NTS Support in the pools

Hi !

Does the pool iiiiin common have NTS support ? Or do you plan separate pools for this ?

Ciao Gerd

There were some discussion in the past, but no progress until now.

Hi !

Ok… im trying to be prepared…
BTW: must the cert point to host/domain name (cname) or to server name or to Ip address ?

Ciao Gerd

Server names work fine. I haven’t tested with an IP address in the certificate. Not all CA’s support that, so it can be challenging to obtain certificates with an IP address.

I don’t recall if NTS as it’s specified today supports this, but I think if we supported NTS the pool system would setup individual server names for each server (“server-5a52x.pool-servers.ntppool.dev”) and then having the certs be for those names (either with a public CA like letsencrypt or a small CA operated just for this by the pool).

If/when a server leaves the pool or is marked unhealthy for long enough the hostname and/or certificate could removed/invalidated.

Suggestions or discussion of how this would work by people knowledgable about NTS is most welcome!

1 Like

Here is an old discussion re: srv records and NTS. BTW I think most of you are nuts, and SRV records would be the only reasonable way to get NTS into the pool. Here is a ntpsec-only client-side bolt-on for an NTS pool using SRV records.

RFC8915 doesn’t have this, but there once was an attempt to do it:

This is a now expired draft from 2020. Haven’t heard anything about it since then.

The NTS for the NTP pool draft has:

Clients MAY periodically resolve the pool associated domain names to confirm the server is still trusted by the pool.

That would turn over the pool server with most periodic resolutions if the NTS pool names were resolved similarly to today. Not a problem if those periodic resolutions were infrequent, and probably a good thing if the period were at least a day, preferably weeks. Unfortunately that was not specified in this first draft, and there are no more.

There is no need to have ‘secure-time’ it serves no purpose.


1: If you are so insecure about time, use your own GPS.
2: If you don’t want this, use multiple sources to check time.

There is no reason at all to use NTS instead of NTP as it’s quite simple to check time.

NTS has no place in timekeeping. We should NOT serve those records, as it’s nonsense.

Same as public websites are encrypted, it’s dumb. Not everything has to be encrypted.

If you don’t trust time, buy a GPS. Simple as that. Also a GPS works without Internet :laughing:

Besides the specific host name in the pool, the certificate might also have to include the wildcard domain as an alternative, or *.pool.ntp.org.

As broad as it is, I can’t think of how else to have the certificate to match the host name that a client may be using, such as pool.ntp.org or 0.pool.ntp.org or europe.pool.ntp.org or 1.asia.pool.ntp.org or ao.pool.ntp.org or 2.bv.pool.ntp.org

Yes, but this may not work with older versions of NTPsec:

1 Like

Then make it at least NTPsec v1.2.2.

Perhaps in the future it becomes easier and more doable: