Public UTC Leap

Public NTP and NTS endpoint with leap seconds passed through without smearing. Leap seconds appear as a one-second step at the UTC boundary.


Hostname: leap.public-utc.com
Protocols: NTP (RFC 5905), NTS (RFC 8915)
Network: IPv4 and IPv6
Logging: None
Stratum: 2
Leap-second policy: Passed through (no smear)

Quick Start

Add one line to your NTP client configuration and restart the client. Use NTS when your client supports it. Most hosts should use Smear instead; only use Leap when your stack explicitly requires pass-through leap seconds.

# chrony.conf
server leap.public-utc.com iburst nts

# Linux (systemd)
sudo systemctl restart chronyd

# FreeBSD
sudo service chronyd restart

# Verify
chronyc -N authdata
chronyc sources -v
chronyc tracking

Endpoints

Service          Address
==============================================
NTS-secured NTP  leap.public-utc.com
Plain NTP        leap.public-utc.com (UDP 123)
NTS-KE           TCP 4460 (TLS)
IPv4             37.27.126.87
IPv6             2a01:4f9:3070:306a::87

The apex public-utc.com serves this website only — it is not an NTP endpoint.

chrony (Linux, FreeBSD, macOS)

Add to /etc/chrony/chrony.conf (Linux) or /usr/local/etc/chrony.conf (FreeBSD):

server leap.public-utc.com iburst nts

Restart chronyd, then run chronyc -N authdata to confirm NTS mode.

ntpsec

Add to /etc/ntp.conf:

server leap.public-utc.com iburst nts

sudo systemctl restart ntpsec
ntpq -p
ntpq -c "rv 0 nts"

Other Clients

Plain NTP (no NTS)

Use only on trusted networks.

server leap.public-utc.com iburst

systemd-timesyncd

timesyncd does not support NTS — use chrony for authenticated time.

# /etc/systemd/timesyncd.conf
[Time]
NTP=leap.public-utc.com

sudo systemctl restart systemd-timesyncd
timedatectl timesync-status

Windows (w32time)

The built-in Windows Time service does not support NTS.

w32tm /config /manualpeerlist:"leap.public-utc.com" /syncfromflags:manual /update
w32tm /resync

For authenticated time on Windows, install chrony under WSL.

One-off check

chronyc -N -h leap.public-utc.com tracking
ntpdate -q leap.public-utc.com
sntp leap.public-utc.com

Verifying NTS

After configuring chrony with nts, run chronyc -N authdata. You should see leap.public-utc.com with mode NTS, a non-zero KeyID, and cookies remaining greater than zero.

Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
leap.public-utc.com          NTS     1   15  256   33    0    0    8  100
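
The three conditions above (mode NTS, non-zero KeyID, cookies remaining) can be checked by a script, for example from a monitoring job. This is an added example, not part of the service's own tooling; the helper name nts_check and the second sample (a plain-NTP association) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check `chronyc -N authdata`
# output for the three conditions listed above.
# Usage: chronyc -N authdata | nts_check leap.public-utc.com

# Sample from this page: a healthy NTS association.
SAMPLE_NTS='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
leap.public-utc.com          NTS     1   15  256   33    0    0    8  100'

# Constructed sample: the same source configured without "nts".
SAMPLE_PLAIN='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
leap.public-utc.com            -     0    0    0    -    0    0    0    0'

# nts_check HOST  (hypothetical helper; reads authdata output on stdin)
# Exit status: 0 = NTS active, 1 = listed but not authenticated,
#              2 = HOST not listed (also covers chronyc printing nothing).
nts_check() {
    awk -v host="$1" '
        $1 == host {
            found = 1
            # Columns: 1 Name, 2 Mode, 3 KeyID, ... 9 Cook (cookies held)
            if ($2 != "NTS")  { print host ": mode is " $2 ", expected NTS"; bad = 1 }
            if ($3 + 0 == 0)  { print host ": KeyID is 0, no NTS-KE key in use"; bad = 1 }
            if ($9 + 0 == 0)  { print host ": no cookies remaining"; bad = 1 }
        }
        END {
            if (!found) { print host ": not present in authdata output"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}
```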

Leap-Second Policy

The Leap endpoint passes leap seconds through without smearing (leapsecmode ignore). At a leap-second boundary the clock steps by one second, matching the behaviour of the upstream national metrology institutes we discipline against.

Use this variant only when your stack explicitly requires that behaviour. For most hosts, Smear is the better fit. Do not configure both hostnames on the same machine.

Troubleshooting

NTS-KE handshake fails

Confirm outbound TCP port 4460 is permitted. Corporate TLS-intercepting middleboxes will break NTS-KE. If interception is required, use plain NTP and understand the security trade-off.

Initial sync requires a roughly correct clock

NTS-KE validates TLS certificate dates. If your clock is off by months or years, bootstrap with plain NTP first (or set the clock manually), then enable NTS.

TLS certificate looks invalid

The certificate covers leap.public-utc.com. Set SNI / hostname explicitly when connecting by IP. If rejected as not yet valid or expired, your system clock is wrong — bootstrap with plain NTP and retry.

Rate limited

Normal client polling intervals (64–1024 seconds) will not hit the limit. Aggressive polling may be dropped.