Stuart Henderson <s...@spacehopper.org> wrote:
> On 2020-05-07, Marko Cupać <marko.cu...@mimar.rs> wrote:
> > Hi,
> >
> > why not change default constraint server in ntpd.conf from current
> > https://google.com to something more neutral / reputable?
> >
> > If https://www.openbsd.org does not want to be involved, perhaps
> > https://www.ntp.org would be fine.
>
> Neither of those are good options. One or a few servers, IPv4 only,
> only in North America, not peered with many ISPs, compared to a
> large geolocated server front-end, v4+v6, within a few network
> hops of much of the world, with people paid to keep it working,
> and ISPs will quickly notice if their connectivity is down.
>
> The other default constraints server listed (quad9, hosted on
> the very widely peered pch.net) is good for that too.
>
> What ntpd needs for a "constraints" server is a site that
> will a) stay online as much as possible and b) is likely
> enough to hand out something approximating the correct time,
> that's all.
>
> I'm not a big fan of using google.com for this on my own systems so
> I often just don't use it, but I can't argue that it's a bad choice
> overall, and I don't have an idea for another site that is both
> equally good and "more neutral".

What it needs is someone who cannot afford to ever publish a certificate
for HEAD which is untrue. No one satisfies that condition as well as
Google.