Does pool.ntp.org support IPv6?

Yes, but the default pool.ntp.org zone returns mixed A and AAAA records, which many clients interpret as IPv4-only. Use the dedicated zones 2.pool.ntp.org and 3.pool.ntp.org which are statistically more likely to return AAAA records, or query explicit AAAA records with 'dig AAAA 2.pool.ntp.org'. For guaranteed IPv6, configure a known IPv6-capable source such as ntp.rdem-systems.com, time.cloudflare.com, or nts.netnod.se.

How do I test if my NTP server responds on IPv6?

Three methods: (1) 'ntpdate -q -6 <server>' forces IPv6 resolution. (2) 'sntp -6 <server>' does the same for the systemd SNTP client. (3) 'dig AAAA <server>' checks if the DNS record exists before NTP is even consulted. For internal servers, use our RFC 1918 bridge mode with an IPv6 address like fe80:: or 2001:db8::.

Why is my NTP offset different on IPv6 vs IPv4?

Different routing paths: IPv6 packets often traverse fewer hops than IPv4 because the IPv6 backbone has less deep-packet inspection and fewer NAT boundaries. A 2–10 ms offset difference between v4 and v6 to the same hostname is normal when the server has distinct v4 and v6 addresses reaching different POPs via anycast. Consistently larger differences indicate asymmetric routing or a tunnelled IPv6 (6in4) path.

Does NIS 2 require NTP over IPv6?

NIS 2 Article 21 does not name IPv6 explicitly, but Article 21(2)(d) — ICT product supply-chain security — and (2)(e) — network-level diversification — effectively require dual-stack for entities whose network already carries IPv6. An IPv6-only internal segment that cannot reach an authenticated time source via NTS/NTP over v6 fails the risk-proportionality test. Our audit checklist covers the dual-stack dimension explicitly.

Are public NTP servers like time.nist.gov accessible over IPv6?

time.nist.gov: AAAA record present, v6 reachable. time.cloudflare.com: full dual-stack with NTS. time.google.com: dual-stack with leap-second smearing. ntp.ntsc.ac.cn: IPv4-only as of April 2026. ntp.rdem-systems.com: dual-stack with NTS. Always verify with 'dig AAAA' before relying on v6 reachability — operators change this without notice.

NTP IPv6 Test | Dual-Stack Validator & AAAA Record Audit

Live IPv6 NTP test

Check whether a server has an AAAA record — and, if the local bridge (v1.1+) is running, measure offset on IPv4 and IPv6 side by side. DNS lookup uses Cloudflare DoH from your browser; the NTP probe goes through ws://localhost:8080.

NTP server

Tested examples: ntp.rdem-systems.com, time.cloudflare.com, 2.pool.ntp.org, time.nist.gov.

Published 20 April 2026 · Updated 12 May 2026 · By Richard DEMONGEOT, RDEM Systems · Target audience: DevOps, network architects, CISOs validating IPv6 rollout against time-synchronisation requirements.

1. Why NTP over IPv6 matters in 2026

IPv6 rollout has crossed the majority threshold for major European ISPs (Orange, Proximus, Deutsche Telekom all above 60%). Internal networks that carry production IPv6 but fall back to IPv4 for NTP create two problems simultaneously:

Operational: an IPv6-only firewall rule or routing change can silently cut time-sync for the subnet — often discovered only when Kerberos fails.
Audit: NIS 2 auditors reading the ICT supply-chain control (Art. 21(2)(d)(e)) expect the time-sync layer to follow the same availability and authentication guarantees as the rest of the stack. "We have IPv6 but our NTP is IPv4-only" is a documented gap.

2. AAAA resolution: what the DNS returns

Before NTP can speak IPv6, the resolver must return an AAAA record. Check with dig:

$ dig AAAA ntp.rdem-systems.com +short
2a01:e0a:4bc:5110::1

$ dig AAAA time.cloudflare.com +short
2606:4700:f1::1
2606:4700:f1::123

$ dig AAAA time.nist.gov +short
2610:20:6f15:15::27

An empty response means the operator has not published an AAAA record — you must choose another source for dual-stack. time.ntsc.ac.cn, for example, is IPv4-only as of April 2026.

3. pool.ntp.org and IPv6 — the subzone trick

The project-wide zone pool.ntp.org returns mixed A and AAAA, weighted by the percentage of volunteer servers in each family. Because IPv4 servers outnumber IPv6 by roughly 3:1, a client querying pool.ntp.org often receives four A records and no AAAA — effectively IPv4-only behaviour.

The workaround is the statistical subzone structure:

Zone	AAAA probability	Recommended for
`0.pool.ntp.org`	Very low (~5%)	Legacy IPv4 clients
`1.pool.ntp.org`	Low (~10%)	Mostly IPv4
`2.pool.ntp.org`	High (~70%)	IPv6-preferred clients
`3.pool.ntp.org`	High (~70%)	IPv6-preferred clients

Best practice for dual-stack chrony/ntpd configuration:

# Favour IPv6 where available
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
# Explicit dual-stack anchors (AAAA guaranteed)
server time.cloudflare.com iburst nts
server ntp.rdem-systems.com iburst nts

4. How to test IPv6 NTP (CLI and browser)

Browser-based

Use the Compliance Validator in Bridge Mode with an IPv6-formatted target ([2a01:e0a:4bc:5110::1] or the hostname on an IPv6-only egress network). The bridge relays the NTPv4 packet via your local Node.js process, so DNS resolution and routing reflect your workstation's real network stack.

Linux — forced v6 probe

$ ntpdate -q -6 ntp.rdem-systems.com
server 2a01:e0a:4bc:5110::1, stratum 1, offset +0.000412, delay 0.01912

$ sntp -6 ntp.rdem-systems.com
+0.000412 +/- 0.001243 ntp.rdem-systems.com 2a01:e0a:4bc:5110::1 s1 no-leap

chrony explicit-family configuration

# /etc/chrony/chrony.conf
# Force IPv6-only query
server ntp.rdem-systems.com iburst family ipv6
# Dual-stack with preference
pool 2.pool.ntp.org iburst

Windows — w32tm

> w32tm /monitor /computers:ntp.rdem-systems.com
ntp.rdem-systems.com[2a01:e0a:4bc:5110::1:123]:
    ICMP: 12ms delay
    NTP: -0.0002341s offset from local clock
    RefID: 'GNSS' [0x53534E47]
    Stratum: 1

5. v4 vs v6 offset comparison

Probe the same hostname on both families and compare. A well-operated dual-stack source shows near-identical offset and sub-5 ms RTD variance:

$ sntp -4 ntp.rdem-systems.com
+0.000398 +/- 0.001200 ntp.rdem-systems.com 51.159.173.61 s1 no-leap

$ sntp -6 ntp.rdem-systems.com
+0.000412 +/- 0.001243 ntp.rdem-systems.com 2a01:e0a:4bc:5110::1 s1 no-leap

# Offset delta: 0.014 ms  — within measurement noise, healthy
# RTD delta: 0.043 ms     — healthy

6. Reliable dual-stack NTP sources (April 2026)

Source	IPv4	IPv6	NTS	Stratum
`ntp.rdem-systems.com`	✓	✓	✓	1
`time.cloudflare.com`	✓	✓	✓	3 (anycast)
`time.google.com`	✓	✓	—	1 (leap-smeared)
`time.nist.gov`	✓	✓	—	1
`ntp1.ptb.de`	✓	✓	—	1
`nts.netnod.se`	✓	✓	✓	1
`2.pool.ntp.org`	✓	✓ (70%)	—	Variable

For audit-grade configurations, prefer three sources with full dual-stack + NTS: for example ntp.rdem-systems.com, time.cloudflare.com, nts.netnod.se.

7. NIS 2 / ISO 27001 dual-stack evidence

Auditors will ask: can the essential/important entity's time-sync continue operating if either the v4 or v6 path is degraded? The evidence pack:

AAAA resolution log — output of dig AAAA on each configured source, dated, retained.
Dual-family query log — chrony sources output showing both A and AAAA records for at least one common source.
Single-family failover test — documented procedure that cuts v4 (or v6) at the firewall and confirms clock stays synchronised via the other family within 2 minutes.
Change-management record — any modification to NTP configuration ticketed alongside the corresponding routing or firewall change.

Cross-reference: our NIS 2 NTP requirements page lists this under the 10-control checklist, and the full audit checklist expands the supply-chain diversification argument. For the specific control alignment, see ISO 27001 Annex A.8.17 and PCI-DSS Requirement 10.6.

Not here for audit? Use the right tool:

Measure jitter, offset, latency → ntp-tester.eu
Diagnose firewall / port 123 / daemon → check-ntp.net
Enterprise reference architecture → ntp.rdem-systems.com