NTS Enabled Across Our Entire Pool Secured

By Richard DEMONGEOT | January 16, 2026 | Reading time: 8 min
[Image: NTS shield protecting synchronized NTP servers (Network Time Security)]

A Now Secured NTP Infrastructure

Following over 20 years of contribution to the NTP pool,
NTS (Network Time Security) is now active across our entire pool.

Time synchronization is a critical component of any IT infrastructure. Until now, the NTP protocol transmitted time in plaintext and without authentication, exposing systems to potential attacks. With the activation of NTS on our infrastructure, your systems can now cryptographically verify that the time received actually comes from our servers.

Why Enable NTS Now?

NTS (Network Time Security), standardized by RFC 8915 in September 2020, represents a major evolution of the NTP protocol. Here is why now is the time to adopt this technology.

A Still Rare Infrastructure

There are only about 60 to 70 public NTS servers worldwide, including 45-50 in Europe. For comparison, the European NTP pool has 3,735 servers — NTS infrastructure is therefore 100 times rarer.

In France, NTS coverage is particularly low. By enabling NTS on our pool, RDEM Systems helps fill this gap and offers a reliable local alternative.

With our 11 NTS servers, we become a significant contributor among NTS time providers.

Adoption Is Accelerating

Ubuntu 25.10+

Chrony with NTS enabled by default — a major inflection point for adoption.

PTB Germany (2026)

The German metrology institute is dropping its paid authenticated NTP service in favor of free NTS.

Let's Encrypt (2024)

Deployment of ntpd-rs (Rust) funded by ISRG/Prossimo for their critical infrastructure.

ICANN (2025-2027)

Funding the development of an NTS pool by the Trifecta Tech Foundation.

Technical and Operational Benefits

Benefit | Impact
DNSSEC Validation | DNSSEC depends on accurate time to validate signatures. Manipulated time can compromise the entire DNS chain.
TLS/SSL Certificates | Incorrect time can cause acceptance of expired or not-yet-valid certificates, opening the door to attacks.
2FA Authentication (TOTP) | One-time tokens (Google Authenticator, etc.) depend on time synchronized to +/- 30 seconds.
Financial Transactions | Trading systems, payments, and auditing require reliable and tamper-proof timestamping.
Logs and Compliance | Compromised time invalidates audit logs, which is problematic for GDPR, PCI-DSS, SOC2.

Security Risks Without NTS

The NTP protocol, designed in the 1980s, includes no native security mechanism. NTP packets travel over UDP without encryption or authentication, exposing systems to several well-documented attack types:

Standard NTP (Unsecured)

  • Plaintext packets on the network
  • No server authentication
  • Vulnerable to MITM attacks
  • Server impersonation possible
  • Time manipulation in transit

NTP with NTS (Secured)

  • Key exchange via TLS 1.3
  • Cryptographic authentication
  • Protection against MITM
  • Server identity verification
  • Guaranteed data integrity

How Does NTS Work?

NTS (Network Time Security) is defined by RFC 8915. The protocol operates in two phases:

  1. Establishment Phase (NTS-KE): The client opens a TLS 1.3 connection to the server on TCP port 4460. Over this connection the two sides negotiate the AEAD algorithm, the server issues a set of cookies (opaque to the client), and both sides derive from the TLS session the keys that will authenticate the subsequent NTP exchanges.
  2. Synchronization Phase: Standard NTP requests (UDP port 123) now carry NTS extension fields: a unique identifier, one of the cookies, and an authenticator computed with the negotiated key. Each response is authenticated the same way, and the server returns fresh cookies so the client never runs out.
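As an added illustration of the establishment phase (example code written for this page, not part of the original post or of chrony), the following builds the NTS-KE request a client sends inside the TLS session and parses a constructed server reply. The record layout and type numbers are those of RFC 8915; Type 15 is AEAD_AES_SIV_CMAC_256, the algorithm chronyc reports as Type 15 / KLen 256 further down the page.

```python
import struct
# NTS-KE record types from RFC 8915 section 4.1
END_OF_MESSAGE, NEXT_PROTO, ERROR, WARNING, AEAD_ALGO, NEW_COOKIE, SERVER, PORT = range(8)
NTPV4 = 0                   # protocol ID for NTPv4 in the Next Protocol record
AEAD_AES_SIV_CMAC_256 = 15  # the "Type 15 / KLen 256" seen in chronyc authdata
CRITICAL = 0x8000           # high bit of the first 16-bit word of a record

def encode_record(rtype: int, body: bytes, critical: bool = False) -> bytes:
    """One NTS-KE record: critical bit + 15-bit type, 16-bit body length, body."""
    return struct.pack("!HH", (CRITICAL if critical else 0) | rtype, len(body)) + body

def build_client_request() -> bytes:
    """Client message inside the TLS 1.3 session on port 4460: offer NTPv4 and AES-SIV-CMAC-256."""
    return (encode_record(NEXT_PROTO, struct.pack("!H", NTPV4), critical=True)
            + encode_record(AEAD_ALGO, struct.pack("!H", AEAD_AES_SIV_CMAC_256))
            + encode_record(END_OF_MESSAGE, b"", critical=True))

def parse_response(data: bytes) -> dict:
    """Walk the server's records; Error or unknown critical records abort (RFC 8915 rules)."""
    out = {"proto": None, "aead": None, "cookies": [], "server": None}
    off = 0
    while off + 4 <= len(data):
        hdr, blen = struct.unpack_from("!HH", data, off)
        critical, rtype = bool(hdr & CRITICAL), hdr & 0x7FFF
        body = data[off + 4:off + 4 + blen]
        if len(body) != blen:
            raise ValueError("truncated record")
        off += 4 + blen
        if rtype == END_OF_MESSAGE:
            return out
        if rtype == ERROR:
            raise ValueError("server error code %d" % struct.unpack("!H", body)[0])
        if rtype == NEXT_PROTO:
            out["proto"] = struct.unpack("!H", body)[0]
        elif rtype == AEAD_ALGO:
            out["aead"] = struct.unpack("!H", body)[0]
        elif rtype == NEW_COOKIE:
            out["cookies"].append(body)  # opaque to the client; one is spent per NTP request
        elif rtype == SERVER:
            out["server"] = body.decode("ascii")  # NTP host to use instead of the KE host
        elif critical:
            raise ValueError("unknown critical record type %d" % rtype)
    raise ValueError("response ended without End of Message")

# Constructed server reply: NTPv4, AES-SIV-CMAC-256, 8 cookies of 100 bytes (the Cook 8 /
# CLen 100 that chronyc authdata shows later on this page) and a hint to use ntp-1 for NTP.
SAMPLE_RESPONSE = (encode_record(NEXT_PROTO, struct.pack("!H", NTPV4), critical=True)
                   + encode_record(AEAD_ALGO, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
                   + b"".join(encode_record(NEW_COOKIE, bytes([i]) * 100) for i in range(8))
                   + encode_record(SERVER, b"ntp-1.rdem-systems.com")
                   + encode_record(END_OF_MESSAGE, b"", critical=True))
```

The actual TLS connection, the key export and the AEAD computation over the NTP packets are handled by the NTS client (chrony) and are not shown here.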

Our Available NTS Servers

Our entire NTP pool now supports NTS. You can use any of these servers for secure synchronization. All TLDs are valid: .com, .fr, .eu, .net, .org, .be, .biz, .info.

Individual Servers (Stratum 2)

ntp-1.rdem-systems.com
ntp-2.rdem-systems.com
ntp-3.rdem-systems.com
ntp-4.rdem-systems.com
ntp-5.rdem-systems.com
ntp-6.rdem-systems.com
ntp-7.rdem-systems.com
ntp-8.rdem-systems.com
ntp-9.rdem-systems.com
ntp-10.rdem-systems.com
ntp-11.rdem-systems.com

Pool Entries (Load-Balanced)

ntp-pool.rdem-systems.com
pa3.ntp-pool.rdem-systems.com
pa4.ntp-pool.rdem-systems.com
pa5.ntp-pool.rdem-systems.com

Configure Your NTS Client

Chrony is the recommended NTP client for using NTS. It is available on most modern Linux distributions and natively supports NTS since version 4.0.

Chrony Configuration with NTS

Edit your /etc/chrony/chrony.conf (or /etc/chrony.conf) file:

# /etc/chrony/chrony.conf - NTS RDEM Systems Configuration

# NTS RDEM Systems servers (secured)
# You can mix TLDs: .com, .fr, .eu, .net, .org, .be, .biz, .info
server ntp-pool.rdem-systems.com iburst nts
server ntp-1.rdem-systems.fr iburst nts
server ntp-2.rdem-systems.eu iburst nts
server ntp-3.rdem-systems.net iburst nts

# Drift file
driftfile /var/lib/chrony/drift

# Allow significant updates at startup
makestep 1.0 3

# Enable real-time clock sync
rtcsync

# Logging
logdir /var/log/chrony

Installation and Restart

# Install Chrony (Debian/Ubuntu)
sudo apt update && sudo apt install chrony

# Or on RHEL/CentOS/Fedora
sudo dnf install chrony

# Restart the service
sudo systemctl restart chronyd

# Check the status
sudo systemctl status chronyd

Verify That NTS Is Working

After configuring Chrony with NTS, verify that authentication is working correctly:

chronyc sources Command

sudo chronyc -N sources

The -N option prints the source names as written in chrony.conf rather than resolved addresses. Your sources should be reachable (Reach 377) and selected or combined (^* or ^+); NTS itself is confirmed with the authdata command in the next section:

MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp-pool.rdem-systems.c>     2   6   377    23   -145us[ -201us] +/-   12ms
^+ ntp-1.rdem-systems.com       2   6   377    24   +234us[ +178us] +/-   15ms
^+ ntp-2.rdem-systems.com       2   6   377    25   -89us[ -145us] +/-   14ms

Check NTS Status

sudo chronyc -N authdata

This command displays the NTS authentication details for each source:

Name/IP address         Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp-pool.rdem-systems.c> NTS     1   15  256  23m    0    0    8  100
ntp-1.rdem-systems.com   NTS     1   15  256  24m    0    0    8  100
ntp-2.rdem-systems.com   NTS     1   15  256  25m    0    0    8  100

Indicators of Proper Operation

  • Mode = NTS: NTS authentication is active
  • NAK = 0: No authentication rejections
  • Cook > 0: Cookies are available for future requests
  • KeyID and KLen: Session key successfully established
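To turn these indicators into a repeatable check, here is an added example (not from the original post or from chrony) that parses chronyc -N authdata output and reports every source that is not properly authenticated. The sample output is constructed to match the column layout shown above; check_live() runs the real command when chrony is installed.

```python
import subprocess
# Constructed sample of `chronyc -N authdata` output, laid out like the output above: one healthy
# NTS source, one whose NTS exchange is failing, and one plain (unauthenticated) NTP source.
SAMPLE_AUTHDATA = """\
Name/IP address         Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp-pool.rdem-systems.c> NTS     1   15  256  23m    0    0    8  100
ntp-9.rdem-systems.com   NTS     2   15  256   2m    3    3    0    0
ntp-1.rdem-systems.com   -       0    0    0    -    0    0    0    0
"""

def parse_authdata(text: str) -> list:
    """One dict per source row; the header (11 fields) and separator (1 field) are skipped."""
    sources = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 10:
            continue
        name, mode, keyid, atype, klen, last, atmp, nak, cook, clen = f
        sources.append({"name": name, "mode": mode, "keyid": int(keyid), "type": int(atype),
                        "klen": int(klen), "last": last, "nak": int(nak), "cook": int(cook),
                        "clen": int(clen)})
    return sources

def check_nts(sources: list) -> dict:
    """Apply the indicators above to each source; return {source: [problems]} (empty = all good)."""
    problems = {}
    for s in sources:
        issues = []
        if s["mode"] != "NTS":
            issues.append("not authenticated: Mode is %s, not NTS" % s["mode"])
        else:
            if s["nak"] > 0:
                issues.append("%d NTS-NAKs: server could not authenticate our requests" % s["nak"])
            if s["cook"] == 0:
                issues.append("no cookies left: the next request cannot be authenticated")
            if s["klen"] == 0:
                issues.append("no session key established")
        if issues:
            problems[s["name"]] = issues
    return problems

def check_live() -> dict:
    """Same check against the running chronyd (needs chrony installed; may require sudo)."""
    out = subprocess.run(["chronyc", "-N", "authdata"], capture_output=True, text=True, check=True)
    return check_nts(parse_authdata(out.stdout))

if __name__ == "__main__":
    for name, issues in check_nts(parse_authdata(SAMPLE_AUTHDATA)).items():
        print(name + ": " + "; ".join(issues))
```

Run under a monitoring agent, a non-empty result from check_live() is the signal that a source has silently fallen back to an unauthenticated or unusable state.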

Frequently Asked Questions

Does NTS work with ntpd?

No, the standard ntpd daemon does not support NTS. You must use Chrony (recommended), NTPsec, or ntpd-rs (Rust) to benefit from NTS. Windows W32Time does not support NTS either.

What is the performance impact?

The impact is negligible. The TLS negotiation only occurs at startup and during cookie renewal (approximately every hour). Regular NTP exchanges add only ~100 bytes for authentication.

Can I mix NTS and standard NTP?

Yes, Chrony can simultaneously use NTS sources and standard NTP sources. However, for optimal security, prefer NTS sources.

What happens if NTS fails?

By default, if NTS cannot be established, Chrony will not use the affected source. This is secure behavior: it is better not to synchronize than to synchronize without authentication.

How many NTS servers exist worldwide?

Only 60 to 70 public NTS servers exist globally, including about 45-50 in Europe. The institutional leaders are Netnod (Sweden, 12+ servers), PTB (Germany, 4 servers), and SIDN Labs (Netherlands). France is underrepresented, which motivates our commitment.

Why is there no NTS pool like pool.ntp.org?

The traditional pooling mechanism is incompatible with NTS because each server requires its own TLS certificate. A project funded by ICANN (2025-2027) is working on a solution, but for now, NTS servers must be configured individually.

Which operating systems support NTS by default?

Ubuntu 25.10+ will enable Chrony with NTS by default — a major turning point. RHEL/Fedora and SUSE document NTS configuration. Most modern Linux distributions allow easy NTS activation with Chrony.

Can NTP/NTS management be outsourced?

Yes. RDEM Systems provides 24/7 managed services and on-call support for servers — including NTP/NTS time synchronization, drift monitoring, and Chrony configuration maintenance. Ideal for IT departments that need reliable timestamping without dedicating an internal team.

How to ensure NTP compliance for MiFID II or PCI-DSS?

MiFID II requires UTC synchronization ≤ 100 μs for trading systems, and PCI-DSS requires NTP for log correlation. RDEM Systems offers a 1-day NTP/NTS audit: technical interview with your sysadmins, architecture analysis (sources, strata, redundancy, SPOF), and delivery of a compliance report with a remediation plan.

Check the NTS compatibility of your server with the tester ntp-tester.eu/nts

Going further

Free NTP Tools

Three independent tools to diagnose your time synchronization: