[Vosporos]

One (amongst many) NTP server going down creates less issues than an NTP server spreading wrong time.

[macintux]

General rule of thumb: a misbehaving/slow server in any well-architected distributed system is vastly worse than a dead server.

[xeonmc]

i.e. a gaslighting husband is vastly worse than a dead husband.

[PunchyHamster]

technically if you have 3 or more sources that would be caught; NTP protocol was designed for that eventuality

[throw0101c]

> technically if you have 3 or more sources that would be caught; NTP protocol was designed for that eventuality

Either go with one clock in your NTPd/Chrony configuration, or ≥4.

Yes, if you have 3 they can triangulate, but if one goes offline now you have 2 with no tie-breaker. If you have (at least) 4 servers, then one can go away and triangulation / sanity-checking can still occur with the 3 remaining.

[ufocia]

Your probably meant trilaterate.

[da_chicken]

Sure, but not needing a failure to cascade to yet another failsafe is still a good idea. After all, all software has bugs, and all networks have configuration errors.