
Is Your NTP Secure?

NTP was designed in the 1980s without any authentication that works for public servers: pre-shared symmetric keys do not scale beyond a handful of peers, and the later Autokey scheme was found to be insecure. NTS fixes that.

The Problem with Classic NTP

Every NTP packet you exchange travels unencrypted and unauthenticated across the network. Your system has no way to verify that the time it receives actually comes from the server it requested.

Classic NTP

  • Packets sent in cleartext
  • No server authentication
  • Vulnerable to MITM attacks
  • Server spoofing possible
  • Time can be altered in transit

NTP with NTS

  • Key exchange via TLS 1.3
  • Cryptographic authentication
  • MITM protection
  • Server identity verified
  • Data integrity guaranteed

Why should you care?

A manipulated clock can have serious consequences:

  • TLS/SSL certificates — a wrong clock can make expired or not-yet-valid certificates appear valid, or reject perfectly valid ones
  • 2FA tokens (TOTP) — Google Authenticator, Authy, etc. derive codes from 30-second time steps; a clock off by more than a step or two makes every code fail
  • DNSSEC validation — signature checks rely on correct timestamps
  • Logs & compliance — corrupted timestamps break audit trails (GDPR, PCI-DSS, SOC2)
  • Financial transactions — trading and payment systems require tamper-proof timestamps

How NTS Works (RFC 8915)

NTS adds cryptographic authentication to NTP in two simple phases:

Phase 1: Key Exchange (NTS-KE)

Your client opens a TLS 1.3 connection to the NTS-KE server on TCP port 4460 (ALPN ntske/1). The server's identity is verified via its TLS certificate, the two sides agree on an AEAD algorithm, and the server hands the client a batch of cookies: opaque blobs only the server can decrypt. Both sides derive the keys that will authenticate NTP packets from the TLS session itself, so those keys never travel over the wire. The server may also tell the client to send its NTP queries to a different server address or port.

Phase 2: Authenticated Sync

Regular NTP queries (port 123/UDP) now carry NTS extension fields: a unique identifier, one cookie, and an authenticator (an AEAD tag over the packet, computed with the keys derived in Phase 1). The server decrypts the cookie to recover those keys, so it keeps no per-client state, and every authenticated response includes a fresh cookie to replace the one just used. No further TLS connection is needed until the client runs out of cookies. NTS detects any spoofed or modified packet; it cannot stop an on-path attacker from delaying or dropping packets, which is one more reason to configure several independent sources.

Minimal performance impact

The TLS handshake occurs at startup and is repeated only when the client needs fresh cookies (for example after authentication failures) or its key refresh interval expires; chrony's default ntsrefresh interval is four weeks, not hours. Regular NTP exchanges grow by roughly 100-200 bytes of extension fields. Your sync accuracy is not affected.
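The Phase 1 exchange above, written out as an added example (not code from RDEM Systems, chrony or any other NTS implementation): the RFC 8915 record layer that both sides speak inside the TLS connection, with the client's request, the server's response (including the optional redirect to another NTP server) and the client-side checks before any cookie is used. The TLS session and the AEAD keys exported from it are not reproduced; the cookies and the hostname ntp.example.net are constructed placeholders.

```python
"""NTS-KE record layer (RFC 8915, section 4) with both sides of the Phase 1
exchange. Added example for this page; it is not code from RDEM Systems,
chrony or any other NTS implementation. The TLS 1.3 session around it and
the AEAD keys both sides export from that session (exporter label
"EXPORTER-network-time-security") are not reproduced; cookie contents are
constructed placeholders, not real server-encrypted cookies."""
import struct

CRITICAL = 0x8000          # bit 15 of the record header
# Record types (RFC 8915 section 4.1)
END_OF_MESSAGE, NEXT_PROTOCOL, ERROR, WARNING = 0, 1, 2, 3
AEAD_ALGORITHM, NEW_COOKIE, SERVER_NEGOTIATION, PORT_NEGOTIATION = 4, 5, 6, 7
# Error codes (section 4.1.3)
ERR_UNRECOGNIZED_CRITICAL, ERR_BAD_REQUEST, ERR_INTERNAL = 0, 1, 2
PROTOCOL_NTPV4 = 0
AEAD_AES_SIV_CMAC_256 = 15  # the algorithm chrony reports as "Type 15"


def encode_record(rtype, body, critical):
    """Header is a 16-bit critical flag + type, then a 16-bit body length."""
    return struct.pack("!HH", (CRITICAL if critical else 0) | rtype, len(body)) + body


def decode_records(data):
    """Return [(type, critical, body), ...] up to End of Message; reject truncation."""
    records, pos = [], 0
    while True:
        if pos + 4 > len(data):
            raise ValueError("truncated NTS-KE message")
        hdr, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        pos += 4 + length
        records.append((hdr & 0x7FFF, bool(hdr & CRITICAL), body))
        if hdr & 0x7FFF == END_OF_MESSAGE:
            return records


def u16_list(body):
    if len(body) % 2:
        raise ValueError("odd-length 16-bit list")
    return struct.unpack("!%dH" % (len(body) // 2), body)


def error_response(code):
    return encode_record(ERROR, struct.pack("!H", code), True) + encode_record(END_OF_MESSAGE, b"", True)


def client_request():
    """Sent by the client right after the TLS handshake (ALPN "ntske/1")."""
    return (encode_record(NEXT_PROTOCOL, struct.pack("!H", PROTOCOL_NTPV4), True)
            + encode_record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), False)
            + encode_record(END_OF_MESSAGE, b"", True))


def server_response(request, cookies, ntp_host=None, ntp_port=None):
    """Server side: confirm protocol and AEAD, optionally redirect to another
    NTP server/port, and issue cookies. Unknown critical records and
    unsupported algorithms are answered with an Error record."""
    protocols = aeads = ()
    try:
        for rtype, critical, body in decode_records(request):
            if rtype == NEXT_PROTOCOL:
                protocols = u16_list(body)
            elif rtype == AEAD_ALGORITHM:
                aeads = u16_list(body)
            elif critical and rtype != END_OF_MESSAGE:
                return error_response(ERR_UNRECOGNIZED_CRITICAL)
    except ValueError:
        return error_response(ERR_BAD_REQUEST)
    if PROTOCOL_NTPV4 not in protocols or AEAD_AES_SIV_CMAC_256 not in aeads:
        return error_response(ERR_BAD_REQUEST)
    out = encode_record(NEXT_PROTOCOL, struct.pack("!H", PROTOCOL_NTPV4), True)
    out += encode_record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), True)
    if ntp_host:
        out += encode_record(SERVER_NEGOTIATION, ntp_host.encode("ascii"), True)
    if ntp_port:
        out += encode_record(PORT_NEGOTIATION, struct.pack("!H", ntp_port), True)
    for cookie in cookies:
        out += encode_record(NEW_COOKIE, cookie, False)
    return out + encode_record(END_OF_MESSAGE, b"", True)


def client_parse(response):
    """Client side: check the negotiation and collect the cookies for Phase 2."""
    got = {"protocol": None, "aead": None, "cookies": [], "server": None, "port": 123}
    for rtype, critical, body in decode_records(response):
        if rtype == ERROR:
            raise RuntimeError("NTS-KE error code %d" % u16_list(body)[0])
        elif rtype == NEXT_PROTOCOL:
            got["protocol"] = u16_list(body)
        elif rtype == AEAD_ALGORITHM:
            got["aead"] = u16_list(body)
        elif rtype == NEW_COOKIE:
            got["cookies"].append(body)
        elif rtype == SERVER_NEGOTIATION:
            got["server"] = body.decode("ascii")
        elif rtype == PORT_NEGOTIATION:
            got["port"] = u16_list(body)[0]
        elif critical and rtype != END_OF_MESSAGE:
            raise RuntimeError("unrecognized critical record %d" % rtype)
    if got["protocol"] != (PROTOCOL_NTPV4,) or got["aead"] != (AEAD_AES_SIV_CMAC_256,):
        raise RuntimeError("server did not confirm NTPv4 with AEAD_AES_SIV_CMAC_256")
    if not got["cookies"]:
        raise RuntimeError("no cookies issued; Phase 2 cannot be authenticated")
    return got


def demo():
    """Full exchange: 8 constructed 100-byte cookies, redirect to a hypothetical NTP host."""
    cookies = [bytes([i]) * 100 for i in range(1, 9)]
    return client_parse(server_response(client_request(), cookies, ntp_host="ntp.example.net"))
```

The eight cookies and the 100-byte length mirror the Cook and CLen columns chrony shows later on this page. The server-side branches matter in practice: a client that ignores an Error record, or accepts a response without cookies, would silently fall back to unauthenticated time.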

Who Needs NTS?

Use Case                          Risk Without NTS                                        Priority
PKI / Certificate Authorities     Forged timestamps can bypass certificate expiry         Critical
Financial / Trading systems       Regulatory non-compliance, invalid audit trails         Critical
DNSSEC infrastructure             Signature validation failure from time manipulation     Critical
Authentication (TOTP/2FA)         Token rejection or replay attacks                       High
Log aggregation / SIEM            Event ordering corruption across systems                High
General infrastructure            Reduced trust in time data                              Recommended

Public NTS Servers Worldwide

NTS is still rare. As of 2026, the global landscape looks like this:

~65 Public NTS servers worldwide
~50 Located in Europe
3,735 Classic NTP servers (EU pool)
~2% NTS adoption rate

Notable NTS Providers

Provider               Hostname                     Location            Stratum
RDEM Systems           ntp-pool.rdem-systems.com    France & Germany    2
Netnod                 nts.netnod.se                Sweden              1
PTB                    ptbtime1.ptb.de              Germany             1
Cloudflare             time.cloudflare.com          Anycast (Global)    3
SIDN Labs              nts.time.nl                  Netherlands         1
NTP Pool (Trifecta)    ntppool-nts.time.nl          Netherlands         2

Community reference list

A comprehensive list of public NTS servers is maintained at github.com/jauderho/nts-servers.

NTS pools are rare

Pooling is harder than with classic NTP: the NTS-KE server must present a certificate valid for the name the client connected to, and every NTP server behind the pool must be able to decrypt the cookies that server issued. RFC 8915 does allow an NTS-KE server to hand the client a different NTP server address, so a pool can be built as a TLS front end over backends that share cookie keys, but most providers still require individual server configuration. RDEM Systems operates one of the few NTS-compatible pools via ntp-pool.rdem-systems.com, load-balancing across its NTS infrastructure. An ICANN-funded project (2025-2027) by the Trifecta Tech Foundation is also working on a broader solution.

Enable NTS in 2 Minutes

Chrony (v4.0+) is the recommended NTS-capable client. It's available on most modern Linux distributions.

1. Install Chrony

# Debian / Ubuntu
sudo apt update && sudo apt install chrony

# RHEL / Fedora / CentOS
sudo dnf install chrony

2. Configure NTS servers

Edit /etc/chrony/chrony.conf (or /etc/chrony.conf):

# /etc/chrony/chrony.conf - NTS configuration

# NTS-secured servers
server ntp-pool.rdem-systems.com iburst nts  # France & Germany - Stratum 2
server nts.netnod.se iburst nts              # Sweden - Stratum 1
server ptbtime1.ptb.de iburst nts            # Germany - Stratum 1
server time.cloudflare.com iburst nts        # Anycast - Stratum 3

# Drift file
driftfile /var/lib/chrony/drift

# Allow large correction at startup
makestep 1.0 3

# Real-time clock sync
rtcsync

3. Restart and verify

# Restart Chrony
sudo systemctl restart chronyd

# Check NTS authentication status
sudo chronyc -N authdata

Expected output

Look for Mode NTS and NAK 0 (no authentication failures). Type 15 is AEAD_AES_SIV_CMAC_256, the algorithm every NTS server must support; Cook is the number of cookies the client has in stock and CLen their length in bytes:

Name/IP address         Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp-pool.rdem-systems.c> NTS     1   15  256  23m    0    0    8  100
nts.netnod.se            NTS     1   15  256  24m    0    0    8  100
ptbtime1.ptb.de          NTS     1   15  256  25m    0    0    8  100

Client compatibility

Chrony 4.0+ (recommended), NTPsec, and ntpd-rs (Rust) support NTS. The classic ntpd and Windows W32Time do not support NTS. Ubuntu 25.10+ ships with Chrony NTS enabled by default.

Verify NTS is Working

Check your sources

# List time sources
sudo chronyc -N sources

# Expected: sources should show synchronized status
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp-pool.rdem-systems.c>     2   6   377    23   -145us[ -201us] +/-   12ms
^+ nts.netnod.se                1   6   377    24   +234us[ +178us] +/-   15ms

Verify authentication details

# Detailed NTS status
sudo chronyc -N authdata

NTS Health Checklist

  • Mode = NTS — authentication is active
  • NAK = 0 — no rejected authentications
  • Cook > 0 — cookies available for future queries (at 0 the client must rerun NTS-KE before it can send an authenticated query)
  • Reach = 377 — server answered the last eight polls (lower values are normal only shortly after startup)
  • ^* or ^+ in sources — source selected or combined; ^? means unreachable or unsynchronised, x means falseticker
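The checklist above turned into a script, as an added example that is not part of chrony or of RDEM Systems' tooling: it parses the two chronyc outputs shown in this section and reports, per source, which checks fail, so it can run from cron or a monitoring agent and exit non-zero. The sample outputs are constructed in chrony's format; the first three sources are the page's healthy example, and time.example.net is a hypothetical source that has lost its cookies.

```python
"""Apply the NTS Health Checklist to `chronyc -N authdata` and
`chronyc -N sources` output. Added example for this page, not part of
chrony or of RDEM Systems' tooling. The two sample outputs below are
constructed in chrony's format: the first three sources match the page's
healthy example, time.example.net is a hypothetical failing source."""
import subprocess

AUTHDATA_SAMPLE = """\
Name/IP address         Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp-pool.rdem-systems.c> NTS     1   15  256  23m    0    0    8  100
nts.netnod.se            NTS     1   15  256  24m    0    0    8  100
ptbtime1.ptb.de          NTS     1   15  256  25m    0    0    8  100
time.example.net         NTS     1   15  256  10m    3    2    0  100
"""

SOURCES_SAMPLE = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp-pool.rdem-systems.c>     2   6   377    23   -145us[ -201us] +/-   12ms
^+ nts.netnod.se                1   6   377    24   +234us[ +178us] +/-   15ms
^+ ptbtime1.ptb.de              1   6   377    25   +102us[  +90us] +/-   14ms
^? time.example.net             0   6     0     -     +0ns[   +0ns] +/-    0ns
"""

STATE_MEANING = {"*": "selected", "+": "combined", "-": "excluded",
                 "?": "unreachable or unsynchronised", "x": "falseticker", "~": "too variable"}


def data_lines(text):
    """Drop the header and the ===== separator chrony prints."""
    return [ln for ln in text.splitlines()[2:] if ln.strip()]


def parse_authdata(text):
    """name -> {mode, nak, cook}; columns are whitespace separated."""
    out = {}
    for ln in data_lines(text):
        f = ln.split()
        out[f[0]] = {"mode": f[1], "nak": int(f[7]), "cook": int(f[8])}
    return out


def parse_sources(text):
    """name -> {state, reach}; Reach is printed in octal (377 = last 8 polls answered)."""
    out = {}
    for ln in data_lines(text):
        f = ln.split()
        out[f[1]] = {"state": f[0][1], "reach": int(f[4], 8)}
    return out


def check_nts(authdata_text, sources_text):
    """Return {source: [problems]}; an empty list means the source passes the checklist."""
    auth, src = parse_authdata(authdata_text), parse_sources(sources_text)
    report = {}
    for name, a in auth.items():
        problems = []
        if a["mode"] != "NTS":
            problems.append("Mode is %s, not NTS: replies are unauthenticated" % a["mode"])
        if a["nak"] > 0:
            problems.append("%d NTS NAKs: server rejected our cookies/keys" % a["nak"])
        if a["cook"] == 0:
            problems.append("no cookies left: next query cannot be authenticated until NTS-KE reruns")
        s = src.get(name)  # names are joined as printed, including chrony's '>' truncation
        if s is None:
            problems.append("not listed in sources output")
        else:
            if s["reach"] != 0o377:
                problems.append("reach %o, not 377 (expected only shortly after startup)" % s["reach"])
            if s["state"] in ("?", "x"):
                problems.append("state '%s' (%s)" % (s["state"], STATE_MEANING[s["state"]]))
        report[name] = problems
    return report


def healthy(report):
    return all(not p for p in report.values())


def chronyc(command):
    """Run the real command (needs chrony installed and, for authdata, root)."""
    return subprocess.run(["chronyc", "-N", command], check=True,
                          capture_output=True, text=True).stdout


def live_report():
    return check_nts(chronyc("authdata"), chronyc("sources"))


if __name__ == "__main__":
    rep = check_nts(AUTHDATA_SAMPLE, SOURCES_SAMPLE)
    for name, problems in rep.items():
        print(name, "OK" if not problems else "; ".join(problems))
    raise SystemExit(0 if healthy(rep) else 1)
```

Run as-is it checks the embedded samples; swap `check_nts(AUTHDATA_SAMPLE, SOURCES_SAMPLE)` for `live_report()` on a real host. A source with Cook 0 and NAKs is the state you see after a server rotated its cookie keys or after its certificate expired: chrony will retry NTS-KE on its own, but alerting on it catches the cases where the retry keeps failing.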

Frequently Asked Questions

What happens if NTS negotiation fails?

By default, Chrony will not use a source marked nts until NTS-KE has succeeded, and it keeps retrying the handshake with increasing back-off. This is the secure behavior: it's better to skip a source than to sync unauthenticated. It also means a server whose certificate has expired quietly disappears from your source set, so keep more than one NTS source and monitor the authdata output.

Can I mix NTS and classic NTP sources?

Yes. Chrony can use both simultaneously. However, for maximum security, prefer NTS sources for all your time servers.

Does NTS affect sync accuracy?

No. NTS adds authentication, not latency to the time measurement itself. The TLS handshake only occurs during key exchange (at startup, when the client needs fresh cookies, or when its refresh interval expires; chrony's default is four weeks), not during regular NTP queries.

Is there a pool for NTS servers?

Traditional pooling is difficult with NTS because the NTS-KE certificate must match the name the client connects to and the NTP servers behind it must share the keys that decrypt the issued cookies. However, some providers like RDEM Systems operate NTS-compatible pools using load-balanced endpoints. For most other providers, you need to configure specific server addresses.

Need Production-Grade NTS?

RDEM Systems operates a pool of NTS Stratum 2 servers distributed across multiple autonomous systems, including its own network (AS206014). Upstream Stratum 1 sources use GNSS/PPS for maximum accuracy.


A service by RDEM Systems · See also: NTP diagnostic tool