nanog mailing list archives
Re: NTP question
From: James R Cutler <james.cutler () consultant com>
Date: Thu, 2 May 2019 15:07:41 -0400
On May 2, 2019, at 2:44 PM, Harlan Stenn <stenn () nwtime org> wrote:

> On 5/2/2019 9:13 AM, James R Cutler wrote:
>> On May 2, 2019, at 10:59 AM, William Herrin <bill () herrin us> wrote:
>>> On Wed, May 1, 2019 at 7:03 PM Harlan Stenn <stenn () nwtime org> wrote:
>>>> It's not clear to me that there's anything *wrong* with using the pool, especially if you're using our 'pool' directive in your config file.
>>>
>>> The one time I relied on the pool I lost sync a year later when all three servers the configuration picked withdrew time services and the still-running ntp client didn't return to the names to find new ones. Wonderful if that's fixed now but the pool folks argued just as strongly for using it back then.
>>>
>>> Also, telling the security auditor that you have no idea who supplies your time source is pretty much a non-starter. You can convince them of a lot of things but you can't convince them it's OK to have no idea where critical services come from.
>>>
>>> That's what's wrong with the pool.
>>>
>>> Regards,
>>> Bill Herrin
>>>
>>> --
>>> William Herrin ................ herrin () dirtside com  bill () herrin us
>>> Dirtside Systems ......... Web: <http://www.dirtside.com/>
>>
>> I have only ever used the pool as a supplement to other servers.
>>
>> Here is a snippet from ntp.conf that was found in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.'*
>>
>> #External Time Synchronization Source Servers
>> #
>> server tick.usno.navy.mil # open access
>> server time.apple.com # open access
>> server Time1.Stupi.SE # open access
>> server ntps1-0.uni-erlangen.de # open access
>> server 0.pool.ntp.org # open access
>> server 1.pool.ntp.org # open access
>> server 2.pool.ntp.org # open access
>
> I recommend you replace the above 3 lines with:
>
> pool CC.pool.ntp.org
>
> where CC is an appropriate country code or region.
>
> H
> --
>> server nist1-nj2-ustiming.org # open access
>> server nist1-chi-ustiming.org # open access
>> server nist1-pa-ustiming.org # open access
>> #
>>
>> I have not kept up with pool changes since then.
>>
>> *Apologies to Douglas Adams
>
> --
> Harlan Stenn, Network Time Foundation
> http://nwtime.org - be a Member!

Harlan,

That is good advice. Company($dayjob) no longer exists, but I will remember your advice next time I configure 4 or more Mac minis as an NTP peer group in my home office lab — I let the last configuration lapse as keeping up with Apple hardware and macOS changes was challenge enough and I no longer supported Network Time Services for any $dayjob or client.

The only other note is that, for Company($dayjob), I obtained explicit permission from each of a set of globally distributed time services (not shown above). I recommend that any new NTP peer group be configured with as diverse a set of servers as possible, not limited to just pool and not limited to a single connection type.

Thank you.

Jim
-
James R. Cutler
James.cutler () consultant com
GPG keys: hkps://hkps.pool.sks-keyservers.net
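
Added example, not part of the thread and not any poster's code: a small ntp.conf checker for the two recommendations made above, putting pool names on a 'pool' directive instead of 'server' lines, and not relying on the pool (or on one operator) alone. The sample config is constructed from the quoted snippet; the function names and the last-two-labels operator heuristic are assumptions of this example.

```python
import re

# Constructed sample modelled on the server lines quoted in the thread.
SAMPLE_CONF = """\
# External Time Synchronization Source Servers
server tick.usno.navy.mil   # open access
server time.apple.com       # open access
server 0.pool.ntp.org       # open access
server 1.pool.ntp.org       # open access
server 2.pool.ntp.org       # open access
"""

# Matches pool.ntp.org and any name under it (0.pool.ntp.org, CC.pool.ntp.org).
POOL_RE = re.compile(r"(^|\.)pool\.ntp\.org\.?$", re.IGNORECASE)

def parse_sources(conf_text):
    """Return (lineno, directive, host) for each server/pool/peer line."""
    sources = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0].lower() in ("server", "pool", "peer"):
            sources.append((lineno, fields[0].lower(), fields[1].lower()))
    return sources

def operator_of(host):
    """Rough operator key: last two DNS labels (heuristic, ignores public suffixes)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def audit(conf_text):
    """Return a list of (lineno, message) findings; lineno 0 means file-level."""
    sources = parse_sources(conf_text)
    findings = []
    for lineno, directive, host in sources:
        if directive == "server" and POOL_RE.search(host):
            findings.append((lineno, f"pool name {host} on a 'server' line; "
                                     "the thread's advice is the 'pool' directive"))
    # Operators you can name to an auditor: everything that is not a pool name.
    named = {operator_of(h) for _, _, h in sources if not POOL_RE.search(h)}
    if sources and not named:
        findings.append((0, "only pool sources configured; no identifiable operator"))
    elif len(named) == 1:
        findings.append((0, f"all named sources belong to {next(iter(named))}"))
    return findings

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```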