Re: NTP question

[James R Cutler <james.cutler () consultant com>]

> On May 2, 2019, at 2:44 PM, Harlan Stenn <stenn () nwtime org> wrote:
>
>
>
> On 5/2/2019 9:13 AM, James R Cutler wrote:
> > > On May 2, 2019, at 10:59 AM, William Herrin <bill () herrin us
> > > <mailto:bill () herrin us>> wrote:
> > >
> > > On Wed, May 1, 2019 at 7:03 PM Harlan Stenn <stenn () nwtime org
> > > <mailto:stenn () nwtime org>> wrote:
> > >
> > >    It's not clear to me that there's anything *wrong* with using the
> > >    pool,
> > >    especially if you're using our 'pool' directive in your config file.
> > >
> > >
> > > The one time I relied on the pool I lost sync a year later when all
> > > three servers the configuration picked withdrew time services and the
> > > still-running ntp client didn't return to the names to find new ones.
> > > Wonderful if that's fixed now but the pool folks argued just as
> > > strongly for using it back then.
> > >
> > > Also, telling the security auditor that you have no idea who supplies
> > > your time source is pretty much a non-starter. You can convince them
> > > of a lot of things but you can't convince them it's OK to have no idea
> > > where critical services come from.
> > >
> > > That's what's wrong with the pool.
> > >
> > > Regards,
> > > Bill Herrin
> > >
> > >
> > > -- 
> > > William Herrin ................ herrin () dirtside com
> > > <mailto:herrin () dirtside com>  bill () herrin us <mailto:bill () herrin us>
> > > Dirtside Systems ......... Web: <http://www.dirtside.com/>
> >
> > I have only ever used the pool as a supplement to other servers. Here is
> > a snippet from ntp.conf that was found in the bottom of a locked filing
> > cabinet stuck in a disused lavatory with a sign on the door saying
> > 'Beware of the Leopard.’ *
> >
> >    #External Time Synchronization Source Servers
> >    #
> >    servertick.usno.navy.mil# open access
> >    servertime.apple.com <http://time.apple.com># open access
> >    serverTime1.Stupi.SE# open access
> >    serverntps1-0.uni-erlangen.de <http://ntps1-0.uni-erlangen.de># open
> >    access
> >    server0.pool.ntp.org <http://0.pool.ntp.org># open access
> >    server1.pool.ntp.org <http://1.pool.ntp.org># open access
> >    server2.pool.ntp.org <http://2.pool.ntp.org># open access
>
> I recommend you replace the above 3 lines with:
>
> pool CC.pool.ntp.org
>
> where CC is an appropriate country code or region.
>
> H
> --
> >    servernist1-nj2-ustiming.org <http://nist1-nj2-ustiming.org># open
> >    access
> >    servernist1-chi-ustiming.org <http://nist1-chi-ustiming.org># open
> >    access
> >    servernist1-pa-ustiming.org <http://nist1-pa-ustiming.org># open access
> >    #
> >
> >
> > I have not kept up with pool changes since then.
> >
> > *Apologies to Douglas Adams
>
> -- 
> Harlan Stenn, Network Time Foundation
> http://nwtime.org - be a Member!

Harlan,

That is good advice.  

Company($dayjob) no longer exists, but I will remember your advice next time I configure 4 or more Mac minis as an NTP 
peer group in my home office lab — I let the last configuration lapse as keeping up with Apple hardware and macOS 
changes was challenge enough and I no longer supported Network Time Services for any $dayjob or client.

The only other note is that, for Company($dayjob), I obtained explicit permission from each of a set of globally 
distributed time services (not shown above). I recommend that any new NTP peer group be configured with as diverse a 
set of servers as possible, not limited to just pool and not limited to a single connection type. 

Thank you.

        Jim
-
James R. Cutler
James.cutler () consultant com
GPG keys: hkps://hkps.pool.sks-keyservers.net