border-spacing: 0px; -webkit-text-decorations-in-effect: none;"><span class="Apple-style-span" style="border-collapse: separate; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; line-height: normal; border-spacing: 0px; -webkit-text-decorations-in-effect: none;"><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; font-size: 12px; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; line-height: normal; -webkit-text-decorations-in-effect: none;"><span 
class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; line-height: normal; -webkit-text-decorations-in-effect: none;"><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; line-height: normal; -webkit-text-decorations-in-effect: none;"><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">James R. Cutler</div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><a href="mailto:James.cutler@consultant.com" class="">James.cutler@consultant.com</a></div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">GPG keys: <a href="hkps://hkps.pool.sks-keyservers.net" class="">hkps://hkps.pool.sks-keyservers.net</a></div></div></span></span></span></span></span></div></div></div></div></div></body></html>