Network Time Protocol (NTP) Service
If you have seen this DNS address or the below Internet Protocol addresses in your logs, you have used this NTP server as a time source, most likely via the UK NTP Pool. Find out more about the NTP Pool Project here.
The following IP addresses and DNS name are used for time:
If you wish to synchronise time with this service, please use ntp.howson.me. The underlying IP addresses may change over time and should not be relied upon directly.
This server supports Network Time Security (NTS) for authenticated and encrypted time synchronisation.
What is Network Time Security?
NTP has been in use since 1985 and was designed at a time when the internet was a far more trusting place. Classic NTP has no authentication — a packet claiming to carry accurate time looks identical to one that has been spoofed or tampered with in transit. This makes plain NTP vulnerable to man-in-the-middle attacks and time spoofing, both of which can have serious downstream consequences for TLS certificate validation, Kerberos tickets, and log correlation.
Network Time Security (RFC 8915, published 2020) solves this by layering cryptographic authentication on top of NTP. It works in two stages:
- NTS Key Exchange (NTS-KE) — the client opens a TLS 1.3 connection to the server on port 4460. The server’s identity is verified using a standard X.509 certificate (the same kind used for HTTPS). Session keys and a set of one-time-use cookies are negotiated and returned to the client.
- Authenticated NTP packets — subsequent time requests travel over UDP port 123 as normal, but each packet carries one of the cookies from the key exchange. The packet payload is protected using AEAD (Authenticated Encryption with Associated Data), specifically AES-SIV-CMAC-256, ensuring both integrity and confidentiality.
Because the cookies are single-use and the server never stores session state, NTS is resistant to replay attacks. Because the key exchange uses TLS with a real certificate, you can be confident you are talking to the server you intended to reach.
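The NTS-KE stage described above, as an added example that is not code from this page or from chrony: it builds the client's NTS-KE request and interprets a constructed server reply using the record format of RFC 8915 (16-bit critical-bit-plus-type word, 16-bit length, body). Real clients exchange these bytes inside a TLS 1.3 session with ALPN "ntske/1"; the TLS session itself, the key export and the later AES-SIV packet protection are outside this example, and the eight cookie bodies in the reply are placeholders rather than real cookies.

```python
import struct

# NTS-KE record types (RFC 8915, section 4.1)
REC_END_OF_MESSAGE = 0
REC_NEXT_PROTOCOL = 1
REC_ERROR = 2
REC_WARNING = 3
REC_AEAD_ALGORITHM = 4
REC_NEW_COOKIE = 5
REC_SERVER = 6
REC_PORT = 7

PROTO_NTPV4 = 0             # protocol ID negotiated for NTPv4
AEAD_AES_SIV_CMAC_256 = 15  # IANA AEAD algorithm ID for AES-SIV-CMAC-256
CRITICAL = 0x8000           # top bit of the 16-bit type word marks a critical record


def encode_record(rec_type, body=b"", critical=False):
    """One record: 16-bit critical|type, 16-bit body length, then the body."""
    if rec_type >> 15:
        raise ValueError("record type must fit in 15 bits")
    word = rec_type | (CRITICAL if critical else 0)
    return struct.pack("!HH", word, len(body)) + body


def build_nts_ke_request():
    """The client's request, sent over the TLS 1.3 session (ALPN "ntske/1") to port 4460."""
    return (
        encode_record(REC_NEXT_PROTOCOL, struct.pack("!H", PROTO_NTPV4), critical=True)
        + encode_record(REC_AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
        + encode_record(REC_END_OF_MESSAGE, critical=True)
    )


def parse_records(data):
    """Split a message into (critical, type, body) tuples, stopping at End of Message."""
    records = []
    offset = 0
    while offset + 4 <= len(data):
        word, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        body = data[offset:offset + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        offset += length
        rec_type = word & 0x7FFF
        records.append((bool(word & CRITICAL), rec_type, body))
        if rec_type == REC_END_OF_MESSAGE:
            return records
    raise ValueError("message has no End of Message record")


def interpret_server_response(data):
    """Check the server's reply against what we asked for and collect the cookies."""
    result = {"protocol": None, "aead": None, "cookies": [], "server": None, "port": 123}
    for critical, rec_type, body in parse_records(data):
        if rec_type == REC_END_OF_MESSAGE:
            break
        if rec_type == REC_ERROR:
            (code,) = struct.unpack("!H", body)
            raise ValueError("server sent NTS-KE error code %d" % code)
        if rec_type == REC_WARNING:
            continue  # informational; a real client would log the warning code
        if rec_type == REC_NEXT_PROTOCOL:
            if body != struct.pack("!H", PROTO_NTPV4):
                raise ValueError("server did not agree on NTPv4")
            result["protocol"] = PROTO_NTPV4
        elif rec_type == REC_AEAD_ALGORITHM:
            if body != struct.pack("!H", AEAD_AES_SIV_CMAC_256):
                raise ValueError("server did not agree on AES-SIV-CMAC-256")
            result["aead"] = AEAD_AES_SIV_CMAC_256
        elif rec_type == REC_NEW_COOKIE:
            result["cookies"].append(body)  # opaque to the client; one is spent per NTP request
        elif rec_type == REC_SERVER:
            result["server"] = body.decode("ascii")  # optional: send NTP to a different host
        elif rec_type == REC_PORT:
            (result["port"],) = struct.unpack("!H", body)
        elif critical:
            # RFC 8915: an unrecognised critical record aborts the exchange
            raise ValueError("unrecognised critical record type %d" % rec_type)
    if result["protocol"] is None or result["aead"] is None or not result["cookies"]:
        raise ValueError("incomplete NTS-KE response")
    return result


def constructed_server_response():
    """A server reply constructed for this example; the cookie bytes are placeholders."""
    cookies = [bytes([i]) * 32 for i in range(1, 9)]  # eight 32-byte dummy cookies
    return (
        encode_record(REC_NEXT_PROTOCOL, struct.pack("!H", PROTO_NTPV4), critical=True)
        + encode_record(REC_AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
        + b"".join(encode_record(REC_NEW_COOKIE, c) for c in cookies)
        + encode_record(REC_END_OF_MESSAGE, critical=True)
    )


if __name__ == "__main__":
    print("request:", build_nts_ke_request().hex())
    reply = interpret_server_response(constructed_server_response())
    print("AEAD %d, %d cookies, NTP port %d" % (reply["aead"], len(reply["cookies"]), reply["port"]))
```

The two checks worth noticing are that an Error record or an unrecognised critical record aborts the exchange, and that a reply without an agreed protocol, an agreed AEAD and at least one cookie is rejected; a client that skipped those checks could be talked into an unauthenticated session by a broken or hostile server.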
Connecting to this server
chrony (default on Ubuntu 22.04 and later)
Add the following to /etc/chrony/chrony.conf, replacing or supplementing the existing pool lines:
server ntp.howson.me iburst nts
Then restart chrony and verify NTS is active:
sudo systemctl restart chrony
chronyc -n authdata
A successful response will show NTS in the Mode column for this server.
ntpsec
Add to /etc/ntpsec/ntp.conf:
server ntp.howson.me nts
Running your own NTP server on Ubuntu 24.04 LTS
Ubuntu 24.04 ships with chrony as the default time daemon. The steps below configure it as a public-facing NTP server with NTS support.
1. Install chrony
sudo apt update
sudo apt install chrony
2. Obtain a TLS certificate
NTS requires a valid TLS certificate for the NTS-KE handshake. The easiest way to get one is via Let’s Encrypt. Your server needs a public DNS name pointing to it.
sudo apt install certbot
sudo systemctl stop chrony
sudo certbot certonly --standalone -d ntp.example.com
sudo systemctl start chrony
Chrony runs as the _chrony user and needs read access to the private key. A deploy hook keeps the copy updated on every renewal:
sudo nano /etc/letsencrypt/renewal-hooks/deploy/chrony-cert.sh
#!/bin/bash
# Deploy hook run by certbot after each successful renewal: copy the new
# certificate and key where chrony can read them, then restart chrony.
set -euo pipefail
cp /etc/letsencrypt/live/ntp.example.com/fullchain.pem /etc/chrony/nts-cert.pem
cp /etc/letsencrypt/live/ntp.example.com/privkey.pem /etc/chrony/nts-key.pem
chown _chrony:_chrony /etc/chrony/nts-cert.pem /etc/chrony/nts-key.pem
chmod 600 /etc/chrony/nts-key.pem
systemctl restart chrony
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/chrony-cert.sh
sudo bash /etc/letsencrypt/renewal-hooks/deploy/chrony-cert.sh
3. Configure chrony
Edit /etc/chrony/chrony.conf. A well-rounded configuration for a public server:
# Upstream time sources — prefer NTS-capable servers
server time.cloudflare.com iburst nts
server ntppool1.time.nl iburst nts
server nts.netnod.se iburst nts
server ptbtime1.ptb.de iburst nts
# Fall back to the pool if NTS sources are unreachable
pool 2.ubuntu.pool.ntp.org iburst
# Step the clock on first start if offset is large
makestep 1.0 3
# Record clock drift
driftfile /var/lib/chrony/drift
# NTS server configuration
ntsserverkey /etc/chrony/nts-key.pem
ntsservercert /etc/chrony/nts-cert.pem
ntsdumpdir /var/lib/chrony
# Allow NTP queries from anywhere (required for a public server)
allow all
# Restrict management interface to localhost
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
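As an added check, not part of this page or of chrony, the following script audits a chrony.conf for a public NTS server: it confirms the NTS server directives and ntsdumpdir are present, that at least one upstream uses NTS, that a server opened with allow all also carries ratelimit and ntsratelimit (both are chrony directives; the interval and burst values suggested are an assumption, not from this page), and that bindcmdaddress stays on localhost. It also checks the private key's file mode, which the deploy hook above sets to 0600. The embedded configuration is the one from this step; the key files used by the permission demo are throwaway placeholders.

```python
import os
import stat
import tempfile

# The step 3 configuration from this page, embedded here as the sample input.
PAGE_CONFIG = """\
# Upstream time sources
server time.cloudflare.com iburst nts
server ntppool1.time.nl iburst nts
server nts.netnod.se iburst nts
server ptbtime1.ptb.de iburst nts
pool 2.ubuntu.pool.ntp.org iburst
makestep 1.0 3
driftfile /var/lib/chrony/drift
# NTS server configuration
ntsserverkey /etc/chrony/nts-key.pem
ntsservercert /etc/chrony/nts-cert.pem
ntsdumpdir /var/lib/chrony
allow all
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_chrony_conf(text):
    """Return (directive, args) pairs; '#' starts a comment and blank lines are skipped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit_chrony_conf(text):
    """Return a list of findings for a public NTS server; an empty list means nothing flagged."""
    directives = parse_chrony_conf(text)
    names = {d for d, _ in directives}
    findings = []

    sources = [args for d, args in directives if d in ("server", "pool", "peer")]
    if not sources:
        findings.append("no upstream time source configured")
    elif not any("nts" in args for args in sources):
        findings.append("no upstream source uses NTS; upstream time is taken unauthenticated")

    for required in ("ntsserverkey", "ntsservercert"):
        if required not in names:
            findings.append("%s missing; NTS-KE on port 4460 will not be offered" % required)
    if "ntsdumpdir" not in names:
        findings.append("ntsdumpdir missing; server cookie keys are lost on restart, invalidating every client's cookies")

    # 'allow' with no subnet, or 'allow all', opens the server to every address
    public = any(d == "allow" and args in ([], ["all"]) for d, args in directives)
    if public:
        if "ratelimit" not in names:
            findings.append("public server without ratelimit; consider 'ratelimit interval 3 burst 8' (assumed values)")
        if "ntsratelimit" not in names:
            findings.append("public server without ntsratelimit; each NTS-KE is a full TLS handshake")

    for d, args in directives:
        if d == "bindcmdaddress" and args and args[0] not in LOOPBACK and not args[0].startswith("/"):
            findings.append("bindcmdaddress %s exposes the chronyc command port beyond localhost" % args[0])
    return findings


def check_key_permissions(path):
    """Flag an NTS private key that group or others can read or write."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        return ["%s has mode %o; it should be 0600 and owned by _chrony" % (path, mode)]
    return []


def permission_demo():
    """Create two throwaway placeholder key files and return the findings for 0600 and 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "nts-key-good.pem")
        bad = os.path.join(tmp, "nts-key-bad.pem")
        for path, mode in ((good, 0o600), (bad, 0o644)):
            with open(path, "w") as f:
                f.write("placeholder, not a real key\n")
            os.chmod(path, mode)
        return check_key_permissions(good), check_key_permissions(bad)


if __name__ == "__main__":
    for finding in audit_chrony_conf(PAGE_CONFIG) or ["no findings"]:
        print("-", finding)
    print(permission_demo())
```

Run against the configuration above, the only findings are the two missing rate limits; the check deliberately does not flag the unauthenticated pool fallback, since that is the fallback the configuration intends.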
4. Open firewall ports
sudo ufw allow 123/udp # NTP
sudo ufw allow 4460/tcp # NTS key exchange
5. Enable and restart chrony
sudo systemctl enable chrony
sudo systemctl restart chrony
6. Verify
Check that chrony is synchronised and NTS is working with your upstream sources:
# Overall sync status
chronyc tracking
# Source list with reachability
chronyc sources -v
# NTS authentication status for each source
chronyc -n authdata
In the authdata output, look for NTS in the Mode column and a non-zero OK count, confirming that authenticated packets are being exchanged successfully.
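The authdata check described here and in the client section above ("NTS in the Mode column"), as an added example that is not code from this page or from chrony: it parses output in the layout chronyc's authdata command prints (columns Name/IP address, Mode, KeyID, Type, KLen, Last, Atmp, NAK, Cook, CLen) and classifies each source from the Mode column, the NAK flag and the Cook column, which is the count of cookies the client currently holds. The three sample lines are constructed for this example; the addresses and counters are not real measurements.

```python
# Constructed sample in the layout of `chronyc -n authdata` (chrony 4.x); not real output.
SAMPLE_AUTHDATA = """\
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
203.0.113.10                 NTS     1   15  256  20m    0    0    8   100
203.0.113.11                 NTS     0    0    0    -    3    0    0     0
198.51.100.7                   -     0    0    0    -    0    0    0     0
"""

COLUMNS = ("name", "mode", "keyid", "type", "klen", "last", "atmp", "nak", "cook", "clen")
NUMERIC = ("keyid", "type", "klen", "atmp", "nak", "cook", "clen")
AEAD_NAMES = {15: "AES-SIV-CMAC-256"}  # the AEAD ID chrony shows in the Type column for NTS


def parse_authdata(output):
    """Turn the table into one dict per source, skipping the header and separator lines."""
    rows = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Name/IP") or line.startswith("="):
            continue
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError("unexpected authdata line: %r" % line)
        row = dict(zip(COLUMNS, fields))
        for key in NUMERIC:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def nts_status(output):
    """Classify each source as 'ok', 'nts-ke failing', 'not nts' or 'unauthenticated'."""
    status = {}
    for row in parse_authdata(output):
        if row["mode"] == "-":
            status[row["name"]] = "unauthenticated"      # plain NTP, no authentication at all
        elif row["mode"] != "NTS":
            status[row["name"]] = "not nts"              # e.g. SK: symmetric-key MAC, not NTS
        elif row["cook"] > 0 and row["nak"] == 0:
            status[row["name"]] = "ok"                   # cookies in hand, no NTS NAK since last KE
        else:
            status[row["name"]] = "nts-ke failing"       # no cookies or a NAK: key exchange not succeeding
    return status


def all_sources_authenticated(output):
    """True only when every configured source is exchanging NTS-protected packets."""
    return all(s == "ok" for s in nts_status(output).values())


if __name__ == "__main__":
    for row in parse_authdata(SAMPLE_AUTHDATA):
        aead = AEAD_NAMES.get(row["type"], "none")
        print("%-16s %-5s %-18s %s" % (row["name"], row["mode"], aead, nts_status(SAMPLE_AUTHDATA)[row["name"]]))
```

A source that shows Mode NTS but Cook 0 with a rising Atmp count has negotiated nothing yet; that is what a refused or failing NTS-KE connection (wrong certificate, port 4460 blocked, clock too far off for the TLS certificate to validate) looks like from the client side.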
7. Join the NTP Pool (optional)
If your server has a stable internet connection and reliable uptime, consider contributing to the NTP Pool Project. Register at ntppool.org/en/join, add your server’s IP address, and the pool will begin routing traffic to it within a few hours. The pool dashboard shows your server’s offset and score in real time.