Public UTC Smear

Recommended public NTP and NTS endpoint. Leap seconds are smeared over a gradual window so time stays monotonic across the boundary.

Overview · Smear · Leap

Hostnamesmear.public-utc.com
ProtocolsNTP (RFC 5905), NTS (RFC 8915)
NetworkIPv4 and IPv6
LoggingNone
Stratum2
Leap-second policyGradual smear (recommended)

Quick Start

Add one line to your NTP client and restart. Use NTS when your client supports it. See Leap if your stack requires leap seconds passed through as a one-second step.

server smear.public-utc.com iburst nts
# Linux (systemd)
sudo systemctl restart chronyd

# FreeBSD
sudo service chronyd restart

# Verify
chronyc -N authdata
chronyc sources -v
chronyc tracking

Endpoints

ServiceAddress
NTS-secured NTPsmear.public-utc.com
Plain NTPsmear.public-utc.com (UDP 123)
NTS-KETCP 4460 (TLS)
IPv437.27.126.88
IPv62a01:4f9:3070:306a::88

The apex public-utc.com serves this website only — it is not an NTP endpoint.

chrony (Linux, FreeBSD, macOS)

Add to /etc/chrony/chrony.conf (Linux) or /usr/local/etc/chrony.conf (FreeBSD):

server smear.public-utc.com iburst nts

Restart chronyd, then run chronyc -N authdata to confirm NTS mode.

ntpsec

Add to /etc/ntp.conf:

server smear.public-utc.com iburst nts
sudo systemctl restart ntpsec
ntpq -p
ntpq -c "rv 0 nts"

Other Clients

Plain NTP (no NTS)

Use only on trusted networks.

server smear.public-utc.com iburst

systemd-timesyncd

timesyncd does not support NTS — use chrony for authenticated time.

[Time]
NTP=smear.public-utc.com
sudo systemctl restart systemd-timesyncd
timedatectl timesync-status

Windows (w32time)

The built-in Windows Time service does not support NTS.

w32tm /config /manualpeerlist:"smear.public-utc.com" /syncfromflags:manual /update
w32tm /resync

For authenticated time on Windows, install chrony under WSL.

One-off check

chronyc -N -h smear.public-utc.com tracking
ntpdate -q smear.public-utc.com
sntp smear.public-utc.com

Verifying NTS

After configuring chrony with nts, run chronyc -N authdata. You should see smear.public-utc.com with mode NTS, a non-zero KeyID, and cookies remaining greater than zero.

Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
smear.public-utc.com         NTS     1   15  256   33    0    0    8  100

Leap-Second Policy

The Smear endpoint spreads each leap-second adjustment over a gradual window (leapsecmode slew with smoothtime) rather than stepping the clock at the UTC boundary. That keeps local time monotonic — fewer surprises for applications, logs, TLS stacks, databases, and distributed ordering.

This is the recommended default for most hosts. Do not configure leap.public-utc.com on the same machine; the two variants implement different policies and will disagree at the boundary.

Troubleshooting

NTS-KE handshake fails

Confirm outbound TCP port 4460 is permitted. Corporate TLS-intercepting middleboxes will break NTS-KE. If interception is required, use plain NTP and understand the security trade-off.

Initial sync requires a roughly correct clock

NTS-KE validates TLS certificate dates. If your clock is off by months or years, bootstrap with plain NTP first (or set the clock manually), then enable NTS.

TLS certificate looks invalid

The certificate covers smear.public-utc.com. Set SNI / hostname explicitly when connecting by IP. If rejected as not yet valid or expired, your system clock is wrong — bootstrap with plain NTP and retry.

Rate limited

Normal client polling intervals (64–1024 seconds) will not hit the limit. Aggressive polling may be dropped.