TimeNL

Public NTP service

TimeNL is a Dutch internet time service, based on NTP (and PTP by arrangement). It's an initiative by SIDN Labs. This website gives full details of the stratum 1 NTP service, which you are warmly invited to use.

The Network Time Protocol (NTP) enables internet-connected computers to synchronise their system clocks, so that they are always accurate to within a millisecond. Stable and accurate timing is vital for all kinds of applications to function properly. Precise timing is needed to decide what order a series of events happened in, for example. It's also a fundamental aspect of transaction integrity, logging, auditing, troubleshooting and forensic research.

TimeNL has been set up by experts at SIDN Labs. It's available for anyone to use, free of charge. On this website, you'll find full details of the service, and advice on making the best possible use of it.

How do I set up my system to use TimeNL?

Select the system you want to work with TimeNL:

Settings OSX

On the screen above, you can specify multiple NTP servers, separated by commas. Alternatively, you can use the command line: enter systemsetup -setnetworktimeserver "ntp.time.nl" (then activate using systemsetup -setusingnetworktime on). Another option is to add multiple NTP servers directly to the /private/etc/ntp.conf file.



Settings Windows step 1

Settings Windows step 2

Settings Windows step 3

To set up an individual workstation, follow the steps illustrated above. If you are a system administrator, take a look at Microsoft's explanation of the Windows Time Service.



# Example 1: SIDN's ntp.time.nl as preferred NTP server (in pool mode)
pool ntp.time.nl iburst prefer
# Example 2: SIDN's ntp1.time.nl and ntp2.time.nl as NTP-server (in server mode)
server ntp1.time.nl iburst
server ntp2.time.nl iburst

# Example 3: SIDN's ntp.time.nl with authentication (not supported by default, but available by arrangement)
server ntp1.time.nl iburst key 1

Various NTP packages are available for Unix/Linux/BSD etc., including NTP, NTPsec, Chrony and OpenNTPD (where the 'pool' directive is called 'servers', with an 's'). They usually have an ntp.conf file (also sometimes called ntpd.conf) for configuring the NTP server. See the example above, but consult the documentation for the relevant package as well, because there may be minor differences. For instance, Ubuntu works with timesyncd by default, which sometimes gets in the way when you want to use another NTP package as well. However, if you don't want another NTP package, adjusting timesyncd is straightforward. It essentially involves editing /etc/systemd/timesyncd.conf. See man timesyncd.conf. Further information is easy to find on the internet. With OpenNTPD, 'weight' is used instead of 'prefer'.

Another option is not to work with a daemon, but to periodically synchronise your server with CRON. In the example below, we have opted for weekly synchronisation (at a fairly random time, not at minute '0', in order to avoid overload peaks). However, you can of course synchronise more often if you wish. Do not synchronise more than once an hour, though, and not on the hour, but at a randomly chosen time.

# Run ntpdate every Wednesday at 4 minutes past 11:00 am
# (as written, stdout is discarded while stderr still goes to cron's own output)
04 11 * * 3 /usr/sbin/ntpdate ntp.time.nl 2>&1 >/dev/null


Cisco IOS and NX-OS:

router# config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# no ntp server
router(config)# ntp server ntp.time.nl prefer
router(config)# end
router# copy running-config startup-config

When following the example above, we recommend including a few other reliable stratum 1 servers in addition to ntp.time.nl (without the 'prefer' suffix).

Juniper Junos:

system {
    ntp {
         server ntp.time.nl prefer;
    }
}

When following the example above, we recommend including a few other reliable stratum 1 servers in addition to ntp.time.nl (without the 'prefer' suffix).



FAQs


Answer: Because it fits in with our role.
SIDN Labs is SIDN's research team. As a team, we are strong advocates of internet improvement, security and innovation. And we actively contribute to realisation of those goals. As the administrator of the .nl country-code domain, we have a reputation to uphold. We ensure that the .nl domain names under our control are always universally reachable via the DNS (Domain Name System). The worldwide availability of the 6.2 million-plus .nl domain names is our top priority. We have therefore invested heavily in knowledge, expertise and robust infrastructure. We have extensive experience with the so-called 'public core of the internet', which the DNS is part of. We believe that (public) NTP may also be regarded as an infrastructure service. Setting up and maintaining an NTP service, and making it available free of charge to the internet community, is in line with our vision and a good fit with our other activities. We think that our experience and knowledge can really help to highlight the importance of NTP. We are therefore making this service freely available to everyone, for the good of the community. It will be delivered with the drive and commitment to quality that you are used to with .nl and our other services.

Report 'public core of the internet'
Dutch internet time service?
As the registry for the .nl country-code domain, we are of course very proud of TimeNL. We regard it as the (albeit unofficial) 'Dutch internet time service', comparable to the national time services for the United Kingdom, New Zealand, Sweden, Belgium, Germany and the United States.


Answer: We have done our best to set up a reliable NTP service.

You can expect us to make every reasonable effort to offer and maintain a good quality NTP service. We invest in knowledge and expertise, infrastructure, security, up-to-date software, support for modern standards, capacity and quality monitoring. The basic service is freely available to everyone, both using IPv4 and using IPv6. Specialist services such as authenticated NTP are available by arrangement. However, we may choose to charge for such services.

Naturally, we keep an eye out for abuse,[*] which we are not prepared to tolerate. If you abuse the service, we may use filtering or rate limiting technology to restrict or block your access. We also do everything we can to prevent abuse by technical and legal means.

Furthermore, if you are unable to make (full) use of our service, we accept no liability for the consequences. You use TimeNL at your own risk, and you accept personal responsibility for your use of the service. We accordingly advise you not to rely solely on our NTP service. Where appropriate, for example, you should set up two third-party NTP services within your own stratum. If you have any questions, we are happy to give advice. In due course, we may expand our capacity and offer several separate NTP servers, so that the service becomes fully dependable. We reserve the right to make changes to our service without notice. Normally, however, we will announce changes well in advance, using this website and/or our social media channels.

[*] We operate a fair usage policy. The default settings in most NTP software will ensure that you remain well within the limits defined in that context, for example with a poll interval of 1024s. If you work via a cron job, an interval of 1 x per 30 minutes is probably more than sufficient. Under non-standard circumstances, it's okay to query our server more often for a while. But don't overdo it.



Answer: Nothing very special. Details of what you can expect from us are given in the answer about service levels. If you supply products that incorporate an NTP server, you should take a look at the answer to the question about that as well. The only other bit of small print is this:

Disclaimer
Although we take great care when developing our experimental services, we cannot guarantee that this service will always function properly. Use of the service is entirely at the user's risk. Neither SIDN nor SIDN Labs is liable for any damages suffered as a consequence of using (or being unable to use) any of its experimental or other services. We reserve the right to withdraw this service at any time, without notice.



Answer: Of course, TimeNL isn't the only NTP service available on the internet. Fortunately. There are quite a few alternatives. Nevertheless, there are a few things that distinguish our service from others:

  • Provided by SIDN, the trusted company behind .nl: a stable organisation with a lot of operational know-how and ISO 27001 certified.
  • From the Netherlands, for the Netherlands - developed with care and managed by driven, curious nerds (😉) who care about 'the public core of the internet'. For details, take a look at the 'Features and background information' section and the answer to the question 'What service levels can I expect?'
  • Not operated by a big tech company, but by an accessible service provider: an organisation you can call or e-mail with questions, and trust to respect your privacy.
  • More secure, because it offers Network Time Security (NTS) and, by arrangement, authenticated NTP and because time.nl is DNSSEC-enabled.
  • Not dependent exclusively on the American GPS system: TimeNL also uses the European Galileo and the German DCF77 signal, for example.
  • Up-to-date software; we will patch to the latest version of the firmware as soon as we can. That sounds obvious, but it does not happen everywhere, or every time.
  • Rubidium based atomic holdover clock.
  • BGP anycast.
  • Accessible using IPv4 and, of course, IPv6.
GNSS and DCF77 antennas on the roof of SIDN


NTP stratum

Answer: That depends partly on how big your company is. One option is for all your users to communicate with our NTP server independently. However, if you have a lot of users, it may be better to configure your own internal NTP server and let individual users synchronise their time with it. In a set-up like that, your server is called a stratum 2 server. A stratum 2 server gets its time from one or more stratum 1 servers, such as ours. The advantages are that there is less load on our server, and, if you use a firewall, you don't have to open it for every user. In a very large environment, a third stratum can be added, as illustrated.

The yellow arrows indicate direct links to reference clocks. Our stratum 1 server has links to reference clocks. The red arrows indicate network (i.e. internet) connections to 'parent' servers. Those connections enable your stratum 2 or 3 server(s) to retrieve their time from stratum 1 servers, including ours.

It's usually a good idea not to rely on a single NTP server for time synchronization. Until we have expanded our server park, we recommend that you configure your system to use multiple NTP servers, including other Dutch servers. Here are some of the options:

  • chime1.surfnet.nl
  • time1.esa.int
  • ntp.vsl.nl
  • ntp.ripe.net

The symbol next to each server indicates the type of (primary) reference clock the system is likely to use: represents GNSS (exclusively GPS, as far as we know) and represents an atomic clock. There are many more good NTP servers, both in the Netherlands and in neighboring countries. The ones listed above are only suggestions.



Answer: It's against our terms of use to hard code 'ntp.time.nl' into the firmware of products marketed on a large scale, for example. If you want to do anything like that, please contact us first. We follow the same policy as the NTP pool project. Which means we reserve a special name for your application ('ntp.brandname.time.nl') and liaise with you about your needs, so that we can better anticipate the risk of capacity overruns.



Answer: We should start by stressing that we aren't lawyers. But we can tell you that NTP is on the comply-or-explain list published by the Dutch government's Forum for Standardisation. That may mean that you have to ensure effective NTP time synchronisation on your network, and our service can be very useful for that. Proper time synchronisation is also an ISO-27001 certification requirement.

In the Netherlands and other countries, quality requirements have been or are being considered for time synchronisation. Requirements have also been made at the European level and by the Dutch Radiocommunications Agency. See, for example, paragraph 4.15 of this document. Those requirements can, of course, be met by using our NTP service. You may also find this document interesting. And, if you're actually an expert in this field, feel free to bring us up to speed with anything we might be missing. We're always eager to learn!



Answer: We take privacy and the GDPR very seriously. We don't retain your personal data (IP address) and we don't use your data for anything other than maintaining and optimising this service and to improve NTP in general. Read more about our privacy policies on the site of our privacy board. Please be advised that the Dutch version of this site has more detail.



Answer: We'll keep you informed about this service via this website, the SIDN Labs website, Twitter and sometimes also the SIDN corporate website.



Answer:



Answer: The domain name used for this service, 'time.nl', is secured with DNSSEC. So, if your system supports DNSSEC, you can be confident that you won't be directed to a false IP address when you navigate to 'ntp.time.nl'. It's worth noting that accurate timing is needed for DNSSEC to work properly. So a chicken-and-egg problem can sometimes arise. For instance, when a system without an embedded Real Time Clock (RTC) starts up, it may have no idea of the time; it may think it's 1-1-1970, for example. If it then attempts to validate the IP address of 'ntp.time.nl' using DNSSEC, the validation will fail. Solutions for that scenario have been devised, but it remains an issue. With systems that are already (roughly) synchronised, that shouldn't be a problem.
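The bootstrap failure described above, as an added example that is not SIDN's code: a validator accepts an RRSIG only while its own clock lies inside the signature's inception/expiration window (RFC 4034), so a clock reading 1970 is rejected while a roughly synchronised one passes. The function names and the RRSIG windows are constructed for illustration and are not real signatures from the time.nl zone.

```python
"""Added illustration: why DNSSEC validation fails on a clock stuck at 1970."""
from datetime import datetime, timezone

MASK = 0xFFFFFFFF  # RRSIG times are 32-bit unsigned seconds since 1970 (RFC 4034)


def rrsig_time(text):
    """Parse presentation format YYYYMMDDHHmmSS (UTC) into the 32-bit wire value."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & MASK


def serial_lt(a, b):
    """RFC 1982 serial-number comparison 'a < b', which RFC 4034 prescribes."""
    return a != b and ((b - a) & MASK) < 0x80000000


def window_status(inception, expiration, clock_epoch):
    """Classify the local clock against one RRSIG validity window."""
    now = int(clock_epoch) & MASK
    if serial_lt(now, rrsig_time(inception)):
        return "not-yet-valid"
    if serial_lt(rrsig_time(expiration), now):
        return "expired"
    return "valid"


def chain_status(rrsigs, clock_epoch):
    """Every signature on the path must be in its window; report the first failure."""
    for owner, inception, expiration in rrsigs:
        status = window_status(inception, expiration, clock_epoch)
        if status != "valid":
            return owner, status
    return None, "valid"


# Constructed sample windows (hypothetical values, for illustration only).
SAMPLE_RRSIGS = [
    ("nl. DNSKEY", "20220510000000", "20220524000000"),
    ("time.nl. DNSKEY", "20220512000000", "20220611000000"),
    ("ntp.time.nl. A", "20220515000000", "20220614000000"),
]

if __name__ == "__main__":
    boot = 0  # no RTC: the clock starts at 1970-01-01
    synced = datetime(2022, 5, 20, 8, 53, 2, tzinfo=timezone.utc).timestamp()
    for label, clock in (("cold boot", boot), ("synced", synced),
                         ("3 days slow", synced - 3 * 86400),
                         ("30 days fast", synced + 30 * 86400)):
        print(label, chain_status(SAMPLE_RRSIGS, clock))
```

The shortest window on the path sets how far off a clock may be before name resolution for the time server itself starts failing.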



Answer: Authenticated NTP isn't a feature of the basic (free and anonymous) public service. However, authentication based on symmetric keys is available to registered users by arrangement. If you'd like authentication, please get in touch and explain the background. We'll then decide whether we can provide the service, and whether we can do that for free (we may need to ask a modest fee). If we go ahead, certain conditions will apply. For example, we don't use an MD5 algorithm for our keys. We don't think that the 'autokey' protocol is secure enough, either. If you use OpenNTPd, 'TLS constraints' may still be an option for you. We also support the Network Time Security (NTS) protocol. See below.
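What a symmetric key (the `key 1` option in the configuration example) adds to each packet, as an added example that is not SIDN's code: the sender appends a 32-bit key ID and a digest computed over the shared key followed by the packet, and the receiver recomputes it. SHA-1 is an assumption here (the page only says MD5 is not used), the key is a constructed value, and packets are assumed to carry no extension fields.

```python
"""Added illustration of the NTP symmetric-key MAC (key ID + keyed digest)."""
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header
DIGEST = "sha1"   # assumption: the page only says MD5 is not used
DIGEST_LEN = hashlib.new(DIGEST).digest_size  # 20 bytes for SHA-1


def client_request(transmit_ts=0):
    """Minimal NTPv4 client header: LI=0, VN=4, Mode=3, transmit timestamp set."""
    return struct.pack("!B39xQ", (0 << 6) | (4 << 3) | 3, transmit_ts)


def keyed_digest(key, packet):
    """Digest over the secret key followed by the packet, as RFC 5905 describes."""
    return hashlib.new(DIGEST, key + packet).digest()


def sign(packet, key_id, key):
    """Append the MAC: 32-bit key ID, then the digest."""
    return packet + struct.pack("!I", key_id) + keyed_digest(key, packet)


def verify(message, keys):
    """Return True only if the MAC matches a key we trust under that key ID."""
    if len(message) != HEADER_LEN + 4 + DIGEST_LEN:
        return False                      # unauthenticated or malformed
    packet = message[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])
    key = keys.get(key_id)
    if key is None:
        return False                      # key ID not in our key table
    expected = keyed_digest(key, packet)
    return hmac.compare_digest(expected, message[HEADER_LEN + 4:])


# Constructed key table; a real key is exchanged out of band with the operator.
KEYS = {1: bytes.fromhex("00112233445566778899aabbccddeeff00112233")}

if __name__ == "__main__":
    msg = sign(client_request(0x0123456789ABCDEF), 1, KEYS[1])
    tampered = msg[:40] + b"\xff" + msg[41:]   # alter a transmit-timestamp byte
    print(verify(msg, KEYS), verify(tampered, KEYS))
```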



Answer: Network Time Security (NTS) is a relatively new standard for which we have been offering support for some time in the form of a pilot. However, since the beginning of 2022, NTS has also been available in our production environment. See https://nts.time.nl.



Answer: No, there is no support for 'roughtime' just yet.



Answer: The Precision Time Protocol (PTP) is an even more accurate form of time synchronisation, with very specific applications. We don't offer PTP as standard, but it can be enabled by arrangement. If you're interested, please get in touch.



Answer: That is our public NTP server based on anycast. It consists of dozens of servers, spread all over the world. Depending on where you are in the world, you'll end up with the closest server to sync your time with. It is configured on our anycast testbed. We receive thousands of NTP queries from all over the world on this anycast testbed, because the system is part of the NTP pool.



Answer: Those are also public NTP servers (based on unicast). They are powerful systems that can handle a lot of NTP queries, and they are part of the NTP pool. Besides NTP, they also support NTS (RFC 8915).



Answer: We did consider a running clock, but we wanted to make our website attractive. We didn't want a simple JavaScript thing that would only show the local time on your computer, even if it's wrong. So we looked at having a clock from which you could see whether your PC clock was right. But then we found out that our friends at the German PTB had already created something like that which we weren't going to beat. If your device is in sync, you might want to take a look at this station clock.



Features and background information

TimeNL from SIDN Labs is a stratum 1 NTP service based on multiple very precise atomic reference clocks. Our server is synchronised not only with the American GPS system, but also with the European Galileo GNSS. Unlike many other NTP services, we are therefore not fully dependent on an American system. As a first backup, we also synchronise with the German DCF77 radio signal. And as a second backup, we synchronise with atomic clocks in the Netherlands (including the VSL atomic clock in Delft) and in Belgium as well. In addition, our service is equipped with a rubidium atomic holdover clock. Our hardware automatically ensures that the most accurate reference clock is always chosen (for enthusiasts: we use hardware from Meinberg). Our servers are accessible over a good (multi-homed) internet connection, using either IPv4 or IPv6. We are therefore able to offer very precise time synchronisation to a large number of users.

A couple more points of interest: first, we don't do 'leap smearing'. Second, (some of) our servers are part of the NTP pool project. There is lots more that we might add, and we're bound to be sharing ideas and information quite regularly from now on. So keep an eye on this site and let us know if you have any questions. See also the 'FAQs' above.

Operational status

A manual message from the operator:
Fri May 20 08:53:02 UTC 2022
ℹ️ Nothing to report.
Server status from an automated system:
Fri May 20 08:53:02 UTC 2022
✅ OK.
Server Status
ntp1.time.nl OK
ntp2.time.nl OK