> On May 2, 2019, at 2:44 PM, Harlan Stenn <st...@nwtime.org> wrote:
> 
> 
> 
> On 5/2/2019 9:13 AM, James R Cutler wrote:
>>> On May 2, 2019, at 10:59 AM, William Herrin <b...@herrin.us> wrote:
>>> 
>>> On Wed, May 1, 2019 at 7:03 PM Harlan Stenn <st...@nwtime.org> wrote:
>>> 
>>>    It's not clear to me that there's anything *wrong* with using the pool,
>>>    especially if you're using our 'pool' directive in your config file.
>>> 
>>> 
>>> The one time I relied on the pool I lost sync a year later when all
>>> three servers the configuration picked withdrew time services and the
>>> still-running ntp client didn't return to the names to find new ones.
>>> Wonderful if that's fixed now but the pool folks argued just as
>>> strongly for using it back then.
>>> 
>>> Also, telling the security auditor that you have no idea who supplies
>>> your time source is pretty much a non-starter. You can convince them
>>> of a lot of things but you can't convince them it's OK to have no idea
>>> where critical services come from.
>>> 
>>> That's what's wrong with the pool.
>>> 
>>> Regards,
>>> Bill Herrin
>>> 
>>> 
>>> -- 
>>> William Herrin ................ her...@dirtside.com  b...@herrin.us
>>> Dirtside Systems ......... Web: <http://www.dirtside.com/>
>> 
>> I have only ever used the pool as a supplement to other servers. Here is
>> a snippet from ntp.conf that was found in the bottom of a locked filing
>> cabinet stuck in a disused lavatory with a sign on the door saying
>> 'Beware of the Leopard.' *
>> 
>>    #External Time Synchronization Source Servers
>>    #
>>    server tick.usno.navy.mil # open access
>>    server time.apple.com # open access
>>    server Time1.Stupi.SE # open access
>>    server ntps1-0.uni-erlangen.de # open access
>>    server 0.pool.ntp.org # open access
>>    server 1.pool.ntp.org # open access
>>    server 2.pool.ntp.org # open access
> 
> I recommend you replace the above 3 lines with:
> 
> pool CC.pool.ntp.org
> 
> where CC is an appropriate country code or region.
> 
> H
> --
>>    server nist1-nj2-ustiming.org # open access
>>    server nist1-chi-ustiming.org # open access
>>    server nist1-pa-ustiming.org # open access
>>    #
>> 
>> 
>> I have not kept up with pool changes since then.
>> 
>> *Apologies to Douglas Adams
> 
> -- 
> Harlan Stenn, Network Time Foundation
> http://nwtime.org - be a Member!

Harlan,

That is good advice.  

Company($dayjob) no longer exists, but I will remember your advice next time I 
configure 4 or more Mac minis as an NTP peer group in my home office lab — I 
let the last configuration lapse as keeping up with Apple hardware and macOS 
changes was challenge enough and I no longer supported Network Time Services 
for any $dayjob or client.

The only other note is that, for Company($dayjob), I obtained explicit 
permission from each of a set of globally distributed time services (not shown 
above). I recommend that any new NTP peer group be configured with as diverse a 
set of servers as possible, not limited to just pool and not limited to a 
single connection type. 

Thank you.

        Jim
-
James R. Cutler
james.cut...@consultant.com
GPG keys: hkps://hkps.pool.sks-keyservers.net
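
Added example, not part of the original thread or any poster's code: a small ntp.conf audit that flags static `server` lines pointing at pool.ntp.org names (the case the thread recommends replacing with a `pool` directive) and reports how many distinct operators supply time. The sample config, the `min_operators` threshold and the last-two-labels operator heuristic are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the snippet quoted in the thread.
SAMPLE = """\
# External Time Synchronization Source Servers
server tick.usno.navy.mil   # open access
server time.apple.com       # open access
server 0.pool.ntp.org       # open access
server 1.pool.ntp.org       # open access
server 2.pool.ntp.org       # open access
"""

# Matches pool.ntp.org itself and any zone under it (0.pool, us.pool, ...).
POOL_NAME = re.compile(r"(^|\.)pool\.ntp\.org\.?$", re.IGNORECASE)


def parse_sources(text):
    """Return (line number, directive, host) for each server/pool/peer line."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0].lower() in ("server", "pool", "peer"):
            out.append((n, fields[0].lower(), fields[1]))
    return out


def operator_of(host):
    """Crude operator key: last two DNS labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit(text, min_operators=4):
    """Return (line number, message) findings; line 0 means a file-level finding."""
    sources = parse_sources(text)
    findings = []
    for n, directive, host in sources:
        if directive == "server" and POOL_NAME.search(host):
            findings.append((n, f"static 'server {host}'; the thread recommends 'pool'"))
    operators = {operator_of(host) for _, _, host in sources}
    if len(operators) < min_operators:  # hypothetical diversity threshold
        findings.append((0, f"only {len(operators)} operators: {sorted(operators)}"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print(f"line {lineno}: {message}")
```

The operator list it prints is also a direct answer to an auditor asking where time comes from.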
