---
title: Cloudflare Time Services
description: Learn more about Cloudflare’s suite of time services.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudflare Time Services

Learn more about Cloudflare’s suite of time services.

* [ Network Time Protocol ](https://developers.cloudflare.com/time-services/ntp/)
* [ Network Time Security ](https://developers.cloudflare.com/time-services/nts/)
* [ Roughtime ](https://developers.cloudflare.com/time-services/roughtime/)
* [ Terms of use ](https://developers.cloudflare.com/time-services/tos/)


---

---
title: Network Time Protocol
description: Network Time Protocol (NTP) is an Internet protocol designed to synchronize time between computer systems communicating over unreliable and variable-latency network paths. Cloudflare offers its version of NTP for free so you can use our global anycast network to synchronize time from our closest server.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Network Time Protocol

[Network Time Protocol ↗](https://tools.ietf.org/html/rfc1305) (NTP) is an Internet protocol designed to synchronize time between computer systems communicating over unreliable and variable-latency network paths. Cloudflare offers its version of NTP for free so you can use our [global anycast network ↗](https://www.cloudflare.com/network/) to synchronize time from our closest server.

## Background

NTP works by having a client send a query packet out to an NTP server that then responds with its clock time. The client then computes an estimate of the difference between its clock and the remote clock and attempts to compensate for any network delay. The NTP client then queries multiple servers and implements algorithms to select the best estimate.

Cloudflare does not implement leap smearing: NTP includes a Leap Indicator field ([spec ↗](https://tools.ietf.org/html/rfc5905#section-7.3)), and the kernel will apply the leap second correction at the appropriate time. This is the same behavior as the servers in `pool.ntp.org`. Using servers that smear time along with servers that do not may lead to unpredictable and anomalous results.
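The offset and delay estimate and the Leap Indicator field described above can both be read directly from a server packet. The following Go program is an added example, not Cloudflare's code: it decodes a constructed 48-byte NTPv4 reply using the RFC 5905 header layout and computes the clock offset and round-trip delay. The helper names and sample timestamps are made up for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
const ntpEpochOffset = 2208988800

// Reply holds the fields of an NTP server packet used in this example.
type Reply struct {
	Leap, Version, Mode, Stratum uint8
	Origin, Receive, Transmit    time.Time // T1, T2, T3 in RFC 5905 terms
}

// ntpTime decodes a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction).
func ntpTime(b []byte) time.Time {
	secs := int64(binary.BigEndian.Uint32(b[0:4])) - ntpEpochOffset
	nanos := (uint64(binary.BigEndian.Uint32(b[4:8])) * 1e9) >> 32
	return time.Unix(secs, int64(nanos)).UTC()
}

// putNTPTime encodes t as a 64-bit NTP timestamp (era 0, valid until 2036).
func putNTPTime(b []byte, t time.Time) {
	binary.BigEndian.PutUint32(b[0:4], uint32(t.Unix()+ntpEpochOffset))
	binary.BigEndian.PutUint32(b[4:8], uint32((uint64(t.Nanosecond())<<32)/1e9))
}

// ParseReply decodes a server reply and rejects packets a client must not use.
func ParseReply(pkt []byte) (Reply, error) {
	if len(pkt) < 48 {
		return Reply{}, errors.New("short NTP packet")
	}
	r := Reply{
		Leap: pkt[0] >> 6, Version: (pkt[0] >> 3) & 0x7, Mode: pkt[0] & 0x7, Stratum: pkt[1],
		Origin: ntpTime(pkt[24:32]), Receive: ntpTime(pkt[32:40]), Transmit: ntpTime(pkt[40:48]),
	}
	if r.Mode != 4 {
		return r, errors.New("not a server reply")
	}
	if r.Leap == 3 || r.Stratum == 0 { // LI=3 means the server clock is unsynchronized
		return r, errors.New("server is unsynchronized")
	}
	return r, nil
}

// OffsetDelay applies the RFC 5905 formulas, with t4 the client receive time:
// offset = ((T2-T1)+(T3-T4))/2 and delay = (T4-T1)-(T3-T2).
func OffsetDelay(r Reply, t4 time.Time) (offset, delay time.Duration) {
	offset = (r.Receive.Sub(r.Origin) + r.Transmit.Sub(t4)) / 2
	delay = t4.Sub(r.Origin) - r.Transmit.Sub(r.Receive)
	return
}

// SamplePacket builds a constructed reply: the server clock is 0.5 s ahead,
// each network leg takes 0.25 s and the server spends 0.25 s processing.
func SamplePacket(li uint8) (pkt []byte, t4 time.Time) {
	t1 := time.Date(2024, 1, 1, 10, 0, 0, 0, time.UTC)
	pkt = make([]byte, 48)
	pkt[0] = li<<6 | 4<<3 | 4 // Leap Indicator, version 4, mode 4 (server)
	pkt[1] = 3                // stratum (constructed value)
	putNTPTime(pkt[24:], t1)
	putNTPTime(pkt[32:], t1.Add(750*time.Millisecond))
	putNTPTime(pkt[40:], t1.Add(time.Second))
	return pkt, t1.Add(750 * time.Millisecond)
}

func main() {
	pkt, t4 := SamplePacket(1) // LI=1: a leap second is announced, not smeared
	r, err := ParseReply(pkt)
	off, delay := OffsetDelay(r, t4)
	fmt.Println(r.Leap, r.Stratum, off, delay, err)
}
```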

## Next steps

For more background information about NTP, refer to the [introductory blog ↗](https://blog.cloudflare.com/secure-time/).

To enable NTP on your device, refer to our [Usage guide](https://developers.cloudflare.com/time-services/ntp/usage/).


---

---
title: User Guide
description: Network Time Protocol (NTP) is an Internet protocol designed to synchronize time between computer systems communicating over unreliable and variable-latency network paths. Cloudflare offers its version of NTP for free so you can use our global anycast network to synchronize time from our closest server.
image: https://developers.cloudflare.com/core-services-preview.png
---


# User Guide

[Network Time Protocol ↗](https://tools.ietf.org/html/rfc1305) (NTP) is an Internet protocol designed to synchronize time between computer systems communicating over unreliable and variable-latency network paths. Cloudflare offers its version of NTP for free so you can use our [global anycast network ↗](https://www.cloudflare.com/network/) to synchronize time from our closest server.

To use our NTP server, change the time configuration in your device to point to `time.cloudflare.com`.

## macOS

To have your Mac synchronize time from `time.cloudflare.com`:

1. Go to **System Settings**.
2. Go to **General** \> **Date & Time**.
3. Enable **Set date and time automatically**.
4. For **Source**, select **Set...** and enter `time.cloudflare.com` in the text field that appears.
![Screenshot of updating the Date & Time settings on machine running macOS](https://developers.cloudflare.com/_astro/mactime.DBCp2s9r_Rw5nr.webp) 

## Windows

To have your Windows machine synchronize time from `time.cloudflare.com`:

1. Go to **Control Panel**.
2. Go to **Clock and Region**.
3. Click **Date and Time**.
4. Go to the **Internet Time** tab.
5. Click **Change settings..**
6. For **Server:**, type `time.cloudflare.com` and click **Update now**.
7. Click **OK**.
![Screenshot of updating the Date and Time settings on machine running Windows](https://developers.cloudflare.com/_astro/window.g3wVkbhY_Z1SBzSp.webp) 

## Linux

Cloudflare's time servers are included in [pool.ntp.org ↗](https://www.ntppool.org/en/), which is the default time service for many Linux distributions and network appliances. If your NTP client is synchronizing from one of the servers below, you are already using Cloudflare's time services.

* [162.159.200.1 ↗](https://www.ntppool.org/scores/162.159.200.1)
* [162.159.200.123 ↗](https://www.ntppool.org/scores/162.159.200.123)
* [2606:4700:f1::1 ↗](https://www.ntppool.org/scores/2606:4700:f1::1)
* [2606:4700:f1::123 ↗](https://www.ntppool.org/scores/2606:4700:f1::123)

To manually configure your NTP client to use our time service, please first refer to the documentation for your Linux distribution to determine which NTP client you are using and where the configuration files are stored.

For example:

* [Ubuntu ↗](https://ubuntu.com/server/docs/about-time-synchronisation)
* [Debian ↗](https://wiki.debian.org/NTP)
* [RHEL ↗](https://access.redhat.com/documentation/en-us/red%5Fhat%5Fenterprise%5Flinux/7/html/system%5Fadministrators%5Fguide/ch-configuring%5Fntp%5Fusing%5Fthe%5Fchrony%5Fsuite)

Exact configuration will vary by Linux distribution, but below are some example configurations for popular clients:

### [chrony ↗](https://chrony-project.org)

1. Add `time.cloudflare.com` as a server in the configuration file on your system (e.g., `/etc/chrony/chrony.conf`).
   ```
   server time.cloudflare.com iburst
   ```
2. Restart the chronyd service.
   ```
   systemctl restart chronyd
   ```

### [systemd-timesyncd ↗](https://man7.org/linux/man-pages/man5/timesyncd.conf.5.html)

1. Add `time.cloudflare.com` to the `[Time]` section of the configuration file on your system (e.g., `/etc/systemd/timesyncd.conf`).
   ```
   [Time]
   NTP=time.cloudflare.com
   ```
2. Restart the systemd-timesyncd service.
   ```
   systemctl restart systemd-timesyncd
   ```

### [ntpd ↗](https://linux.die.net/man/5/ntp.conf)

1. Add `time.cloudflare.com` as a server in the configuration file on your system (e.g., `/etc/ntp.conf`).
   ```
   server time.cloudflare.com iburst
   ```
2. Restart the ntpd service.
   ```
   systemctl restart ntpd
   ```


---

---
title: Network Time Security
description: Network Time Security (NTS) provides cryptographic security for the client-server mode of the Network Time Protocol (NTP). This allows users to obtain time in an authenticated manner.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Network Time Security

[Network Time Security ↗](https://datatracker.ietf.org/doc/html/rfc8915) (NTS) provides cryptographic security for the client-server mode of the Network Time Protocol (NTP). This allows users to obtain time in an authenticated manner.

## Background

The NTS protocol is divided into two phases:

1. **NTS Key Exchange**: Establishes the necessary key material between the NTP client and the server, using a [Transport Layer Security (TLS) handshake ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) (the same public key infrastructure as the web). Once the keys are exchanged, the TLS channel is closed and the protocol enters the second phase.
2. **NTS Extension Fields for NTPv4**: Authenticates NTP time synchronization packets using previously established key material. For more information, refer to [RFC 8915 ↗](https://tools.ietf.org/html/rfc8915).

## Next steps

NTS is gaining support in many NTP implementations, including [Chrony ↗](https://chrony-project.org/documentation.html), [NTPsec ↗](https://www.ntpsec.org/), and [ntpd-rs ↗](https://github.com/pendulum-project/ntpd-rs). Read the relevant documentation for guidance on setting them up to point to our time service, `time.cloudflare.com`. Also see [Netnod's documentation ↗](https://www.netnod.se/netnod-time/how-to-use-nts) for configuring NTS clients.


---

---
title: Roughtime
description: Roughtime is a simple, flexible, and secure authenticated time protocol developed by Google.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Roughtime

[Roughtime ↗](https://roughtime.googlesource.com/roughtime) is a simple, flexible, and secure authenticated time protocol developed by Google.

## Background

Endpoints on the Internet often synchronize their clocks using the [Network Time Protocol (NTP)](https://developers.cloudflare.com/time-services/ntp/). NTP provides precise synchronization, but is frequently deployed without a means of authentication. This is due to a [combination of issues ↗](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/dowling).

As a result, a man-in-the-middle attacker can easily influence a victim’s clock. By moving them back in time, the attacker can, for example, force a victim to accept an expired (and possibly compromised) TLS certificate or session ticket.

For many applications, _precise_ network time is not essential. It is sufficient to have _accurate_ time to mitigate these kinds of attacks, such as within 10 seconds of real time. This observation is the primary motivation behind Roughtime.

## Next steps

For more technical details on Roughtime, refer to the [introductory blog post ↗](https://blog.cloudflare.com/roughtime/).

To get started, refer to [Get the Roughtime](https://developers.cloudflare.com/time-services/roughtime/usage/). For more practical guidance on using Roughtime, refer to our [how-to guide](https://developers.cloudflare.com/time-services/roughtime/recipes/).


---

---
title: Server Deprecation
description: Once their deprecation date has passed, both the port and public key associated with a server will become unavailable.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Server Deprecation

Once their deprecation date has passed, both the port and public key associated with a server will become unavailable.

| Server                        | Public Key                                   | Deprecation date |
| ----------------------------- | -------------------------------------------- | ---------------- |
| roughtime.cloudflare.com:2002 | gD63hSj3ScS+wuOeGrubXlq35N1c5Lby/S+T7MNTjxo= | 2024-06-30       |

Available servers are [listed in our tutorial](https://developers.cloudflare.com/time-services/roughtime/usage/), which you can follow to configure your Roughtime server.


---

---
title: Use Roughtime
description: There are various ways you can use Roughtime to keep your clock in sync. These recipes use Cloudflare's Go package, which is based on Google's Go client.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Use Roughtime

There are various ways you can use Roughtime to keep your clock in sync. These recipes use [Cloudflare's Go package ↗](https://github.com/cloudflare/roughtime), which is based on Google's [Go client ↗](https://roughtime.googlesource.com/roughtime/+/master/go/client/).

The protocol is also implemented in [C++ ↗](https://roughtime.googlesource.com/roughtime/+/master), [Rust ↗](https://github.com/int08h/roughenough), and [Java ↗](https://github.com/int08h/nearenough).

## Client configuration

The client configuration consists of a list of named Roughtime servers formatted as a JSON object. For example:

```
{
  "servers": [
    {
      "name": "Cloudflare-Roughtime-2",
      "publicKeyType": "ed25519",
      "publicKey": "0GD7c3yP8xEc4Zl2zeuN2SlLvDVVocjsPSL8/Rl/7zg=",
      "addresses": [
        {
          "protocol": "udp",
          "address": "roughtime.cloudflare.com:2003"
        }
      ]
    }
  ]
}
```

It includes each server's _root public key_. When the server starts, it generates an _online_ public/secret key pair. The root secret key is used to create a _delegation_ for the online public key and the online secret key is used to sign the response.

The delegation serves the same function as a traditional [X.509 certificate ↗](https://en.wikipedia.org/wiki/X.509) on the web. The client first uses the root public key to verify the delegation, then uses the online public key to verify the response.

Because the response is _auditable_, the protocol makes each client accountable to provide accurate time.

The configuration also encodes the type of signature algorithm used by the server (currently only [Ed25519 ↗](https://en.wikipedia.org/wiki/EdDSA) is supported). Lastly, the configuration contains a list of addresses where the service can be reached and which transport protocol to use to reach them (currently only UDP is supported).
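The two-step check described above (the root public key verifies the delegation, then the online public key verifies the response), as an added Go sketch. It is not Cloudflare's library code and not the Roughtime wire format: the message layout, context labels, type names and fixed key seeds are assumptions made for illustration, and the nonce is signed directly.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Delegation binds an online public key to a validity window (Unix seconds in
// this sketch). Sig is made with the root secret key.
type Delegation struct {
	OnlineKey        ed25519.PublicKey
	MinTime, MaxTime uint64
	Sig              []byte
}

// Response is a timestamp signed with the online secret key, plus the delegation.
type Response struct {
	Midpoint, Radius uint64
	Sig              []byte
	Cert             Delegation
}

// msg builds the bytes to sign: a context label for domain separation, then the fields.
func msg(label string, data []byte, vals ...uint64) []byte {
	b := append([]byte(label+"\x00"), data...)
	for _, v := range vals {
		var u [8]byte
		binary.BigEndian.PutUint64(u[:], v)
		b = append(b, u[:]...)
	}
	return b
}

// Serve plays the server: delegate the online key with the root key, then sign the reply.
func Serve(root, online ed25519.PrivateKey, nonce []byte, mid, radius, min, max uint64) Response {
	pub := online.Public().(ed25519.PublicKey)
	d := Delegation{pub, min, max, ed25519.Sign(root, msg("example delegation", pub, min, max))}
	return Response{mid, radius, ed25519.Sign(online, msg("example response", nonce, mid, radius)), d}
}

// Verify is the client side: root key -> delegation -> online key -> response.
func Verify(root ed25519.PublicKey, nonce []byte, r Response) error {
	d := r.Cert
	if len(d.OnlineKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(root, msg("example delegation", d.OnlineKey, d.MinTime, d.MaxTime), d.Sig) {
		return errors.New("delegation is not signed by the configured root key")
	}
	if r.Midpoint < d.MinTime || r.Midpoint > d.MaxTime {
		return errors.New("timestamp is outside the delegation's validity window")
	}
	if !ed25519.Verify(d.OnlineKey, msg("example response", nonce, r.Midpoint, r.Radius), r.Sig) {
		return errors.New("response is not signed by the delegated online key")
	}
	return nil
}

// key derives a deterministic key from a constructed seed (never do this outside a demo).
func key(seed byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
}

// Scenarios verifies an honest reply, a reply whose delegation comes from a root
// key the client does not pin, and a reply whose timestamp changed after signing.
func Scenarios() (honest, wrongRoot, altered error) {
	root, online, other := key(1), key(2), key(3)
	pinned := root.Public().(ed25519.PublicKey) // the root public key from the client config
	nonce := bytes.Repeat([]byte{0xAB}, 64)      // constructed; a real client uses random bytes
	good := Serve(root, online, nonce, 1700000000, 1, 1690000000, 1710000000)
	bad := Serve(other, online, nonce, 1700000000, 1, 1690000000, 1710000000)
	tampered := good
	tampered.Midpoint -= 3600
	return Verify(pinned, nonce, good), Verify(pinned, nonce, bad), Verify(pinned, nonce, tampered)
}

func main() {
	fmt.Println(Scenarios())
}
```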

## TLS

A good starting example would be to sync a TLS client or server using a single Roughtime server. That would involve computing the time difference between our clock and the Roughtime server's.

The first step is to load the configuration file (be sure to import `github.com/cloudflare/roughtime`):

```
servers, skipped, err := roughtime.LoadConfig("roughtime.config")
```

In this example, the variable `servers` is the list of valid server configurations parsed from the input file. The variable `skipped` indicates the number of servers that were skipped, for example, if the signature algorithm or transport protocol was not supported.

Next, we would get the system time and query the first server in the list:

```
t0 := time.Now()
rt, err := roughtime.Get(&servers[0], attempts, timeout, nil)
```

This sends a request to the server and verifies the response. The variable `rt` is of type `*roughtime.Roughtime` and represents the result of the query. The inputs are:

1. The server's configuration.
2. The number of attempts to dial the server.
3. The time to wait for each dial attempt.
4. An optional `*roughtime.Roughtime`, the result of a prior query.

If the last parameter is provided, then it's used to generate the nonce for the request (more on this later).

The `crypto/tls` package allows the user to [specify a callback ↗](https://golang.org/pkg/crypto/tls/#Config) for the current time to use when validating certificates, session tickets, etc. You can compute this callback as follows:

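```
t1, radius := rt.Now()
// delta is the difference between the server's time and the local clock
// reading (t0) taken just before the query.
delta := t1.Sub(t0)
// now returns the local clock corrected by delta.
now := func() time.Time {
  return time.Now().Add(delta)
}
```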

The variable `t1` is the time reported by the server and `radius` is the server's uncertainty radius.

For a full working example, check out our [GitHub ↗](https://github.com/cloudflare/roughtime/blob/master/recipes/tls.go).

## Desktop alerts

A more general way to use Roughtime is to create desktop alerts that warn you when your clock is skewed.

On Ubuntu GNU/Linux, you can do something like this:

```
skew := time.Duration(math.Abs(float64(delta)))
if skew > 10*time.Second {
  summary := "Check your clock!"
  body := fmt.Sprintf("%s says it's off by %v.", servers[0].Name, skew)
  cmd := exec.Command("notify-send", "-i", "clock", summary, body)
  if err := cmd.Run(); err != nil {
    // error handling ...
  }
}
```

For a full working example, check out our [GitHub ↗](https://github.com/cloudflare/roughtime/tree/master/recipes/alerter.go) (tested on Ubuntu 18.04). You would run this program as a cron job to periodically check that your clock is in sync.

## Using multiple sources

Using multiple sources for Roughtime is easy (and highly recommended):

```
t0 := time.Now()
res := roughtime.Do(servers, attempts, timeout, nil)
```

The first parameter is a sequence of servers and the remaining parameters are the same as in `roughtime.Get()`. This queries each server in the sequence `servers` in order. The output `res` is a slice the same length as `servers`.

Each element represents the result of the query to the server. If the query was successful, then the result contains the server's time. If unsuccessful, then the result contains the error that occurred. To compute the median difference between your clock and the valid responses:

```
thresh := 10 * time.Second
delta, err := roughtime.MedianDeltaWithRadiusThresh(res, t0, thresh)
```

This rejects responses whose uncertainty radii exceed 10 seconds. An error will be returned if there were no valid responses.
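Why the median and the radius threshold matter when combining sources, as an added Go sketch (not the `roughtime` package's implementation): the `Result` type, `MedianDelta`, the even-count averaging and the sample values are hypothetical stand-ins for the output of `roughtime.Do()`. One source reporting a time an hour in the past and one source with a large uncertainty radius do not move the result.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Result is a hypothetical stand-in for one entry of the slice returned by
// roughtime.Do(): either a server time with its uncertainty radius, or an error.
type Result struct {
	Server   string
	Midpoint time.Time
	Radius   time.Duration
	Err      error
}

// MedianDelta returns the median of (server time - t0) over the successful
// responses whose radius does not exceed thresh. With an even number of valid
// responses it averages the two middle values (a choice made for this sketch).
func MedianDelta(results []Result, t0 time.Time, thresh time.Duration) (time.Duration, error) {
	var deltas []time.Duration
	for _, r := range results {
		if r.Err != nil || r.Radius > thresh {
			continue // failed query, or a response too uncertain to use
		}
		deltas = append(deltas, r.Midpoint.Sub(t0))
	}
	if len(deltas) == 0 {
		return 0, errors.New("no valid responses")
	}
	sort.Slice(deltas, func(i, j int) bool { return deltas[i] < deltas[j] })
	mid := len(deltas) / 2
	if len(deltas)%2 == 1 {
		return deltas[mid], nil
	}
	return (deltas[mid-1] + deltas[mid]) / 2, nil
}

// SampleResults returns constructed responses relative to the local reading t0.
func SampleResults(t0 time.Time) []Result {
	return []Result{
		{"A", t0.Add(2 * time.Second), time.Second, nil},
		{"B", t0.Add(3 * time.Second), time.Second, nil},
		{"C", time.Time{}, 0, errors.New("timeout")},            // query failed
		{"D", t0.Add(-time.Hour), time.Second, nil},             // reports a time an hour in the past
		{"E", t0.Add(40 * time.Second), 30 * time.Second, nil},  // radius above the threshold
	}
}

func main() {
	t0 := time.Date(2024, 1, 1, 10, 0, 0, 0, time.UTC)
	delta, err := MedianDelta(SampleResults(t0), t0, 10*time.Second)
	fmt.Println(delta, err) // A, B and D are used; the median ignores D's outlier
}
```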

### Auditing Your Sources

Function `roughtime.Do()` chains together valid responses, generating each nonce using the server's response in the last successful query. As we discuss in more detail in the [blog ↗](https://blog.cloudflare.com/roughtime/), linking queries together in this manner results in cryptographic proof that the queries were made in order. To verify that the results have this property, you can do the following:

```
// results is the slice returned by roughtime.Do() (named res in the snippets above).
chain := roughtime.NewChain(results)
ok, err := chain.Verify(nil)
if err != nil || !ok {
  // error handling ...
}
```

The variable `chain` is a structure that contains the first successful query in `results`. It has a field, `chain.Next`, that points to the next successful query. The input parameter to `Verify()` allows you to use a previous result as a starting point for verifying the chain. For example, if `chain.Verify(nil)` is valid, then `chain.Next.Verify(chain.Roughtime)` will be valid, too.
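How deriving each nonce from the previous response proves ordering, as an added Go sketch that is not the `roughtime` package's code or wire format. It assumes the nonce is SHA-512 of the previous reply followed by a client-chosen blind; the `Link` type and function names are hypothetical, and each reply simply starts with the nonce it answers in place of the signature check a real client performs.

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"fmt"
)

// Link is one successful query in this sketch.
type Link struct {
	Server string
	Blind  []byte // value chosen by the client for this query
	Nonce  []byte // nonce sent in the request
	Reply  []byte // server reply; here it starts with the nonce it answers
}

// chainNonce derives a nonce that commits to the previous reply.
func chainNonce(prevReply, blind []byte) []byte {
	h := sha512.New()
	h.Write(prevReply)
	h.Write(blind)
	return h.Sum(nil)
}

// BuildChain queries the constructed servers in order, feeding each reply
// into the nonce of the next request.
func BuildChain(servers []string) []Link {
	var prev []byte
	var links []Link
	for i, s := range servers {
		blind := []byte{byte(i + 1)} // constructed; a real client uses fresh random bytes
		nonce := chainNonce(prev, blind)
		reply := append(append([]byte{}, nonce...), "|time-from-"+s...)
		links = append(links, Link{s, blind, nonce, reply})
		prev = reply
	}
	return links
}

// VerifyChain checks that every nonce commits to the reply before it. prev is
// the reply preceding links[0], or nil when links[0] starts the chain.
func VerifyChain(prev []byte, links []Link) error {
	for i, l := range links {
		if !bytes.Equal(l.Nonce, chainNonce(prev, l.Blind)) {
			return fmt.Errorf("link %d (%s): nonce does not commit to the previous reply", i, l.Server)
		}
		if !bytes.HasPrefix(l.Reply, l.Nonce) {
			return fmt.Errorf("link %d (%s): reply does not answer this nonce", i, l.Server)
		}
		prev = l.Reply
	}
	return nil
}

func main() {
	links := BuildChain([]string{"A", "B", "C"})
	fmt.Println("in order:     ", VerifyChain(nil, links))
	fmt.Println("from 2nd link:", VerifyChain(links[0].Reply, links[1:]))
	swapped := []Link{links[0], links[2], links[1]}
	fmt.Println("reordered:    ", VerifyChain(nil, swapped))
}
```

Verifying from the second link with the first reply as the starting point mirrors the `chain.Next.Verify(chain.Roughtime)` call described above.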

### Being Verbose

It is possible to have `roughtime.Do()` output useful information as it executes its queries. To do so, invoke `roughtime.SetLogger()` to set a logger. For example:

```
roughtime.SetLogger(log.New(os.Stdout, "", 0))
```


---

---
title: Get the Roughtime
description: 'The "Hello, world!" of Roughtime is very simple: the client sends a request over UDP to the server and the server responds with a signed timestamp.'
image: https://developers.cloudflare.com/core-services-preview.png
---


# Get the Roughtime

The "Hello, world!" of Roughtime is very simple: the client sends a request over UDP to the server and the server responds with a signed timestamp.

You just need the server's address and public key to run the protocol:

* **Server address**: `roughtime.cloudflare.com:2003` (resolves to an IP address in our [anycast IP range ↗](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/)). You can use either IPv4 or IPv6.
* **Public key**: `0GD7c3yP8xEc4Zl2zeuN2SlLvDVVocjsPSL8/Rl/7zg=`

To get started, download and run Cloudflare's [Go client ↗](https://github.com/cloudflare/roughtime):

```
go install github.com/cloudflare/roughtime/cmd/getroughtime@latest
getroughtime -ping roughtime.cloudflare.com:2003 -pubkey 0GD7c3yP8xEc4Zl2zeuN2SlLvDVVocjsPSL8/Rl/7zg=
```

## Beta notice

Cloudflare Roughtime is currently in beta. As such, our root public key may change in the future. We will keep this page up-to-date with the most current public key.

You can also obtain it programmatically using DNS. For example:

```
dig TXT roughtime.cloudflare.com | grep -oP 'TXT\s"\K.*?(?=")'
```

## Next steps

Beyond just getting the Roughtime from Cloudflare, you may want to use it to [keep your clock in sync](https://developers.cloudflare.com/time-services/roughtime/recipes/).


---

---
title: Terms of use
description: By using Cloudflare's suite of time services, you agree to Cloudflare Website and Online Services Terms of Use.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Terms of use

By using Cloudflare's suite of time services, you agree to [Cloudflare Website and Online Services Terms of Use ↗](https://www.cloudflare.com/website-terms/).

