> On May 2, 2019, at 2:44 PM, Harlan Stenn <st...@nwtime.org> wrote:
>
> On 5/2/2019 9:13 AM, James R Cutler wrote:
>>> On May 2, 2019, at 10:59 AM, William Herrin <b...@herrin.us> wrote:
>>>
>>> On Wed, May 1, 2019 at 7:03 PM Harlan Stenn <st...@nwtime.org> wrote:
>>>
>>>     It's not clear to me that there's anything *wrong* with using the
>>>     pool, especially if you're using our 'pool' directive in your
>>>     config file.
>>>
>>> The one time I relied on the pool I lost sync a year later when all
>>> three servers the configuration picked withdrew time services and the
>>> still-running ntp client didn't return to the names to find new ones.
>>> Wonderful if that's fixed now but the pool folks argued just as
>>> strongly for using it back then.
>>>
>>> Also, telling the security auditor that you have no idea who supplies
>>> your time source is pretty much a non-starter. You can convince them
>>> of a lot of things but you can't convince them it's OK to have no idea
>>> where critical services come from.
>>>
>>> That's what's wrong with the pool.
>>>
>>> Regards,
>>> Bill Herrin
>>>
>>> --
>>> William Herrin ................ her...@dirtside.com b...@herrin.us
>>> Dirtside Systems ......... Web: <http://www.dirtside.com/>
>>
>> I have only ever used the pool as a supplement to other servers. Here is
>> a snippet from ntp.conf that was found in the bottom of a locked filing
>> cabinet stuck in a disused lavatory with a sign on the door saying
>> 'Beware of the Leopard.' *
>>
>> #External Time Synchronization Source Servers
>> #
>> server tick.usno.navy.mil # open access
>> server time.apple.com # open access
>> server Time1.Stupi.SE # open access
>> server ntps1-0.uni-erlangen.de # open access
>> server 0.pool.ntp.org # open access
>> server 1.pool.ntp.org # open access
>> server 2.pool.ntp.org # open access
>
> I recommend you replace the above 3 lines with:
>
>  pool CC.pool.ntp.org
>
> where CC is an appropriate country code or region.
>
> H
> --
>> server nist1-nj2-ustiming.org # open access
>> server nist1-chi-ustiming.org # open access
>> server nist1-pa-ustiming.org # open access
>> #
>>
>> I have not kept up with pool changes since then.
>>
>> *Apologies to Douglas Adams
>
> --
> Harlan Stenn, Network Time Foundation
> http://nwtime.org - be a Member!

Harlan,

That is good advice. Company($dayjob) no longer exists, but I will remember your advice next time I configure 4 or more Mac minis as an NTP peer group in my home office lab — I let the last configuration lapse as keeping up with Apple hardware and macOS changes was challenge enough and I no longer supported Network Time Services for any $dayjob or client.

The only other note is that, for Company($dayjob), I obtained explicit permission from each of a set of globally distributed time services (not shown above).

I recommend that any new NTP peer group be configured with as diverse a set of servers as possible, not limited to just pool and not limited to a single connection type.

Thank you.

Jim
-
James R. Cutler
james.cut...@consultant.com
GPG keys: hkps://hkps.pool.sks-keyservers.net
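
Added example, not part of the thread and not any participant's or project's own code: a small Python check that applies the two recommendations above to an ntp.conf, flagging static `server N.pool.ntp.org` lines that should be a `pool` directive and reporting how many distinct operators supply time. The sample config is constructed, and the four-operator threshold and the grouping of hosts by their last two DNS labels are assumptions.

```python
import re

# Constructed sample, modelled on the ntp.conf snippet quoted in the thread.
SAMPLE_CONF = """\
# External Time Synchronization Source Servers
server tick.usno.navy.mil      # open access
server time.apple.com          # open access
server 0.pool.ntp.org          # open access
server 1.pool.ntp.org          # open access
pool us.pool.ntp.org
"""

# Matches pool.ntp.org and any name under it (0.pool.ntp.org, us.pool.ntp.org).
POOL_NAME = re.compile(r"(^|\.)pool\.ntp\.org\.?$")

def parse_sources(conf_text):
    """Return (directive, host) pairs for server/pool/peer lines, ignoring comments."""
    sources = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() in ("server", "pool", "peer"):
            sources.append((fields[0].lower(), fields[1].lower()))
    return sources

def operator_of(host):
    """Rough operator key: last two DNS labels (assumption, no public-suffix list)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def audit(conf_text, min_operators=4):
    """Return findings on pool usage and source diversity (threshold is an assumption)."""
    findings = []
    sources = parse_sources(conf_text)
    for directive, host in sources:
        # A pool name on a 'server' line pins whatever address it resolved to.
        if directive == "server" and POOL_NAME.search(host):
            findings.append(f"static-pool-server: {host} (use the 'pool' directive)")
    operators = {operator_of(host) for _, host in sources}
    if operators and operators <= {"ntp.org"}:
        findings.append("pool-only: every source comes from the pool")
    if len(operators) < min_operators:
        findings.append(f"low-diversity: {len(operators)} operator(s), want >= {min_operators}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```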