TimeNL

On the screen above, you can specify multiple NTP servers, separated by commas. Alternatively, you can use the command line: enter systemsetup -setnetworktimeserver "ntp.time.nl" (then activate using systemsetup -setusingnetworktime on). Another option is to add multiple NTP servers directly to the /private/etc/ntp.conf file.

To set up an individual workstation, follow the steps illustrated above. If you are a system administrator, take a look at Microsoft's explanation of the Windows Time Service.

Various NTP packages are available for Unix/Linux/BSD etc, including NTP, NTPsec, Chrony and OpenNTPD (where the 'pool' directive is called servers with an 's'). They usually have an ntp.conf file (also sometimes called ntpd.conf) for configuring the NTP server. See the example above, but consult the documentation for the relevant package as well, because there may be minor differences. For instance, Ubuntu works with timesyncd by default, which sometimes gets in the way when you want to use another NTP package as well. However, if you don't want another NTP package, adjusting timesyncd is straightforward. It essentially involves editing /etc/systemd/timesyncd.conf. See man timesyncd.conf. Further information is easy to find on the internet. With OpenNTPD weight is used insted of prefer.

Another option is not to work with a daemon, but to periodically synchronise your server with CRON. In the example below, we have opted for weekly synchronisation (at a fairly random time, not at minute '0', in order to avoid overload peaks). However, you can of course synchronise more often if you wish. Do not synchronise more than once an hour, though, and not on the hour, but at a randomly chosen time.

Cisco IOS and NX-OS:

When following the example above, we recommend including a few other reliable stratum 1 servers in addition to ntp.time.nl (without the 'prefer' suffix).

Juniper Junos:

When following the example above, we recommend including a few other reliable stratum 1 servers in addition to ntp.time.nl (without the 'prefer' suffix).

Answer: Because it fits in with our role.
SIDN Labs is SIDN's research team. As a team, we are strong advocates of internet improvement, security and innovation. And we actively contribute to realisation of those goals. As the administrator of the .nl country-code domain, we have a reputation to uphold. We ensure that the .nl domain names under our control are always universally reachable via the DNS (Domain Name System). The worldwide availability of the 6.3 million-plus .nl domain names is our top priority. We have therefore invested heavily in knowledge, expertise and robust infrastructure. We have extensive experience with the so-called 'public core of the internet', which the DNS is part of. We believe that (public) NTP may also be regarded as an infrastructure service. Setting up and maintaining an NTP service, and making it available free of charge to the internet community, is in line with our vision and a good fit with our other activities. We think that our experience and knowledge can really help to highlight the importance of NTP. We are therefore making this service freely available to everyone, for the good of the community. It will be delivered with the drive and commitment to quality that you are used to with .nl and our other services.

Answer: We have done our best to set up a reliable and reliable NTP service.

You can expect us to make every reasonable effort to offer and maintain a good quality NTP service. We invest in knowledge and expertise, infrastructure, security, up-to-date software, support for modern standards, capacity and quality monitoring. The basic service is freely available to everyone, both using IPv4 and using IPv6. Specialist services such as authenticated NTP are available by arrangement. However, we may choose to charge for such services.

Naturally, we keep an eye out for abuse,[*] which we are not prepared to tolerate. If you abuse the service, we may use filtering or rate limiting technology to restrict or block your access. We also do everything we can to prevent abuse by technical and legal means.

Furthermore, if you are unable to make (full) use of our service, we accept no liability for the consequences. You use TimeNL at your own risk, and you accept personal responsibility for your use of the service. We accordingly advise you not to rely solely on our NTP service. Where appropriate, for example, you should set up two third-party NTP services within your own stratum. If you have any questions, we are happy to give advice. In due course, we may expand our capacity and offer several separate NTP servers, so that the service becomes fully dependable. We reserve the right to make changes to our service without notice. Normally, however, we will announce changes well in advance, using this website and/or our social media channels.

[*] We operate a fair usage policy. The default settings in most NTP software will ensure that you remain well within the limits defined in that context, for example with a poll interval of 1024s. If you work via a cron job, an interval of 1 x per 30 minutes is probably more than sufficient. Under non-standard circumstances, it's okay to query our server more often for a while. But don't overdo it.

Answer: Nothing very special. Details of what you can expect from us are given in answer about service levels. If you supply products that incorporate an NTP server, you should take a look at the answer to the question about that as well. The only other bit of small print is this:

Disclaimer
Although we take great care when developing our experimental services, we cannot guarantee that this service will always function properly. Use of the service is entirely at the user's risk. Neither SIDN nor SIDN Labs is liable for any damages suffered as a consequence of using (or being unable to use) any of its experimental or other services. We reserve the right to withdraw this service at any time, without notice.

Answer: Of course, TimeNL isn't the only NTP service available on the internet. Fortunately. There are quite a few alternatives. Nevertheless, there are a few things that distinguish our service from others:

• Provided by SIDN, the trusted company behind .nl: a stable organisation with a lot of operational know-how and ISO 27001 certified.
• From the Netherlands, for the Netherlands - developed with care and managed by driven, curious nerds (😉) who care about 'the public core of the internet'. For details, take a look at the 'Features and background information' section and the answer to the question 'What service levels can I expect?'
• Not operated by a big tech company, but by an accessible service provider: an organisation you can call or e-mail with questions, and trust to respect your privacy.
• More secure, because it offers Network Time Security (NTS) and, by arrangement, authenticated NTP and because time.nl is DNSSEC-enabled.
• Not dependent exclusively on the American GPS system: TimeNL also uses the European Galileo and the German DCF077 signal, for example
• Up-to-date software; we will patch to the latest version of the firmware as soon as we can. That sounds logical, but that does not happen everywhere and always.
• Rubidium based atomic holdover clock.
• BGP anycast.
• Accessible using IPv4 and, of course, IPv6.

Answer: That depends partly on how big your company is. One option is for all your users to communicate with our NTP server independently. However, if you have a lot of users, it may be better to configure your own internal NTP server and let individual users synchronise their time with it. In a set-up like that, your server is called a stratum 2 server. A stratum 2 server gets its time from one or more stratum 1 servers, such as ours. The advantages are that there is less load on our server, and, if you use a firewall, you don't have to open it for every user. In a very large environment, a third stratum can be added, as illustrated.

The yellow arrows indicate direct links to reference clocks. Our stratum 1 server has links to reference clocks. The red arrows indicate network (i.e. internet) connections to 'parent' servers. Those connections enable your stratum 2 or 3 server(s) to retrieve their time from stratum 1 servers, including ours.

It's usually a good idea not to rely on a single NTP server for time synchronization. Until we have expanded our server park, we recommend that you configure your system to use multiple NTP servers, including other Dutch servers. Here are some of the options:

• chime1.surfnet.nl
• time1.esa.int
• ntp.vsl.nl
• ntp.ripe.net

The symbol next to each server indicates the type of (primary) reference clock the system is likely to use: represents GNSS (exclusively GPS, as far as we know) and represents an atomic clock. There are many more good NTP servers, both in the Netherlands and in neighboring countries. The ones listed above are only suggestions.

Answer: It's against our terms of use to hard code 'ntp.time.nl' into the firmware of products marketed on a large scale, for example. If you want to do anything like that, please contact us first. We follow the same policy as the NTP pool project. Which means we reserve a special name for your application ('ntp.brandname.time.nl') and liaise with you about your needs, so that we can better anticipate the risk of capacity overruns.

Answer: We should start by stressing that we aren't lawyers. But we can tell you that NTP is on the comply-or-explain list published by the Dutch government's Forum for Standardisation. That may mean that you have to ensure effective NTP time synchronisation on your network, and our service can be very useful for that. Proper time synchronisation is also an ISO-27001 certification requirement.

In the Netherlands and other countries, quality requirements have been or are being considered for time synchronisation. Requirements have also been made at the European level and by the Dutch Radiocommunications Agency. See, for example, paragraph 4.15 of this document. . Those requirements can, of course, be met by using our NTP service. You may also find this document interesting. And, if you're actually an expert in this field, feel free to bring us up to speed with anything we might be missing. We're always eager to learn!

Answer: We take privacy and the GDPR very seriously. We don't retain your personal data (IP address) and we don't use your data for anything other than maintaining and optimising this service and to improve NTP in general. Read more about our privacy policies on the site of our privacy board. Please be advised that the Dutch version of this site has more detail.

Answer: We'll keep you informed about this service via this website, the SIDN Labs website, Twitter and sometimes also the SIDN corporate website.

Answer:

• Mail timekeeperssidn.nl
• Report security issues by following our responsible disclosure guidelines

Answer: The domain name used for this service, 'time.nl', is secured with DNSSEC. So, if your system supports DNSSEC, you can be confident that you won't be directed to a false IP address when you navigate to 'ntp.time.nl'. It's worth noting that accurate timing is needed for DNSSEC to work properly. So a chicken-and-egg problem can sometimes arise. For instance, when a system without an embedded Real Time Clock (RTC) starts up, it may have no idea of the time; it may think it's 1-1-1970, for example. If it then attempts to validate the IP address of 'ntp.time.nl' using DNSSEC, the validation will fail. Solutions for that scenario have been devised, but it remains an issue. With systems that are already (roughly) synchronised, that shouldn't be a problem.

Answer: Authenticated NTP isn't a feature of the basic (free and anonymous) public service. However, authentication based on symmetric keys is available to registered users by arrangement. If you'd like authentication, please get in touch and explain the background. We'll then decide whether we can provide the service, and whether we can do that for free (we may need to ask a modest fee). If we go ahead, certain conditions will apply. For example, we don't use an MD5 algorithm for our keys. We don't think that the 'autokey' protocol is secure enough, either. If you use OpenNTPd, 'TLS constraints' may still be an option for you. We also support the Network Time Security (NTS) protocol. See below.

Answer: Network Time Security (NTS) is a relatively new standard for which we have been offering support for some time in the form of a pilot. However, since the beginning of 2022, NTS has also been available in our production environment. See https://nts.time.nl.

Answer: No, there is no support for 'roughtime' just yet.

Answer: The Precision Time Protocol (PTP) is an even more accurate form of time synchronisation, with very specific applications. We don't offer PTP as standard, but it can be enabled by arrangement. If you're interested, please get in touch.

Answer: That is our public NTP server based on anycast. It consists of dozens of servers, spread all over the world. Depending on where you are in the world, you'll end up with the closest server to sync your time with. It is configured on our anycast testbed. We receive thousands of NTP queries from all over the world on this anycast testbed, because the system is part of the NTP pool.

Answer: Those are also public NTP servers (based on unicast). They are powerful systems that can handle a lot of NTP queries which are part of the NTP pool. Besides NTP, they also support NTS (RFC8915).

Answer: We did consider a running clock, but we wanted to make our website attractive. We didn't want a simple JavaScript thing that would only show the local time on your computer, even if it's wrong. So we looked at having a clock from which you could see whether your PC clock was right. But then we found out that our friends at the German PTB had already created something like that which we weren't going to beat (but we did modify it into our own version). If your device is in sync, you might want to take a look at this station clock.