Time servers in Europe: who actually runs NTS?

By Richard DEMONGEOT · 12 July 2026 · Original measurement · Last probe: 12 July 2026

Everyone copies lists of time servers. Nobody measures them. We probed 231 European sources from six different networks, and verified the one thing documentation asserts without proving: who actually serves NTS, the authenticated flavour of NTP (RFC 8915).

The result is harsh. Across the 28 European countries covered, 13 serve NTS. The other 15 serve none at all: Croatia, Estonia, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Norway, Poland, Portugal, Romania, Serbia.

231
sources probed
79
confirmed NTS endpoints
15
countries with no NTS
6
observation networks

The method, because it changes the result

An open port 4460 proves nothing. That is the mistake most inventories make.

A negotiated ntske/1 ALPN proves nothing either. That was ours, until we fixed it. There are three states, not two:

  • Usable NTSALPN ntske/1 negotiated and a certificate valid for the name queried. The only case a conforming client can actually use.
  • Unusable NTS — the NTS-KE server listens, ALPN passes, but the certificate is issued for a different name. RFC 8915 mandates validation: chrony and ntpsec refuse. Functionally, there is no NTS.
  • No NTS — port closed, silent, or no NTS-KE.

The stratum is measured (SNTP v4), not copied. IPv6 only counts when it answers: publishing an AAAA record is not enough.

What that requirement uncovered: ntp.switch.ch

The Swiss national research network does make the NTS effort — which almost the entire continent does not. Its NTS-KE server listens, and its Let's Encrypt certificate chains perfectly. But it is issued for swice-nts1.switch.ch, not for ntp.switch.ch, the name the documentation publishes. A conforming client fails hostname validation.

This is neither a lie nor an oversight: it is an operational error, and it is invisible to any test that skips certificate validation. The real endpoint, swice-nts1.switch.ch, works: stratum 1, NTS, valid certificate. Switzerland does have NTS — under a name nobody publishes.

Six vantage points, six autonomous systems

A measurement from a single network lies: an access list, a rate limit or a geographic restriction produces a false negative. So we probed from six distinct ASes:

Five of those six networks are not ours. AS206014 is the only one we operate. The other five belong to third parties we do not control: our office ISP (Free), three transit providers (Arelion, IELO, IPSET) and one host (Contabo). A measurement taken only from one's own network would prove very little; it is the convergence of six independent networks that makes the figure defensible.

All six networks return exactly the same NTS result: 79 endpoints, without a single disagreement. That convergence is what makes the figure solid — it is not an artefact of where we stand.

NTS in Europe, country by country

CountryNTS endpointsReachableIn the poolWho serves NTS
Germany1828 / 29541FAU, FAU Erlangen-Nur, Hetzner Online, Jörg Mo
France1341 / 56226Hubert Viarouge, RDEM Systems, System76
Sweden1216 / 2963Netnod
Netherlands915 / 15201Nothing to hide, Rick Betting, SIDN Labs, SIDN
Switzerland713 / 17101Adrian Zaugg, Martino Dell'Amb, SWITCH, Ueli H
United Kingdom79 / 9250Hal Murray, Terry Burton, University of Ca
Slovenia46 / 6chrony.eu
Austria35 / 6BEV, University of Vi
Belgium14 / 4Team Belgium
Czech Republic13 / 4Jiří Činčura
Denmark12 / 2DFM
Finland14 / 6miuku.net
Spain13 / 4ROA
Croatianone0 / 2
Estonianone2 / 2
Greecenone1 / 2
Hungarynone0 / 1
Icelandnone2 / 2
Irelandnone2 / 2
Italynone4 / 438
Latvianone1 / 1
Lithuanianone1 / 1
Luxembourgnone2 / 2
Norwaynone5 / 5
Polandnone3 / 3
Portugalnone1 / 4
Romanianone0 / 2
Serbianone1 / 1

What the documentation does not tell you

Confronting the declared with the measured, 9 endpoints show a documentation/measurement gap — in both directions:

The last two cases are the troubling ones: an operator advertising NTS without serving it leaves its users believing their time chain is authenticated when it is not. The first four are the opposite — working NTS that nobody knows how to use, for lack of documentation.

The NTP pool: 2,391 servers, and not one of them can serve NTS

One objection forms immediately: "you missed 226 French servers." We did not — we excluded them deliberately, and for a reason that is not an admission of weakness but an architectural fact.

The pool cannot serve NTS — not through negligence, but by construction. The pool rests on the premise that anyone can contribute without being audited. NTS rests on the premise that the client can cryptographically verify who it is talking to. In the pool's current open-DNS model, the two cannot coexist.

One will rightly object that RFC 8915 §4.1.7 explicitly allows an NTS-KE key server to redirect the client to a time server other than itself. A central nts.pool.ntp.org, run by the project and carrying a perfectly valid certificate, could therefore hand out cookies and then point to any machine in the pool. The certificate problem is circumventable.

But the time server being redirected to must be able to decrypt the cookie — so it must share the cookie encryption key with the key server. The RFC leaves that sharing out of scope and devotes a dedicated security section to it (§8.2, Cookie Encryption Key Compromise). Distributing that key to the ~2,400 volunteer operators of the European pool would give every one of them the power to forge valid cookies, and therefore to impersonate all the others. NTS would lose the very property it exists for: knowing who you are talking to.

This is not a flaw in the pool, and it is not a flaw in NTS: it is an architectural choice, and you have to pick. The pool gives you volume; it cannot give you trust.

The nuance not to miss: what cannot do NTS is the pool entry, not the machine behind it. Some of those machines do serve NTS under their own name, with their own certificate — ours, for instance, which are in the pool and serve NTS. That is the only way to have both, and it is exactly what this register lists. Saying "no pool server does NTS" would be false.

The pool provides volume: 2,391 servers in Europe, 226 in France, 541 in Germany (read from ntppool.org on 12 July 2026). But it makes them anonymous and interchangeable — that is its strength for availability, and it is exactly what forecloses NTS.

The pool measures a quantity; this register measures a chain of trust. We list only servers you can name, verify and hold accountable. They are the only ones on which a compliance claim can rest.

And France?

No French institutional source serves NTS. Not the Paris Observatory, which nonetheless holds the national UTC(OP) realisation. Not Renater, whose stratum 1 server is very much alive. Not any of the universities we probed.

The only French operators serving NTS are private, and there are three: RDEM Systems (12 servers), System76 (one Paris node) and Hubert Viarouge (one server). Compare that with Germany, where the national metrology institute itself — the PTB — serves NTS on four servers, over IPv6.

Zoom in on France: the French NTP and NTS servers: the full detail — the fr.pool.ntp.org pool, institutional stratum 1 servers, academic hosts, hyperscalers, and the servers that vanished since the last campaign — has its own page, re-measured with every probe.

Sources and credits

This register did not start from nothing. It aggregates, verifies and measures existing sources — and it owes them a citation.

What we add is the measurement — not the compilation. Every endpoint from those sources was probed from six networks, with certificate validation. The published CSV carries a verification column stating, line by line, where the entry came from and when it was measured.

This register is incomplete. Help us.

Building this inventory is a considerable amount of work, and we will not pretend it is finished. Every country means tracking down its metrology institute, its research network, its operators — then checking that the published names still exist. Many no longer do.

What we have not covered, and will not pretend to know:

  • Central and Eastern Europe — Poland, Romania, Hungary, Slovakia, Croatia and the Baltics are only partially probed. When we write that one of these countries serves no NTS, it means "none of the sources we found serves it" — not "there are none". It is a known gap, not a measured fact.
  • Cyprus and Malta expose, as far as we know, no public time source at all. If that is wrong, tell us.

Two findings not to mistake for omissions: GARR (the Italian research network) and DFN (the German one) publish no public NTP server — we tested 12 and 6 name variants, all non-existent. They are not time providers, they are transit networks. Their absence from this table is a fact, not a gap.

Which NTP server do you use? If you run a public time source, if your country has one we missed, or if you spot an error in our measurements — tell us. We add it, we measure it from our six networks, and we republish. The data is CC BY 4.0: it is as much yours as ours.

Report a time server →

The limits of this work

A snapshot, not an eternal truth. These figures are from 12 July 2026. A server may enable NTS tomorrow, or go down tonight. We republish with every campaign.

Six networks, all European. A server filtering the whole of Europe would wrongly appear silent. We have no probe outside Europe.

A silent server is not necessarily a dead one. An ACL, IP filtering or rate limiting produces the same symptom as an outage. We distinguish "no longer resolves" (the domain name is gone — that one is final) from "does not answer" (which stays ambiguous).

The data, for download

A measurement you cannot contradict is worth nothing. So here is all of it, unfiltered:

One point of honesty: ntp-pool.rdem-systems.com is the load-balanced entry to our twelve servers, not a thirteenth server. It is excluded from every count. Of the 79 NTS endpoints measured across Europe, RDEM operates 12 — 16%. That makes it the leading French operator, and far from the leading European one: Germany has 18.

Licensed CC BY 4.0: take this data, contradict it, republish it. We would rather publish a method you can attack than a figure you cannot check.

Free NTP Tools

Three independent tools to diagnose your time synchronization: