Back in Gazette issue 1 I outlined that Canonical now provides an NTS-enabled NTP server backend, that you can use it with chrony as the client, and how to configure your system to use it.
But our final goal in all of this always was to be more secure by default everywhere, and that comes in two stages. The first was to make Network Time Security (NTS) the default in chrony as it comes with Plucky, but since then we have been working to make chrony the default in all Ubuntu images, be it Server or Desktop - thereby making authenticated time synchronization the default for every new future Ubuntu installation.
Recently that shift happened as part of the ongoing development of Questing Quokka. After announcing it once more, so that everybody could have an extra eye on potential fallout, the seed got changed. With this (and a few more changes) images now come with chrony by default, which in turn comes with NTS enabled by default.
Some subtle changes have been implemented along the way. For example, in Ubuntu, chrony was always allowed to serve time from a container. Setting time there is pointless, but serving was a desired use case for various test setups. Now that the use of chrony-as-a-client is the more common case we followed the great bug report by Simon (thanks!) and made sure that in containers there is no chrony activity unless you really want to enable it to be a time server.
Generally there is a desire that an upgraded Ubuntu system resembles a new installation, but on this particular change we decided against that. The addition of new ports (NTS-KE on tcp/4460) and the change in general behavior seemed a bit too much – and error prone – likely causing more issues than we’d fix. So if you upgrade to 25.10, or in the future 24.04 -> 26.04, for now you’ll retain your systemd-timesyncd based approach. In my (very personal) opinion, I’d always use fresh deployments anyway – which is wasting a lot of the effort to make upgrades smooth and still is the more reproducible setup to me. Please speak up if you strongly believe that the upgrade should change that behavior.
@slyon also updated the documentation, emphasizing the “chrony as a client” part and adding some sections that allow you to check if NTS is used from the client’s point of view.
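As an added example (not from the post or the Ubuntu documentation), here is a small POSIX shell check that reads `chronyc -N authdata` and reports, per source, whether chrony completed NTS key establishment and still holds NTS cookies. The `chronyc` output embedded below is a constructed sample; the source names in it are placeholders.

```shell
#!/bin/sh
# Added example, not chrony's or Ubuntu's own tooling: verify from the
# client side that every configured source is authenticated with NTS.
# Column layout of `chronyc -N authdata`:
#   Name/IP address  Mode  KeyID  Type  KLen  Last  Atmp  NAK  Cook  CLen
# Mode is "NTS" once NTS-KE succeeded; Cook is the number of cookies left.

# Parse `chronyc -N authdata` output from stdin. Prints "<name> OK" or
# "<name> NO-NTS" per source and returns 0 only if every source is NTS
# authenticated and holds at least one cookie (a source with Mode NTS but
# Cook 0 has lost its cookies and will need another NTS-KE round).
check_nts_authdata() {
    awk '
        NR <= 2 { next }            # skip the header and separator lines
        NF < 10 { next }            # ignore anything that is not a source row
        {
            name = $1; mode = $2; cookies = $9
            if (mode == "NTS" && cookies > 0) {
                print name, "OK"
            } else {
                print name, "NO-NTS"; bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample output (placeholder hostnames): one source that
# finished NTS-KE and has 8 cookies, one that is not authenticated at all.
SAMPLE_AUTHDATA='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp.ubuntu.com               NTS     1   15  256  10m    0    0    8  100
ntp.example.invalid            -     0    0    0    -    0    0    0    0'

# Use the live daemon when chronyc is installed, otherwise the sample.
nts_status() {
    if command -v chronyc >/dev/null 2>&1; then
        chronyc -N authdata | check_nts_authdata
    else
        printf '%s\n' "$SAMPLE_AUTHDATA" | check_nts_authdata
    fi
}
```

On a fresh Questing install, `nts_status` should print `OK` for every source; a `NO-NTS` line points at a source that is reachable but unauthenticated (for example tcp/4460 blocked on the way to it).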
I sometimes felt I’m more motivated for this feature than others might be, potentially due to my engagement on threat models, but I’ve realized that much bigger organizations have very similar goals to mine. See “Secure Time for a Safe Internet” in a recent ICANN announcement funding initiatives towards “a single, open, globally interoperable Internet” - that section is very much about the wider and general adoption of NTS.
OK, so one impactful transition is barely over, and that can only mean one thing: time to consider the next one. We have recently started to look at ntpd-rs, checking what it might provide and what it might miss compared to chrony.