[Red White Blue ribbon]

TimeNL

Public NTP service

TimeNL

Is a Dutch internet time service, based on NTP (and PTP by arrangement). It's an initiative by SIDN Labs. This website gives full details of the stratum 1 NTP service, which you are warmly invited to use.

The Network Time Protocol (NTP) enables internet-connected computers to synchronise their system clocks, so that they are always accurate to within a millisecond. Stable and accurate timing is vital for all kinds of applications to function properly. Precise timing is needed to decide what order a series of events happened in, for example. It's also a fundamental aspect of transaction integrity, logging, auditing, troubleshooting and forensic research.

TimeNL has been set up by experts at SIDN Labs. It's available for anyone to use, free of charge. On this website, you'll find full details of the service, and advice on making the best possible use of it.

How do I set up my system to use TimeNL?

Select the system you want to work with TimeNL:

Settings OSX

On the screen above, you can specify multiple NTP servers, separated by commas. Alternatively, you can use the command line: enter systemsetup -setnetworktimeserver "ntp.time.nl" (then activate using systemsetup -setusingnetworktime on). Another option is to add multiple NTP servers directly to the /private/etc/ntp.conf file.



Settings Windows step 1

Settings Windows step 2

Settings Windows step 3

To set up an individual workstation, follow the steps illustrated above. If you are a system administrator, take a look at Microsoft's explanation of the Windows Time Service.



# Example 1: SIDN's ntp.time.nl (as preferred NTP server)
server ntp.time.nl iburst prefer

# Example 2: SIDN's ntp.time.nl with authentication (not supported by default, but available by arrangement)
server ntp.time.nl iburst key 1

Various NTP packages are available for Unix/Linux/BSD etc, including NTP, NTPsec, Chrony and OpenNTPD. They usually have an ntp.conf file (also sometimes called ntpd.conf) for configuring the NTP server. See the example above, but consult the documentation for the relevant package as well, because there may be minor differences. For instance, Ubuntu works with timesyncd by default, which sometimes gets in the way when you want to use another NTP package as well. However, if you don't want another NTP package, adjusting timesyncd is straightforward. It essentially involves editing /etc/systemd/timesyncd.conf. See man timesyncd.conf. Further information is easy to find on the internet. With OpenNTPD weight is used insted of prefer.

Another option is not to work with a daemon, but to periodically synchronise your server with CRON. In the example below, we have opted for weekly synchronisation (at a fairly random time, not at minute '0', in order to avoid overload peaks). However, you can of course synchronise more often if you wish. Do not synchronise more than once an hour, though, and not on the hour, but at a randomly chosen time.

# Update ntpdate every Wednesday at 4 minutes past 11:00 am
04 11 * * 3 /usr/sbin/ntpdate ntp.time.nl 2>&1 >/dev/null
#


Cisco IOS and NX-OS:

router# config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# no ntp server
router(config)# ntp server ntp.time.nl prefer
router(config)# copy running-config startup-config

When following the example above, we recommend including a few other reliable stratum 1 servers in addition to ntp.time.nl (without the 'prefer' suffix).

Juniper Junos:

system {
    ntp {
         server ntp.time.nl prefer;
    }
}

When following the example above, we recommend including a few other reliable stratum 1 servers in addition to ntp.time.nl (without the 'prefer' suffix).



FAQs

Click on a question to open the answer.

Answer: Because it fits in with our role.
SIDN Labs is SIDN's research team. As a team, we are strong advocates of internet improvement, security and innovation. And we actively contribute to realisation of those goals. As the administrator of the .nl country-code domain, we have a reputation to uphold. We ensure that the .nl domain names under our control are always universally reachable via the DNS (Domain Name System). The worldwide availability of the 5.8 million-plus .nl domain names is our top priority. We have therefore invested heavily in knowledge, expertise and robust infrastructure. We have extensive experience with the so-called 'public core of the internet', which the DNS is part of. We believe that (public) NTP may also be regarded as an infrastructure service. Setting up and maintaining an NTP service, and making it available free of charge to the internet community, is in line with our vision and a good fit with our other activities. We think that our experience and knowledge can really help to highlight the importance of NTP. We are therefore making this service freely available to everyone, for the good of the community. It will be delivered with the drive and commitment to quality that you are used to with .nl and our other services.

Report 'public core of the internet
Dutch internet time service?
As the registry for the .nl country-code domain, we are of course very proud of TimeNL. We regard it as the (albeit unofficial) 'Dutch internet time service', comparable to the national time services for the the United Kingdom,New Zealand, Sweden, Belgium, Germany and the United States.


Answer: We have done our best to set up a reliable and reliable NTP service.

You can expect us to make every reasonable effort to offer and maintain a good quality NTP service. We invest in knowledge and expertise, infrastructure, security, up-to-date software, support for modern standards, capacity and quality monitoring. The basic service is freely available to everyone, both using IPv4 and using IPv6. Specialist services such as authenticated NTP are available by arrangement. However, we may choose to charge for such services.

Naturally, we keep an eye out for abuse,[*] which we are not prepared to tolerate. If you abuse the service, we may use filtering or rate limiting technology to restrict or block your access. We also do everything we can to prevent abuse by technical and legal means.

Furthermore, if you are unable to make (full) use of our service, we accept no liability for the consequences. You use TimeNL at your own risk, and you accept personal responsibility for your use of the service. We accordingly advise you not to rely solely on our NTP service. Where appropriate, for example, you should set up two third-party NTP services within your own stratum. If you have any questions, we are happy to give advice. In due course, we may expand our capacity and offer several separate NTP servers, so that the service becomes fully dependable. We reserve the right to make changes to our service without notice. Normally, however, we will announce changes well in advance, using the mailing list, this website and/or our social media channels.

[*] We operate a fair usage policy. The default settings in most NTP software will ensure that you remain well within the limits defined in that context. Under normal circumstances, your system should not need to approach us more than about once every half hour. Under non-standard circumstances, it's okay to query our server more often for a while. But don't overdo it.



Answer: Nothing very special. Details of what you can expect from us are given in answer about service levels. If you supply products that incorporate an NTP server, you should take a look at the answer to the question about that as well. The only other bit of small print is this:

Disclaimer
Although we take great care when developing our experimental services, we cannot guarantee that this service will always function properly. Use of the service is entirely at the user's risk. Neither SIDN nor SIDN Labs is liable for any damages suffered as a consequence of using (or being unable to use) any of its experimental or other services. We reserve the right to withdraw this service at any time, without notice.



Answer: Of course, TimeNL isn't the only NTP service available on the internet. Fortunately. There are quite a few alternatives. Nevertheless, there are a few things that distinguish our service from others:

  • Provided by SIDN, the trusted company behind .nl: a stable organisation with a lot of operational know-how.
  • From the Netherlands, for the Netherlands - developed with care and managed by driven, curious nerds (😉) who care about 'the public core of the internet'. For details, take a look at the 'Features and background information' section and the answer to the question 'What service levels can I expect?'
  • Not operated by a big tech company, but by an accessible service provider: an organisation you can call or e-mail with questions, and trust to respect your privacy.
  • More secure, because authenticated NTP is available by arrangement, and time.nl is DNSSEC-enabled.
  • Not dependent exclusively on the American GPS system: TimeNL also uses the European Galileo and the German DCF077 signal, for example
  • Accessible using IPv4 and, of course, IPv6.
GNSS and DCF77 antennas on the roof of SIDN


NTP stratum Answer: That depends partly on how big your company is. One option is for all your users to communicate with our NTP server independently. However, if you have a lot of users, it may be better to configure your own internal NTP server and let individual users synchronise their time with it. In a set-up like that, your server is called a stratum 2 server. A stratum 2 server gets its time from one or more stratum 1 servers, such as ours. The advantages are that there is less load on our server, and, if you use a firewall, you don't have to open it for every user. In a very large environment, a third stratum can be added, as illustrated.

The yellow arrows indicate direct links to reference clocks. Our stratum 1 server has links to reference clocks. The red arrows indicate network (i.e. internet) connections to 'parent' servers. Those connections enable your stratum 2 or 3 server(s) to retrieve their time from stratum 1 servers, including ours.

We also advise joining our mailing list, so that you always get to hear about any developments.

It's usually a good idea not to rely on a single NTP server for time synchronization. Until we have expanded our server park, we recommend that you configure your system to use multiple NTP servers, including other Dutch servers. Here are some of the options:

  • chime1.surfnet.nl
  • time1.esa.int
  • ntp.vsl.nl
  • ntp.ripe.net

The symbol next to each server indicates the type of (primary) reference clock the system is likely to use: represents GNSS (exclusively GPS, as far as we know) and represents an atomic clock. There are many more good NTP servers, both in the Netherlands and in neighboring countries. The ones listed above are only suggestions.



Answer: It's against our terms of use to hard code 'ntp.time.nl' into the firmware of products marketed on a large scale, for example. If you want to do anything like that, please contact us first. We follow the same policy as the NTP pool project. Which means we reserve a special name for your application ('ntp.brandname.time.nl') and liaise with you about your needs, so that we can better anticipate the risk of capacity overruns. We also advise joining our mailing list, so that you always get to hear about any developments.



Answer: We should start by stressing that we aren't lawyers. But we can tell you that NTP is on the comply-or-explain list published by the Dutch government's Forum for Standardisation. That may mean that you have to ensure effective NTP time synchronisation on your network, and our service can be very useful for that.

In the Netherlands and other countries, quality requirements have been or are being considered for time synchronisation. Requirements have also been made at the European level and by the Dutch Radiocommunications Agency. See, for example, paragraph 4.15 of this document. . Those requirements can, of course, be met by using our NTP service. You may also find this document interesting. And, if you're actually an expert in this field, feel free to bring us up to speed with anything we might be missing. We're always eager to learn!



Answer: We take privacy and the GDPR very seriously. We don't retain your personal data (IP address) and we don't use your data for anything other than maintaining and optimising this service Read more about our privacy policy.



Answer: We'll keep you informed about this service via our mailing list, this website, the SIDN Labs website, Twitter and sometimes also the SIDN corporate website.



Answer:



Answer: The domain name used for this service, 'time.nl', is secured with DNSSEC. So, if your system supports DNSSEC, you can be confident that you won't be directed to a false IP address when you navigate to 'ntp.time.nl'. It's worth noting that accurate timing is needed for DNSSEC to work properly. So a chicken-and-egg problem can sometimes arise. For instance, when a system without an embedded Real Time Clock (RTC) starts up, it may have no idea of the time; it may think it's 1-1-1970, for example. If it then attempts to validate the IP address of 'ntp.time.nl' using DNSSEC, the validation will fail. Solutions for that scenario have been devised, but it remains an issue. With systems that are already (roughly) synchronised, that shouldn't be a problem.



Answer: Authenticated NTP isn't a feature of the basic (free and anonymous) public service. However, authentication based on symmetric keys is available to registered users by arrangement. If you'd like authentication, please get in touch and explain the background. We'll then decide whether we can provide the service, and whether we can do that for free (we may need to ask a modest fee). If we go ahead, certain conditions will apply. For example, we don't use an MD5 algorithm for our keys. We don't think that the 'autokey' protocol is secure enough, either. If you use OpenNTPd, 'TLS constraints' may still be an option for you. We don't yet support the Network Time Security (NTS) protocol in production, but we're following the standard's development closely (and run a pilot). Keep an eye on our news channels for updates about NTS. (See above, under How can I stay informed?)



Answer: The Network Time Security (NTS) is still under development. So we don't yet support it in our production environment. But we're following these developments closely, and run a pilot for you to play with and to see how the standard works in practice. The same goes for 'roughtime', in case you're wondering (albeit there is no pilot there just yet).



Answer: The Precision Time Protocol (PTP) is an even more accurate form of time synchronisation, with very specific applications. We don't offer PTP as standard, but it can be enabled by arrangement. If you're interested, please get in touch.



Answer: We did consider a running clock, but we wanted to make our website attractive. We didn't want a simple JavaScript thing that would only show the local time on your computer, even if it's wrong. So we looked at having a clock from which you could see whether your PC clock was right. But then we found out that our friends at the German PTB had already created something like that which we weren't going to beat. If your device is in sync, you might want to take a look at this station clock.



Features and background information

TimeNL from SIDN Labs is a stratum 1 NTP service based on multiple very precise atomic reference clocks. Our server is synchronised not only with the American GPS system, but also with the European Galileo GNSS. Unlike many other NTP services, we are not therefore fully dependent on an American system. As a first backup, we also synchronise with the German DCF077 radio signal. And as a second backup, we synchronise with atomic clocks in the Netherlands (including the VSL atomic clock in Delft) and in Belgium as well. Our hardware automatically ensures that the most accurate reference clock is always chosen. (For enthusiasts: we use the M3000 from Meinberg, which we affectionately call "Arnold", after the maker and nickname of Ruth Belville's silver pocket watch.) Our server is accessible over a good (multi-homed) internet connection, using either IPv4 or IPv6. We are therefore able to offer very precise time synchronisation to a large number of users. Of course, we are already making plans for the future. We intend to increase the number of NTP servers, if we think that will increase the reliability of our service. We may also enable access via BGP anycast, as we did with the DNS servers for the .nl domain.

A couple more points of interest: first, we don't do 'leap smearing'. Second, ntp.time.nl is part of the NTP pool project. There is lots more that we might add, and we're bound to be sharing ideas and information quite regularly from now on. So keep an eye on this site (and maybe the material we send to the mailing list) and let us know if you have any questions. See also the 'FAQs' above.

Arnold pocket watch

Operational status

2019-11-12 13:15 until 13:30 (UTC)
IPv6 access became unavailable after maintance regarding interface link aggregation.
2019-10-15 15:25 until 15:30 (UTC)
Reboot due to firmware upgrade: Meinberg Security Advisory: [MBGSA-1902] LANTIME Firmware V7

2019-07-11 01:00 (UTC)
'Galileo service degraded' - no impact for TimeNL.
NOTICE ADVISORY TO GALILEO USERS (NAGU) 2019025

UPDATE 2019-07-18 08:20 (UTC): Service restored

2019-07-01 12:00 (UTC)
Start van TimeNL - status OK.

Also see the user statistics.

A service provided by: