NTP Guide

What you can do, in order of importance:

  1. Infrastructure

    1. Set your edge router to use your chosen upstream server(s), and then serve that time from your router. Do not be rude and connect everything directly to a low-capacity upstream.
    2. Configure your edge router to capture all NTP traffic and serve it locally. This forces all clients to use your router as their NTP server without you having to configure even a single client, and in doing so gives all clients the same time source.
    3. When not physically connected to your router, always VPN into it so that you use your timeserver.
    4. Use NTS (NTPSec) from your router to upstream. This encrypts your NTP traffic and prevents MITM attacks. Not every timeserver supports NTS; even fewer clients do. NetNod and Chrony both support it.
  2. Upstream timeserver selection

    1. If your clients do not support leap seconds, either use an upstream server that smears leap seconds full-time, switch to one 12 hours before and after a leap second, configure your router to receive unsmeared time and serve smeared time, or turn off your unsupported devices shortly before 11:59:60-0000 on 2027-12-31, 2031-12-31, and 2035-12-31.
      • It is common for clients not to support leap seconds. This results in miniature Y2K-ish issues every 4 years. That is why smeared time was devised. Apparently leap seconds are going away by 2035, but that still means another two or three instances of these.
      • Smearing time yourself is advanced. It's not supported natively by Chrony, but it could probably be done by having one Chrony instance which receives true time and writes it to a tempfile, a leap-smearing daemon which reads that file and writes smeared time to another file, and a second Chrony instance which serves that smeared time to clients while pretending that leap seconds don't exist. You would then configure clients to ignore leap seconds.
    2. Do not mix smeared servers with unsmeared servers, as doing so will make your time inaccurate by up to 1 second every four years. That's a large amount to be off by.
      • Do not use pool.ntp.com: You have no idea what they're using as their time sources. You will end up mixing smeared time and normal time if you use it.
    3. Don't use 2 servers; always use 1 or 3+. Otherwise you can't know which one is wrong: think of wearing two watches that disagree and having to give the current time; it's the same problem.
      • Your router should use 3+ servers; your clients should use 1: your router.
    4. Use low-stratum upstream servers (they are close to their sources).
      • NetNod runs a series of atomic clocks in underground bunkers across Sweden; these are free for public use so long as you limit how many clients you connect to them. NetNod is the highest-quality, most-accessible Stratum 1 server that I know of.
      • If you do not need super-accurate time, please use Stratum 2 servers so that you do not unnecessarily consume NetNod's limited but generously-offered resources.
    5. Avoid mixing servers from different strata; Stratum 2 should always be more accurate than Stratum 3, and mixing them partly wastes the benefit of using the lower stratum.
      • Do not use pool.ntp.com: You have no idea what stratum those servers are. You will end up mixing strata if you use it.
  3. Daemon selection

    1. Use chronyd instead of ntpd or systemd-timesyncd; research has found chrony to be far less variable than ntpd, and systemd-timesyncd is really basic.
    2. Make your clients use chronyd.
    3. Min/max Chrony's config file on your router. Make sure your settings are not rude to your upstream servers.
    4. Min/max Chrony's config file on your clients.
    5. Use NTS from your clients to your router.
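The router-side and client-side configuration the guide describes (items 1.1, 1.2, 1.4, 3.3, 3.4 and 3.5), as an added shell example that is not from the guide or from the Chrony project. It prints a router chrony.conf with three NTS-authenticated upstreams that serves the LAN over NTS, a client chrony.conf with the router as its single source, and the nftables rules that redirect every LAN NTP query to the router's own chronyd. The interface name, subnet, router hostname, certificate paths and upstream hostnames are placeholders you must replace; check_conf applies the guide's 1-or-3+ server rule and the all-sources-over-NTS rule to a generated config.

```sh
#!/bin/sh
# Added example, not code from the guide or from Chrony. Generates the router
# and client chrony.conf described above plus the nftables redirect that
# captures LAN NTP traffic. Every name and path below is a placeholder.
set -eu

LAN_IF="${LAN_IF:-lan0}"                  # assumed LAN interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed LAN subnet
ROUTER_NAME="${ROUTER_NAME:-router.lan}"  # assumed router hostname (must match its NTS cert)
# Three NTS-capable upstreams (placeholders: substitute your chosen servers,
# all of the same stratum, and all unsmeared or all smeared).
UPSTREAMS="${UPSTREAMS:-nts1.example.net nts2.example.net nts3.example.net}"

# Router: 3+ authenticated upstreams; serve (and NTS-protect) the LAN.
router_chrony_conf() {
  for h in $UPSTREAMS; do
    # nts: authenticate with Network Time Security. iburst: fast first sync.
    # Leaving minpoll/maxpoll at their defaults (64 s .. 1024 s) keeps the
    # query rate polite toward a low-capacity upstream; never add 'burst'.
    printf 'server %s iburst nts\n' "$h"
  done
  cat <<EOF
allow $LAN_NET
local stratum 10 orphan
ntsservercert /etc/chrony/$ROUTER_NAME.crt
ntsserverkey /etc/chrony/$ROUTER_NAME.key
ntsdumpdir /var/lib/chrony
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
}

# Client: exactly one source, the router, over NTS.
client_chrony_conf() {
  cat <<EOF
server $ROUTER_NAME iburst nts
ntsdumpdir /var/lib/chrony
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
}

# nftables: redirect every NTP query arriving from the LAN to the local chronyd,
# so no client needs configuring and all of them share one time source.
ntp_redirect_rules() {
  cat <<EOF
nft add table ip nat
nft add chain ip nat prerouting '{ type nat hook prerouting priority -100; }'
nft add rule ip nat prerouting iifname "$LAN_IF" udp dport 123 redirect to :123
EOF
}

# check_conf: read a chrony.conf on stdin; succeed only if it has 1 or 3+
# 'server' lines (never 2) and every server line carries the nts option.
check_conf() {
  conf=$(cat)
  n=$(printf '%s\n' "$conf" | grep -c '^server ' || true)
  [ "$n" -eq 1 ] || [ "$n" -ge 3 ] || return 1
  ! printf '%s\n' "$conf" | grep '^server ' | grep -vq ' nts'
}

# Usage: sh ntp-setup.sh router | client | rules   (prints to stdout; nothing
# is written to /etc, so redirect the output yourself after reviewing it).
case "${1:-}" in
  router) router_chrony_conf ;;
  client) client_chrony_conf ;;
  rules)  ntp_redirect_rules ;;
esac
```

The client config names the router by hostname rather than IP because chrony verifies the NTS certificate against the name in the server line; the router's certificate must be issued for that name (a private CA whose root the clients trust is enough on a home network).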

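The arithmetic a leap-smearing daemon (item 2.1) would apply, and the disagreement with unsmeared servers that item 2.2 warns about, as an added shell example that is not from the guide. It assumes a 24-hour linear smear centred on the leap second (noon UTC to noon UTC); that window, and modelling UTC's one-second step as happening at the window's mid-point, are assumptions rather than anything the guide specifies.

```sh
#!/bin/sh
# Added example, not code from the guide: the arithmetic behind a linear leap
# smear. Assumption: a 24-hour window centred on the leap second, so the
# window opens at 12:00:00 UTC on the leap day and the inserted second
# falls 43200 s into it.

# smear_offset ELAPSED: seconds by which the smeared clock deliberately trails
# a clock that counts every SI second, ELAPSED seconds after the window opens.
# 0 before the window; the whole leap second (1 s) once the window has closed.
smear_offset() {
  awk -v e="$1" 'BEGIN {
    w = 86400
    if (e <= 0) o = 0; else if (e >= w) o = 1; else o = e / w
    printf "%.6f\n", o
  }'
}

# utc_minus_smeared ELAPSED: what an unsmeared (true UTC) server and the
# smeared clock disagree by at that moment. UTC itself steps back one second
# at the mid-point (modelled here as the instant ELAPSED reaches 43200), so
# the disagreement climbs to +0.5 s, flips to -0.5 s, and returns to 0 by the
# end of the window. Mixing both kinds of source feeds chronyd both values.
utc_minus_smeared() {
  awk -v e="$1" 'BEGIN {
    w = 86400; half = w / 2
    o = (e <= 0) ? 0 : (e >= w) ? 1 : e / w   # smear applied so far
    leap = (e >= half) ? 1 : 0                 # has UTC stepped back yet?
    printf "%.6f\n", o - leap
  }'
}

# Usage: sh leapsmear.sh ELAPSED_SECONDS
if [ -n "${1:-}" ]; then
  printf 'smear offset: %s s\nutc - smeared: %s s\n' \
    "$(smear_offset "$1")" "$(utc_minus_smeared "$1")"
fi
```

With a centred window the two clocks never disagree by more than 0.5 s; a window that lies entirely before or after the leap second reaches the full 1 s the guide mentions at the moment of the leap. Since different providers choose different windows, the error you get from mixing smeared and unsmeared sources is not even predictable, which is the reason for the guide's rule.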
More from Miles Huff's Blog