@jauderho
Last active November 22, 2023 16:26
A curated list of NTP time servers that support NTS

ghost commented Sep 8, 2021

Hey, if you search for other servers to add to your list I am hosting a tier 2 NTS server at ntp.qontinuum.space on port 4460.

You may also want to add netnod.se servers that you can find here:

  • nts.netnod.se:4460
  • sth1.nts.netnod.se:4460
  • sth2.nts.netnod.se:4460

asche77 commented Dec 3, 2021

These are working for me as NTS servers (via chrony):

  • time.cloudflare.com
  • ptbtime1.ptb.de
  • ptbtime2.ptb.de
  • ptbtime3.ptb.de
  • nts1.time.nl
  • nts.netnod.se
  • nts.ntp.se
  • nts.sth1.ntp.se
  • nts.sth2.ntp.se
  • ntp1.glypnod.com
  • ntp2.glypnod.com
  • ntpmon.dcs1.biz
  • netmon2.dcs1.biz
  • kong.rellim.com
  • pi3.rellim.com

The following did not work:

  • ntp.qontinuum.space

phloggu commented Dec 27, 2021

Switzerland:

ntp.3eck.net
ntp.trifence.ch
ntp.zeitgitter.net

See the blog post Transparent, Trustworthy Time with NTP and NTS.

asche77 commented Dec 28, 2021

Some more working for me (found on https://psychogun.github.io/docs/linux/Stratum-1-NTP-Server-using-Raspberry-Pi/):

  • khronos.mikieboy.net
  • spidey.rellim.com
  • pi4.rellim.com

Not working for me, though found on different sites:

  • ntpmon.dcs1.biz
  • timemaster.evangineer.net
  • nts-test.strangled.net
  • nts.strangled.net

The following are test-only servers with private certificates and won't work (out of the box) for third parties:

  • nts2-e.ostfalia.de
  • nts3-e.ostfalia.de

@MarcelWaldvogel

The foremost goals of NTS are Identity and Authentication. Picking some random hosts from the Internet voids this, as well as using test-only servers for anything other than tests. Yes, that means the list of current NTS-capable servers is disappointingly tiny, essentially limited to a few sites in too few countries (maybe in order of appearance):

  • The CloudFlare servers
  • The netnod.se/ntp.se servers operated by NetNod (I have not found the ntp.se servers to be publicly announced as public NTS-capable servers)
  • The ptb.de servers
  • The time.nl pilot server
  • The ntp.br servers operated by nic.br and cgi.br (who also recommend everyone to switch to NTS)

If you want more servers with NTS, there are only two options:

  1. ask your local authorities, other public entities, or corporations with existing NTP service to add NTS, and/or
  2. start providing your own NTS service, but do announce on the page of the server or your site (a) who you are, (b) that the service is meant for the public, and (c) provide some statistics, with adding the server to the NTP Pool being the easy way out.

We did both of those for Switzerland and are still fine-tuning our uplinks, trying to balance accuracy, stability, delay, and NTS-ability; a challenge with the current NTS sparseness.

(Some of the fine-tuning lessons: Try to have as few anycast servers as possible. You can see that Cloudflare is consistently about 2ms off here; another server a few meters away and connected to the same ISP, consistently sees a much better time from the same Cloudflare IP address at 4ms RTT. Anycast (and the Cloudflare service) is great, if you just want the time; but a challenge if you try to get tight bounds.)

[Image: peer-offsets]

mibere commented Feb 1, 2022

I operate an NTP/NTS server in Germany:

nts1.adopo.net

cadusilva commented Feb 7, 2022

Hello there, I'm operating an NTP server in Brazil using Chrony coupled with a GPS dongle, so it's a Stratum 1 time server. It's also NTS-ready at port 4460.

time.bolha.one

Infrastructure:

  • Ryzen 5 3550H 2,1 GHz 4C/8T
  • 32 GB RAM, 256 GB NVMe
  • 500 Mbps D/U via FTTH
  • u-blox NEO-6 G7020-KT USB GPS module
  • Chrony 4.0 with GPSD 3.22
  • 99% uptime

@bclaymiles

I've been running an NTS server since sometime in 2020 - possibly earlier, who keeps track? :)

server nts.anastrophe.com:4460 nts

I've owned the anastrophe.com domain since the 1990's, and have hosted my website and about a dozen others for about that time, and manage the email service and everything else (sysadmin since 1994 or so, so, yeah, that's my life).

The server is on my home network, on a comcast/xfinity connection. Historically, my IP address has been largely stable except recently, when comcast did some mucking about that forced a change (and throttled my speed for a month). It seems to be back to stability. I keep a very close eye on it and monitor it, so if it changes, it gets updated pretty swiftly.

Everything is on UPS, so except for some instability over the last couple of days - an adafruit hat went wonky and thought that the EPO data was valid from 06/05/2022 to some date in 2001 (!) - everything runs pretty smoothly.

Naturally I provide stratum one standard ntp service as well. I maintain an info and policy page for all this here:

https://ntpsec.anastrophe.com

cheers.

@cadusilva

Hey, cool stuff you got there! I even edited my post to also describe my home server. How stable is your NEO-M8T? Mine is a NEO-M8L (using this antenna) and eventually Chrony considers this source as "may be in error" no matter what I do. That's why I'm using an older NEO-6 GPS module that at least is stable and provides microsecond accuracy.

With the NEO-M8 module, things start well (but without PPS) and eventually go off track. How do you set your offset or any other setting? Thank you.

@bclaymiles

For the most part, the M8T has been quite solid. I think the key is to use the U-blox U-center, and set up the Assist Now offline option to regularly download the ephemeris data (doesn't cost anything, but you do need to register for it). Of course all the other caveats apply, good antenna location, stable temperatures (as much as possible), etc. I don't set any offsets, as typically after a restart it wiggles its way to tight accuracy pretty quickly.

I just purchased a new board yesterday that will come from china in a couple of weeks, using the Max-M8Q -
https://www.ebay.com/itm/264810984552

We shall see how that goes...

@cadusilva

I'm definitely not having the same luck with the M8L. If I don't set an offset it just stays in error with the same number in the adjusted and measured offset. If I set an offset, it initially works but eventually goes back to staying in error.

MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
#x GPS                           0   3   377     7    +64ms[  +64ms] +/- 2828us
^- 168.96.251.197                1   6   337    11   -585us[ -585us] +/-  108ms
^+ 200.160.7.186                 1   6   377    13  +1827us[+2171us] +/-   27ms
^* 200.160.7.197                 1   6   377    13  +1618us[+1962us] +/-   28ms

I downloaded the AssistNow Offline data but it didn't help at all. The module gets a fix, but as a reference clock source it is useless. And the PPS pulse doesn't work.

┌──────────────────Seen 27/Used  9┐
│GNSS   PRN  Elev   Azim   SNR Use│
│GP  1    1  43.0  221.0  25.0  Y │
│GP  8    8  24.0  323.0  27.0  Y │
│GP 10   10  13.0   77.0  23.0  Y │
│GP 21   21  72.0  264.0  23.0  Y │
│GP 22   22  13.0  148.0  22.0  Y │
│GP 27   27  17.0    2.0  27.0  Y │
│GP 31   31  39.0  144.0  25.0  Y │
│GL  8   72  17.0  186.0  20.0  Y │
│GL 11   75  41.0   20.0  22.0  Y │
│GP  3    3  14.0  209.0  14.0  N │
│GP  4    4  27.0  253.0  17.0  N │
│GP  9    9   6.0  278.0  14.0  N │
│GP 16   16  27.0   31.0  19.0  N │
│GP 26   26  32.0   65.0   8.0  N │
│GP 32   32   0.0  132.0   0.0  N │
│SB120   33  66.0   74.0   0.0  N │
│SB133   46  19.0  273.0   0.0  N │
│SB136   49  43.0   83.0   0.0  N │
│GL  1   65   6.0  232.0   0.0  N │
│GL  7   71  10.0  139.0  17.0  N │
│GL  9   73  10.0  139.0   0.0  N │
└More...──────────────────────────┘

It's a pity for such a device to behave like this, while an older NEO-M6 works like a charm, with stability and no complications other than manually setting an offset.

@bclaymiles

We should probably take this offline since it's not directly relevant to the list of NTS sources - you can email me at the address on the website, and we continue there!

@bclaymiles

Geez, I make a few "minor" changes and it seems like my NTS isn't working - but it's hard to test remotely for sure - if anyone out there feels like trying to use my server as above for nts, I'd appreciate any info you come up with - and you can email me as i mentioned above...sheeesh!

@cadusilva

> We should probably take this offline since it's not directly relevant to the list of NTS sources - you can email me at the address on the website, and we continue there!

You're right, but I guess there's nothing we can do about the module so I'll try to sell it or something.

> Geez, I make a few "minor" changes and it seems like my NTS isn't working - but it's hard to test remotely for sure - if anyone out there feels like trying to use my server as above for nts, I'd appreciate any info you come up with - and you can email me as i mentioned above...sheeesh!

I'll just leave it here as it may help someone troubleshooting problems, but here's the output of this Chrony command to test NTS servers:

$ chronyd -Q -t 3 'server nts.anastrophe.com iburst nts maxsamples 1'
2022-06-07T22:22:45Z chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-06-07T22:22:45Z Disabled control of system clock
2022-06-07T22:22:48Z chronyd exiting

There's no error, so I guess everything is fine with this address (nts.anastrophe.com).

Anything else, I'll ping you via e-mail.
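
One way to read the output of the `chronyd -Q` probe quoted above (an added example, not part of the original thread): chronyd logs a `System clock wrong by ... seconds (ignored)` line once it has a usable measurement, and with `-t` it exits with a non-zero status if the clock was not synchronised, so the classifier below looks for that line. The function names and the second sample log are constructed for illustration.

```shell
#!/bin/sh
# classify_probe: read `chronyd -Q` log text on stdin and print one verdict:
#   synced    - an offset line is present, i.e. NTS-KE and one NTP sample succeeded
#   no-sample - chronyd started and exited without ever reporting an offset
#   not-run   - no chronyd start line at all (binary missing, bad directive, ...)
classify_probe() {
    awk '
        /chronyd version .* starting/ { started = 1 }
        /System clock wrong by/       { synced = 1 }
        END {
            if (synced)       print "synced"
            else if (started) print "no-sample"
            else              print "not-run"
        }'
}

# probe_nts HOST [TIMEOUT]: run the one-shot probe from the thread and classify it.
# Needs chronyd 4.x built with +NTS; -Q only prints the offset and never sets the clock.
probe_nts() {
    host=$1
    wait_s=${2:-10}   # assumption: a longer timeout than the 3 s used in the thread
    chronyd -Q -t "$wait_s" "server $host iburst nts maxsamples 1" 2>&1 | classify_probe
}

# Output quoted in the thread above: start and exit lines only, no offset line.
SAMPLE_THREAD='2022-06-07T22:22:45Z chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-06-07T22:22:45Z Disabled control of system clock
2022-06-07T22:22:48Z chronyd exiting'

# Constructed sample (not from the thread) of a run that obtained a measurement.
SAMPLE_SYNCED='2022-06-07T22:30:00Z chronyd version 4.0 starting (+NTS)
2022-06-07T22:30:00Z Disabled control of system clock
2022-06-07T22:30:01Z System clock wrong by 0.000412 seconds (ignored)
2022-06-07T22:30:01Z chronyd exiting'

# Offline demonstration on the two embedded samples.
printf 'thread sample:      %s\n' "$(printf '%s\n' "$SAMPLE_THREAD" | classify_probe)"
printf 'constructed sample: %s\n' "$(printf '%s\n' "$SAMPLE_SYNCED" | classify_probe)"
```

To test a live server, call `probe_nts <hostname>`; a `no-sample` verdict means the NTS key exchange or the authenticated NTP reply did not complete within the timeout.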

@Pentaphon

System76 just set up their NTS time servers for Pop!_OS or anybody to use.

More info here: https://system76.com/time

ghost commented Jul 25, 2022

System76's NTS-enabled time servers are the following:

server virginia.time.system76.com iburst nts
server ohio.time.system76.com iburst nts
server oregon.time.system76.com iburst nts

(in response to Pentaphon's message)

mdavids commented Jul 26, 2022

Some more background about the TimeNL-servers that support NTS.

They are:

ntppool1.time.nl
ntppool2.time.nl

nts1.time.nl is used for testing and not recommended for production.

The information can be found here: https://nts.time.nl/ and more general information about TimeNL can be found here: https://time.nl/index_en.html

@catharsis71

I have some stratum 2 servers running NTS that anyone is welcome to sync to, IPV4 and IPV6 on all of them:

nl.cracky-chan.com
us.cracky-chan.com
uk1.cracky-chan.com
uk2.cracky-chan.com

there's also a DNS name ntp.cracky-chan.com that includes all 4 servers so could be used as a pool address

the servers are using wildcard SSL certs so older versions of ntpsec may refuse to connect to them; ntpsec added support for wildcard SSL certs in April but there hasn't been a tagged release since then

@Tungsten842

https://system76.com/time
paris.time.system76.com
brazil.time.system76.com
system76 has two more nts servers, they should be added.

@sergeevabc

Comrades, is there any way to sync time via NTS on Windows? Command-line utility?

@bclaymiles

FYI, I will soon be shutting down public access to ntpsec.anastrophe.com for both NTP and NTS. I'll still offer peering by request.

macifell commented Mar 5, 2023

This list and the exceptional one compiled by @MarcelWaldvogel at https://netfuture.ch/2021/12/transparent-trustworthy-time-with-ntp-and-nts/ are invaluable resources for folks trying to get NTS running.

These two lists have not been updated in nearly six months though, and until they become active again I have started my own list of servers here:
https://gitlab.com/-/snippets/2481323

^ This list is now private as @jauderho has created a repo to allow pull requests for updating servers.

I have also added the stratum and sources of all listed servers in the hopes it will be useful.

It is not my intent to replace any other list, but I think it's crucial to have up to date information available as this protocol starts to become more widely used.

cadusilva commented Mar 5, 2023

@macifell I updated my NTP/NTS server address, located in Brazil. I'm using Chrony but not sure if the NTS part is working. Can you try it out?

The new address is:

time.bolha.one

macifell commented Mar 5, 2023

@cadusilva Sure, it seems to be working. A few suggestions:

  1. If you have the ability, it would be nice to set up reverse dns for the server. It will look better in the chronyc sources output.
  2. It would also be great to have a web page set up to provide information on the state and access policy of the server. This project can be used to get something running quickly: https://github.com/macifell/chrony-graph - but even something more basic will be helpful.

cadusilva commented Mar 5, 2023

Thank you @macifell! Currently I can't set up reverse DNS as this is a static IP from my ISP and I have no control, but I would if I could. About the second point, I can redirect the server hostname to this URL as a middle ground.

macifell commented Mar 5, 2023

@cadusilva Sure, no problem 🙂

Yeah, reverse DNS can be annoying (if not impossible) to set up and that NTP Score page is cool as a redirect.

Author

jauderho commented Mar 7, 2023

@macifell I have checked out your link and I am unsure if it makes sense to keep the "Secure Source?" column. To me, that seems to imply more trust to certain systems where it is not possible to qualify.

I would rather just have a list of servers that folks can use to decide for themselves which ones they want to trust and use. To that end and given that it appears not to be possible to generate pull requests against gists, I have gone ahead and created https://github.com/jauderho/nts-servers to make it easier to create a formal list that can accept pull requests.

I have taken a first stab at adding some entries. If you have your file in Markdown format, I will happily accept a pull request. Else, I will try to add to this when I have time. Eventually, I hope to retire this gist and redirect to the repo.

macifell commented Mar 7, 2023

@jauderho That's a great idea! I do not want to have another competing list, I just want to make sure this information is kept up to date.

Whether or not an NTS server gets its time securely does play into the concept of trust, as it could just be repackaging insecure time:
https://netfuture.ch/2022/01/configuring-an-nts-capable-ntp-server/#upstream-server-choice

If there is no statement from the administrator and the observable source is not secure, then I think it is reasonable to determine that it is not as secure as it could be. While this isn't perfect, it would at least give someone a reason to ask about how this is being done - even if they trust the source individual or company. Of course, this information could be forged (or lied about), so trust of the administrator is the primary consideration. I do intend to ask the administrator of each server marked with an 'N' about how they get their time - and I also monitor this value over time and will mark additional sources as they show up.

That being said, I do not think it's necessary to include that information in the official list. I'm only keeping track of it in mine because I find it interesting.

Author

jauderho commented Mar 7, 2023

@macifell I forgot to grab a copy of your list before you made it private. Could you make it public temporarily or post a copy in the comments so that I can format it as a starting point into Markdown? Thanks.

macifell commented Mar 8, 2023

@jauderho I'm actually working on a pull request right now to add in those servers 🙂
