Time servers in Europe: who actually runs NTS?
Everyone copies lists of time servers. Nobody measures them. We probed 231 European sources from six different networks, and verified the one thing documentation asserts without proving: who actually serves NTS, the authenticated flavour of NTP (RFC 8915).
The result is harsh. Across the 28 European countries covered, 13 serve NTS. The other 15 serve none at all: Croatia, Estonia, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Norway, Poland, Portugal, Romania, Serbia.
The method, because it changes the result
An open port 4460 proves nothing. That is the mistake most inventories make.
A negotiated ntske/1 ALPN proves nothing either. That was ours, until we fixed
it. There are three states, not two:
- Usable NTS — ALPN
ntske/1negotiated and a certificate valid for the name queried. The only case a conforming client can actually use. - Unusable NTS — the NTS-KE server listens, ALPN passes, but the certificate is issued for a different name. RFC 8915 mandates validation: chrony and ntpsec refuse. Functionally, there is no NTS.
- No NTS — port closed, silent, or no NTS-KE.
The stratum is measured (SNTP v4), not copied. IPv6 only counts when it answers: publishing an AAAA record is not enough.
What that requirement uncovered: ntp.switch.ch
The Swiss national research network does make the NTS effort — which almost the entire continent does not.
Its NTS-KE server listens, and its Let's Encrypt certificate chains perfectly. But it is issued for
swice-nts1.switch.ch, not for ntp.switch.ch, the name the documentation publishes.
A conforming client fails hostname validation.
This is neither a lie nor an oversight: it is an operational error,
and it is invisible to any test that skips certificate validation. The real endpoint,
swice-nts1.switch.ch, works: stratum 1, NTS, valid certificate. Switzerland does have NTS — under a
name nobody publishes.
Six vantage points, six autonomous systems
A measurement from a single network lies: an access list, a rate limit or a geographic restriction produces a false negative. So we probed from six distinct ASes:
- RDEM Systems —
AS206014: our AS, the only one we operate. - Free —
AS12322: our office ISP. We are a customer; we do not run it. - Arelion —
AS1299: international transit provider. - IELO —
AS29075: French transit provider. - IPSET —
AS199275: French transit provider. - Contabo —
AS51167: German host.
Five of those six networks are not ours. AS206014 is the only one we operate.
The other five belong to third parties we do not control: our office ISP (Free), three
transit providers (Arelion, IELO, IPSET) and one host (Contabo). A measurement taken only from
one's own network would prove very little; it is the convergence of six independent networks that makes the
figure defensible.
All six networks return exactly the same NTS result: 79 endpoints, without a single disagreement. That convergence is what makes the figure solid — it is not an artefact of where we stand.
NTS in Europe, country by country
| Country | NTS endpoints | Reachable | In the pool | Who serves NTS |
|---|---|---|---|---|
| Germany | 18 | 28 / 29 | 541 | FAU, FAU Erlangen-Nur, Hetzner Online, Jörg Mo |
| France | 13 | 41 / 56 | 226 | Hubert Viarouge, RDEM Systems, System76 |
| Sweden | 12 | 16 / 29 | 63 | Netnod |
| Netherlands | 9 | 15 / 15 | 201 | Nothing to hide, Rick Betting, SIDN Labs, SIDN |
| Switzerland | 7 | 13 / 17 | 101 | Adrian Zaugg, Martino Dell'Amb, SWITCH, Ueli H |
| United Kingdom | 7 | 9 / 9 | 250 | Hal Murray, Terry Burton, University of Ca |
| Slovenia | 4 | 6 / 6 | — | chrony.eu |
| Austria | 3 | 5 / 6 | — | BEV, University of Vi |
| Belgium | 1 | 4 / 4 | — | Team Belgium |
| Czech Republic | 1 | 3 / 4 | — | Jiří Činčura |
| Denmark | 1 | 2 / 2 | — | DFM |
| Finland | 1 | 4 / 6 | — | miuku.net |
| Spain | 1 | 3 / 4 | — | ROA |
| Croatia | none | 0 / 2 | — | — |
| Estonia | none | 2 / 2 | — | — |
| Greece | none | 1 / 2 | — | — |
| Hungary | none | 0 / 1 | — | — |
| Iceland | none | 2 / 2 | — | — |
| Ireland | none | 2 / 2 | — | — |
| Italy | none | 4 / 4 | 38 | — |
| Latvia | none | 1 / 1 | — | — |
| Lithuania | none | 1 / 1 | — | — |
| Luxembourg | none | 2 / 2 | — | — |
| Norway | none | 5 / 5 | — | — |
| Poland | none | 3 / 3 | — | — |
| Portugal | none | 1 / 4 | — | — |
| Romania | none | 0 / 2 | — | — |
| Serbia | none | 1 / 1 | — | — |
What the documentation does not tell you
Confronting the declared with the measured, 9 endpoints show a documentation/measurement gap — in both directions:
ntp1.fau.de— FAU Erlangen-Nuremberg (Germany): serves NTS, does not document it.ntp1.hetzner.de— Hetzner Online (Germany): serves NTS, does not document it.ntp2.hetzner.de— Hetzner Online (Germany): serves NTS, does not document it.ntp3.hetzner.de— Hetzner Online (Germany): serves NTS, does not document it.ntp.zeitgitter.net— Zeitgitter / Trifence (Switzerland): advertises NTS, does not serve it.ntp.trifence.ch— Trifence AG (Switzerland): advertises NTS, does not serve it.nts1.ntp.hr— UNIZG FER REMLAB (Croatia): advertises NTS, does not serve it.nts2.ntp.hr— UNIZG FER REMLAB (Croatia): advertises NTS, does not serve it.time.signorini.ch— Attilio Signorini (Switzerland): advertises NTS, does not serve it.
The last two cases are the troubling ones: an operator advertising NTS without serving it leaves its users believing their time chain is authenticated when it is not. The first four are the opposite — working NTS that nobody knows how to use, for lack of documentation.
The NTP pool: 2,391 servers, and not one of them can serve NTS
One objection forms immediately: "you missed 226 French servers." We did not — we excluded them deliberately, and for a reason that is not an admission of weakness but an architectural fact.
The pool cannot serve NTS — not through negligence, but by construction. The pool rests on the premise that anyone can contribute without being audited. NTS rests on the premise that the client can cryptographically verify who it is talking to. In the pool's current open-DNS model, the two cannot coexist.
One will rightly object that RFC 8915 §4.1.7 explicitly allows an NTS-KE key server to
redirect the client to a time server other than itself. A central nts.pool.ntp.org,
run by the project and carrying a perfectly valid certificate, could therefore hand out cookies and then
point to any machine in the pool. The certificate problem is circumventable.
But the time server being redirected to must be able to decrypt the cookie — so it must share the cookie encryption key with the key server. The RFC leaves that sharing out of scope and devotes a dedicated security section to it (§8.2, Cookie Encryption Key Compromise). Distributing that key to the ~2,400 volunteer operators of the European pool would give every one of them the power to forge valid cookies, and therefore to impersonate all the others. NTS would lose the very property it exists for: knowing who you are talking to.
This is not a flaw in the pool, and it is not a flaw in NTS: it is an architectural choice, and you have to pick. The pool gives you volume; it cannot give you trust.
The nuance not to miss: what cannot do NTS is the pool entry, not the machine behind it. Some of those machines do serve NTS under their own name, with their own certificate — ours, for instance, which are in the pool and serve NTS. That is the only way to have both, and it is exactly what this register lists. Saying "no pool server does NTS" would be false.
The pool provides volume: 2,391 servers in Europe, 226 in France, 541 in Germany (read from ntppool.org on 12 July 2026). But it makes them anonymous and interchangeable — that is its strength for availability, and it is exactly what forecloses NTS.
The pool measures a quantity; this register measures a chain of trust. We list only servers you can name, verify and hold accountable. They are the only ones on which a compliance claim can rest.
And France?
No French institutional source serves NTS. Not the Paris Observatory, which nonetheless holds the national UTC(OP) realisation. Not Renater, whose stratum 1 server is very much alive. Not any of the universities we probed.
The only French operators serving NTS are private, and there are three: RDEM Systems (12 servers), System76 (one Paris node) and Hubert Viarouge (one server). Compare that with Germany, where the national metrology institute itself — the PTB — serves NTS on four servers, over IPv6.
Zoom in on France: the French NTP and NTS servers: the full detail — the
fr.pool.ntp.org pool, institutional stratum 1 servers, academic hosts, hyperscalers, and the
servers that vanished since the last campaign — has its own page, re-measured with every probe.
Sources and credits
This register did not start from nothing. It aggregates, verifies and measures existing sources — and it owes them a citation.
- jauderho/nts-servers — the reference list of NTS servers. 50 of the European endpoints in our inventory come from it. It is a list of declared NTS: we added the measurement, and that measurement revealed that two of its entries (Trifence, Zeitgitter) do not serve it, while four servers absent from it (Hetzner, FAU) do.
- Official documentation from metrology institutes and research networks: PTB (DE), Netnod (SE), METAS (CH), INRiM (IT), GUM (PL), ROA (ES), BEV (AT), NPL (UK), SIDN/TimeNL (NL), CERT.LV, ISNIC, ARNES, DMDM, DFM, VTT MIKES, and the European NRENs.
- The Network Time Foundation Stratum 1 registry.
- ntppool.org — for pool volumes (2,391 servers in Europe, 226 in France, read on 12 July 2026).
What we add is the measurement — not the compilation. Every endpoint from those sources was
probed from six networks, with certificate validation. The published CSV carries a verification
column stating, line by line, where the entry came from and when it was measured.
This register is incomplete. Help us.
Building this inventory is a considerable amount of work, and we will not pretend it is finished. Every country means tracking down its metrology institute, its research network, its operators — then checking that the published names still exist. Many no longer do.
What we have not covered, and will not pretend to know:
- Central and Eastern Europe — Poland, Romania, Hungary, Slovakia, Croatia and the Baltics are only partially probed. When we write that one of these countries serves no NTS, it means "none of the sources we found serves it" — not "there are none". It is a known gap, not a measured fact.
- Cyprus and Malta expose, as far as we know, no public time source at all. If that is wrong, tell us.
Two findings not to mistake for omissions: GARR (the Italian research network) and DFN (the German one) publish no public NTP server — we tested 12 and 6 name variants, all non-existent. They are not time providers, they are transit networks. Their absence from this table is a fact, not a gap.
Which NTP server do you use? If you run a public time source, if your country has one we missed, or if you spot an error in our measurements — tell us. We add it, we measure it from our six networks, and we republish. The data is CC BY 4.0: it is as much yours as ours.
The limits of this work
A snapshot, not an eternal truth. These figures are from 12 July 2026. A server may enable NTS tomorrow, or go down tonight. We republish with every campaign.
Six networks, all European. A server filtering the whole of Europe would wrongly appear silent. We have no probe outside Europe.
A silent server is not necessarily a dead one. An ACL, IP filtering or rate limiting produces the same symptom as an outage. We distinguish "no longer resolves" (the domain name is gone — that one is final) from "does not answer" (which stays ambiguous).
The data, for download
A measurement you cannot contradict is worth nothing. So here is all of it, unfiltered:
- The full inventory (CSV) —
267 hostnames probed, 231 counted machines. The
countedcolumn states, line by line, whether the entry counts: DNS aliases (several names for the same machine) and pool zones are probed for transparency but excluded from the counts. Filter oncounted=yesand you get exactly the figures on this page. Two distinct columns:nts_documented(what the operator claims) andnts_measured(what we measured) — the 9 gaps read straight out of the file. - The raw timestamped measurement (JSON) — stratum, refid, root dispersion, RTT, IPv6, NTS for every endpoint, with the method and the limits embedded in the file.
One point of honesty: ntp-pool.rdem-systems.com is the load-balanced entry
to our twelve servers, not a thirteenth server. It is excluded from every count. Of the 79 NTS endpoints measured across Europe, RDEM operates 12 — 16%. That makes it the leading French operator, and far from the leading European one: Germany has 18.
Licensed CC BY 4.0: take this data, contradict it, republish it. We would rather publish a method you can attack than a figure you cannot check.
Free NTP Tools
Three independent tools to diagnose your time synchronization: