The nts package provides a client implementation of Network Time Security (NTS) for the Network Time Protocol (NTP). It enables the secure querying of time-related information that can be used to synchronize the local system clock with a more accurate network clock. See RFC 8915 for further details.

This package is implemented as an extension to the go-based simple ntp client package, but it may be used without directly installing that package.

Before requesting time synchronization data, you must first establish a "session" with an NTS key-exchange server.

session, err := nts.NewSession("time.cloudflare.com")

This is not a session in the typical sense of the word, which often implies a long-running network connection to a server. Rather, it is merely a collection of cryptographic keys and other state used to communicate securely with an NTS-capable NTP server. Once the session has been created, the network connection to the key-exchange server is immediately dropped and all future queries proceed via NTP using the session's query functions.

If you wish to customize the behavior of the session, you may do so by using NewSessionWithOptions instead of NewSession. For example:

opt := &nts.SessionOptions{
    TLSConfig: &tls.Config{
        RootCAs: certPool,
    },
    Timeout: 30 * time.Second,
    Dialer: customDialer,
    Resolver: customResolver,
}
session, err := nts.NewSessionWithOptions(host, opt)

See the documentation for SessionOptions for a list of available customizations.

After successful establishment of the session, you may issue NTP Query requests for time synchronization data.

if response, err := session.Query(); err != nil {
    accurateTime := time.Now().Add(response.ClockOffset)
    fmt.Printf("The current time is: %s\n", accurateTime)
}

In addition to the clock offset, the Response includes information you can use to tune future queries. For instance, it includes a Poll interval, which describes how long you should wait before querying again. The response also has a Validate function, which you can use to perform additional sanity checks on the data to determine whether it is suitable for time synchronization purposes.

err := response.Validate()
if err == nil {
    // response data is suitable for synchronization purposes
}

If you wish to customize the behavior of the query, you may do so by using QueryWithOptions instead of Query.

opt := &ntp.QueryOptions{ Timeout: 30 * time.Second }
response, err := session.QueryWithOptions(opt)

See the documentation for QueryOptions for a list of available customizations.

NTS is a relatively new protocol, having become an IETF RFC in September 2020. So there are a limited number of NTS key-exchange servers available for public use. You can find a list here. The NTP pool does not currently support NTS.

If you wish to operate your own NTS-capable NTP server, you may install NTPsec or Chrony.