NTS Enabled Across Our Entire Pool

By Richard DEMONGEOT | January 16, 2026 | Reading time: 8 min

A Now Secured NTP Infrastructure

Following nearly 20 years of contribution to the NTP pool, NTS (Network Time Security) is now active across our entire pool.

Time synchronization is a critical component of any IT infrastructure. Until now, the NTP protocol transmitted time in plaintext and without authentication, exposing systems to potential attacks. With the activation of NTS on our infrastructure, your systems can now cryptographically verify that the time received actually comes from our servers.

End-to-End Security
In addition to NTS, DNSSEC is enabled across all our TLDs that support it (.biz, .com, .eu, .fr, .info, .net, .org). The chain of trust is thus complete: DNS resolution authenticated by DNSSEC, then time synchronization authenticated by NTS.

Why Enable NTS Now?

NTS (Network Time Security), standardized by RFC 8915 in September 2020, represents a major evolution of the NTP protocol. Here is why now is the time to adopt this technology.

A Still Rare Infrastructure

There are only about 60 to 70 public NTS servers worldwide, including 45-50 in Europe. For comparison, the European NTP pool has 3,735 servers — NTS infrastructure is therefore 100 times rarer.

In France, NTS coverage is particularly low. By enabling NTS on our pool, RDEM Systems helps fill this gap and offers a reliable local alternative.

With our 11 NTS servers, we become a significant contributor among NTS time providers.

Adoption Is Accelerating

Ubuntu 25.10+

Chrony with NTS enabled by default — a major inflection point for adoption.

PTB Germany (2026)

The German metrology institute is dropping its paid authenticated NTP service in favor of free NTS.

Let's Encrypt (2024)

Deployment of ntpd-rs (Rust) funded by ISRG/Prossimo for their critical infrastructure.

ICANN (2025-2027)

Funding the development of an NTS pool by the Trifecta Tech Foundation.

No NTS Pool (Yet)
Unlike the standard pool.ntp.org, there is no functional NTS pool yet. The TLS certificates required by NTS make the traditional pooling mechanism impossible. That is why you need to configure specific NTS servers — and that is exactly what we offer.

Technical and Operational Benefits

| Benefit | Impact |
|---|---|
| DNSSEC Validation | DNSSEC depends on accurate time to validate signatures. Manipulated time can compromise the entire DNS chain. |
| TLS/SSL Certificates | Incorrect time can cause acceptance of expired or not-yet-valid certificates, opening the door to attacks. |
| 2FA Authentication (TOTP) | One-time tokens (Google Authenticator, etc.) depend on time synchronized to +/- 30 seconds. |
| Financial Transactions | Trading systems, payments, and auditing require reliable and tamper-proof timestamping. |
| Logs and Compliance | Compromised time invalidates audit logs, which is problematic for GDPR, PCI-DSS, SOC2. |

Security Risks Without NTS

The NTP protocol, designed in the 1980s, includes no native security mechanism. NTP packets travel over UDP without encryption or authentication, exposing systems to several well-documented attack types:

Standard NTP (Unsecured)

  • Plaintext packets on the network
  • No server authentication
  • Vulnerable to MITM attacks
  • Server impersonation possible
  • Time manipulation in transit

NTP with NTS (Secured)

  • Key exchange via TLS 1.3
  • Cryptographic authentication
  • Protection against MITM
  • Server identity verification
  • Guaranteed data integrity
The risks of unsecured time
An attack on time synchronization can have serious consequences:

How Does NTS Work?

NTS (Network Time Security) is defined by RFC 8915. The protocol operates in two phases:

  1. Establishment Phase (NTS-KE): The client establishes a TLS 1.3 connection with the server on port 4460. They exchange encrypted cookies that will be used to authenticate subsequent NTP exchanges.
  2. Synchronization Phase: Standard NTP requests (port 123) now include cryptographic extensions. Each response is authenticated using the cookies negotiated previously.
Performance
The performance impact is minimal. The TLS phase only occurs at startup and during cookie renewal (approximately every hour). The NTP exchanges themselves remain over UDP with only a few additional bytes for authentication.
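
The establishment phase described above, as an added example (not code from RDEM Systems or from chrony): it encodes the record message an NTS-KE client sends once the TLS 1.3 session is up and validates the server's reply following the RFC 8915 record format. The reply is constructed here, with 8 placeholder 100-byte cookies, so the code runs without a network connection; function names are this example's own.

```python
import struct

END, NEXT_PROTO, ERROR, WARNING, AEAD, COOKIE, SERVER, PORT = range(8)  # RFC 8915 record types
CRITICAL = 0x8000
NTPV4 = 0              # Next Protocol ID for NTPv4
AES_SIV_CMAC_256 = 15  # AEAD ID, the "Type 15" column in chronyc authdata
U16_FIELDS = {NEXT_PROTO: "protocol", AEAD: "aead", PORT: "port"}

def record(rtype, body=b"", critical=False):
    """Encode one record: critical bit + 15-bit type, 16-bit length, body."""
    return struct.pack("!HH", rtype | (CRITICAL if critical else 0), len(body)) + body

def client_request():
    """Message the client sends once the TLS 1.3 session (ALPN ntske/1) is up."""
    return (record(NEXT_PROTO, struct.pack("!H", NTPV4), critical=True)
            + record(AEAD, struct.pack("!H", AES_SIV_CMAC_256))
            + record(END, critical=True))

def sample_response(n=8):
    """Constructed server reply: the client's choices echoed back plus n dummy cookies."""
    cookies = b"".join(record(COOKIE, bytes([i]) * 100) for i in range(n))
    return client_request()[:-4] + cookies + record(END, critical=True)  # [:-4] drops End of Message

def parse_response(data):
    """Decode the server's reply; raise ValueError if it cannot be used."""
    out = {"protocol": None, "aead": None, "cookies": [], "server": None, "port": 123}
    pos = 0
    while True:
        if len(data) - pos < 4:
            raise ValueError("truncated header or missing End of Message")
        head, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        rtype, pos = head & 0x7FFF, pos + 4 + length
        if len(body) != length or (rtype in U16_FIELDS and length != 2):
            raise ValueError("bad length in record type %d" % rtype)
        if rtype == END:
            break
        elif rtype in (ERROR, WARNING):
            raise ValueError("server sent error/warning record: %s" % body.hex())
        elif rtype in U16_FIELDS:
            out[U16_FIELDS[rtype]] = struct.unpack("!H", body)[0]
        elif rtype == COOKIE:
            out["cookies"].append(body)
        elif rtype == SERVER:      # server may point the client at another NTP host
            out["server"] = body.decode("ascii")
        elif head & CRITICAL:      # unknown non-critical records are ignored
            raise ValueError("unknown critical record type %d" % rtype)
    if (out["protocol"], out["aead"]) != (NTPV4, AES_SIV_CMAC_256) or not out["cookies"]:
        raise ValueError("no agreement on NTPv4 + AEAD 15, or no cookies")
    return out
```

A reply that lacks cookies, omits End of Message, or carries an error record is rejected outright, so the client never moves on to the synchronization phase without keys.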

Our Available NTS Servers

Our entire NTP pool now supports NTS. You can use any of these servers for secure synchronization. All TLDs are valid: .com, .fr, .eu, .net, .org, .be, .biz, .info.

Dual-Stack IPv4 + IPv6
All our NTS servers are accessible over IPv4 and IPv6. Your client will automatically select the appropriate protocol based on your network connectivity.

Individual Servers (Stratum 2)

ntp-1.rdem-systems.com
ntp-2.rdem-systems.com
ntp-3.rdem-systems.com
ntp-4.rdem-systems.com
ntp-5.rdem-systems.com
ntp-6.rdem-systems.com
ntp-7.rdem-systems.com
ntp-8.rdem-systems.com
ntp-9.rdem-systems.com
ntp-10.rdem-systems.com
ntp-11.rdem-systems.com

Pool Entries (Load-Balanced)

ntp-pool.rdem-systems.com
pa3.ntp-pool.rdem-systems.com
pa4.ntp-pool.rdem-systems.com
pa5.ntp-pool.rdem-systems.com
Tip
For a simple and resilient configuration, use ntp-pool.rdem-systems.com which automatically distributes requests across our entire infrastructure.
Listed in the Global NTS Community
Our servers are listed in the community repository github.com/jauderho/nts-servers, the reference for public NTS servers worldwide. Also check our NTP Pool score to verify the absence of time deviation on our infrastructure.

Configure Your NTS Client

Chrony is the recommended NTP client for using NTS. It is available on most modern Linux distributions and natively supports NTS since version 4.0.

Chrony Configuration with NTS

Edit your /etc/chrony/chrony.conf (or /etc/chrony.conf) file:

# /etc/chrony/chrony.conf - NTS RDEM Systems Configuration

# NTS RDEM Systems servers (secured)
# You can mix TLDs: .com, .fr, .eu, .net, .org, .be, .biz, .info
server ntp-pool.rdem-systems.com iburst nts
server ntp-1.rdem-systems.fr iburst nts
server ntp-2.rdem-systems.eu iburst nts
server ntp-3.rdem-systems.net iburst nts

# Drift file
driftfile /var/lib/chrony/drift

# Allow significant updates at startup
makestep 1.0 3

# Enable real-time clock sync
rtcsync

# Logging
logdir /var/log/chrony

Installation and Restart

# Install Chrony (Debian/Ubuntu)
sudo apt update && sudo apt install chrony

# Or on RHEL/CentOS/Fedora
sudo dnf install chrony

# Restart the service
sudo systemctl restart chronyd

# Check the status
sudo systemctl status chronyd

Verify That NTS Is Working

After configuring Chrony with NTS, verify that authentication is working correctly:

chronyc sources Command

sudo chronyc -N sources

You should see your sources with the N flag indicating that NTS is active:

MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp-pool.rdem-systems.c>     2   6   377    23   -145us[ -201us] +/-   12ms
^+ ntp-1.rdem-systems.com       2   6   377    24   +234us[ +178us] +/-   15ms
^+ ntp-2.rdem-systems.com       2   6   377    25   -89us[ -145us] +/-   14ms

Check NTS Status

sudo chronyc -N authdata

This command displays the NTS authentication details for each source:

Name/IP address         Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp-pool.rdem-systems.c> NTS     1   15  256  23m    0    0    8  100
ntp-1.rdem-systems.com   NTS     1   15  256  24m    0    0    8  100
ntp-2.rdem-systems.com   NTS     1   15  256  25m    0    0    8  100
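
To turn this output into a monitoring check, the following added example (not part of the original article or of chrony) parses the `authdata` table and reports every source that is not protected by a working NTS association. It relies on the Mode, KLen, Atmp, NAK and Cook columns; the two failing rows and their `example.net` host names are constructed for illustration.

```python
import subprocess

# Rows 1-2 are the sample output shown above. Rows 3-4 are constructed failure
# cases (hypothetical hosts): a plain NTP source and an NTS source that is stuck.
SAMPLE = """\
Name/IP address         Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp-pool.rdem-systems.c> NTS     1   15  256  23m    0    0    8  100
ntp-1.rdem-systems.com   NTS     1   15  256  24m    0    0    8  100
plain.example.net          -     0    0    0    -    0    0    0    0
stuck.example.net        NTS     0    0    0    -    5    1    0    0
"""

def nts_problems(authdata_text):
    """Return {source: [reasons]} for every source that is not healthy NTS."""
    problems = {}
    for line in authdata_text.splitlines():
        fields = line.split()
        if len(fields) != 10:          # header, separator or unexpected row
            continue
        name, mode, _keyid, _aead, klen, _last, atmp, nak, cook, _clen = fields
        if mode != "NTS":
            why = ["not using NTS (mode %s)" % mode]
        else:
            checks = [
                (int(klen) == 0, "no key established"),
                (int(cook) == 0, "no cookies left"),
                (int(nak) > 0, "NTS NAK received"),
                (int(atmp) > 1, "%s key-establishment attempts" % atmp),
            ]
            why = [msg for failed, msg in checks if failed]
        if why:
            problems[name] = why
    return problems

def live_authdata():
    """Output of the command above; needs chrony installed and root rights."""
    return subprocess.run(["chronyc", "-N", "authdata"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    for source, why in nts_problems(SAMPLE).items():
        print("%s: %s" % (source, "; ".join(why)))
```

On a real host, pass `live_authdata()` instead of `SAMPLE` and alert when the returned dictionary is not empty.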

Indicators of Proper Operation

Frequently Asked Questions

Does NTS work with ntpd?

No, the standard ntpd daemon does not support NTS. You must use Chrony (recommended), NTPsec, or ntpd-rs (Rust) to benefit from NTS. Windows W32Time does not support NTS either.

What is the performance impact?

The impact is negligible. The TLS negotiation only occurs at startup and during cookie renewal (approximately every hour). Regular NTP exchanges add only ~100 bytes for authentication.

Can I mix NTS and standard NTP?

Yes, Chrony can simultaneously use NTS sources and standard NTP sources. However, for optimal security, prefer NTS sources.

What happens if NTS fails?

By default, if NTS cannot be established, Chrony will not use the affected source. This is secure behavior: it is better not to synchronize than to synchronize without authentication.

How many NTS servers exist worldwide?

Only 60 to 70 public NTS servers exist globally, including about 45-50 in Europe. The institutional leaders are Netnod (Sweden, 12+ servers), PTB (Germany, 4 servers), and SIDN Labs (Netherlands). France is underrepresented, which motivates our commitment.

Why is there no NTS pool like pool.ntp.org?

The traditional pooling mechanism is incompatible with NTS because each server requires its own TLS certificate. A project funded by ICANN (2025-2027) is working on a solution, but for now, NTS servers must be configured individually.

Which operating systems support NTS by default?

Ubuntu 25.10+ will enable Chrony with NTS by default — a major turning point. RHEL/Fedora and SUSE document NTS configuration. Most modern Linux distributions allow easy NTS activation with Chrony.

Check the NTS compatibility of your server with the tester ntp-tester.eu/nts
