fflo/ntpsec-ntpdig

By fflo

Updated 3 months ago

NTPsec ntpdig utility with NTS support (Network Time Security)

Image
Networking
Security
0

241

fflo/ntpsec-ntpdig repository overview

NTPsec ntpdig (NTS-enabled)

A lightweight, non-root Docker image for testing public NTP servers with Network Time Security (NTS) support. Based on the latest NTPsec (1.2.4) on Debian Sid.

Features

  • NTS Ready: Full support for the Network Time Security protocol.
  • JSON by Default: Outputs structured data for easy integration and parsing.
  • Clean Output: Automatically filters out "Operation not permitted" errors (since containers are restricted from setting the host's system clock).
  • Security: Runs as a non-privileged user (ntpuser).
  • Multi-Arch: Native support for amd64, arm64 (Apple Silicon), and arm/v7.

Supported Platforms

This image is built for multiple architectures. Docker will automatically pull the correct version for your hardware:

  • linux/amd64: Standard 64-bit PCs, Servers, and Cloud instances.
  • linux/arm64: Apple Silicon (M1/M2/M3), AWS Graviton, and modern Raspberry Pi (64-bit).
  • linux/arm/v7: Older Raspberry Pi models (Pi 2, Pi 3) and other 32-bit ARM devices.

Usage

Basic Query (Single Server)

Note: Use only the raw hostname. Do not use prefixes like ://.

docker run --rm fflo/ntpsec-ntpdig:latest -S time.cloudflare.com
Debugging NTS Handshake

To inspect the TLS handshake (port 4460) and verify NTS cookie establishment:

docker run --rm fflo/ntpsec-ntpdig:latest -d -S time.cloudflare.com
Comparing Multiple Servers (Sorted)

Use this loop to query multiple servers and sort the output. This is great for finding the source with the most consistent timing:

for server in time.cloudflare.com time.nist.gov ptbtime1.ptb.de ntp.jst.mfeed.ad.jp ntp1.fau.de; do
  docker run --rm fflo/ntpsec-ntpdig:latest -S $server
done | sort -t: -k2 -n

Performance Comparison Script

A more targeted script to compare specific high-precision NTS sources:

for server in time.cloudflare.com time.nist.gov ptbtime1.ptb.de ntp.jst.mfeed.ad.jp ntp1.fau.de; do
  echo -n "$server: "
  docker run --rm fflo/ntpsec-ntpdig:latest -S $server | \
  grep -o '"offset":[0-9.-]*,"precision":[0-9.-]*,"host":"[^"]*","ip":"[^"]*","stratum":[0-9]*'
done
Pretty ASCII Table Output

If you have jq installed on your host, you can generate a clean, human-readable table:

for server in time.cloudflare.com time.nist.gov ptbtime1.ptb.de ntp.jst.mfeed.ad.jp ntp1.fau.de; do
  docker run --rm fflo/ntpsec-ntpdig:latest -S $server
done | jq -Rr 'fromjson? | [.host, .offset, .delay, .precision, .stratum] | @tsv' | \
  (echo -e "Host\tOffset\tDelay\tPrecision\tStratum" && sort -t$'\t' -k3 -n) | column -t -s $'\t'
ProviderHostnameLocation
Cloudflaretime.cloudflare.comGlobal (Anycast)
NISTtime.nist.govUSA
PTBptbtime1.ptb.deGermany (Braunschweig)
MFEEDntp.jst.mfeed.ad.jpJapan (Tokyo)
FAUntp1.fau.deGermany (Erlangen)

Troubleshooting

  • "Name or service not known": Double-check that you are using raw hostnames (e.g., time.cloudflare.com) and not URLs.
  • Firewall: Ensure outgoing TCP 4460 (NTS-KE) and UDP 123 (NTP) are allowed.

License

This project is licensed under the MIT License. NTPsec components are used under their respective NTP/BSD licenses.

Tag summary

Content type

Image

Digest

sha256:836bf2e6a

Size

41.6 MB

Last updated

3 months ago

docker pull fflo/ntpsec-ntpdig:1.2.4