Does pool.ntp.org support IPv6?

Yes, but the default pool.ntp.org zone returns mixed A and AAAA records, which many clients interpret as IPv4-only. Use the dedicated zones 2.pool.ntp.org and 3.pool.ntp.org which are statistically more likely to return AAAA records, or query explicit AAAA records with 'dig AAAA 2.pool.ntp.org'. For guaranteed IPv6, configure a known IPv6-capable source such as ntp.rdem-systems.com, time.cloudflare.com, or nts.netnod.se.

How do I test if my NTP server responds on IPv6?

Three methods: (1) 'ntpdate -q -6 <server>' forces IPv6 resolution. (2) 'sntp -6 <server>' does the same for the systemd SNTP client. (3) 'dig AAAA <server>' checks if the DNS record exists before NTP is even consulted. For internal servers, use our RFC 1918 bridge mode with an IPv6 address like fe80:: or 2001:db8::.

Why is my NTP offset different on IPv6 vs IPv4?

Different routing paths: IPv6 packets often traverse fewer hops than IPv4 because the IPv6 backbone has less deep-packet inspection and fewer NAT boundaries. A 2–10 ms offset difference between v4 and v6 to the same hostname is normal when the server has distinct v4 and v6 addresses reaching different POPs via anycast. Consistently larger differences indicate asymmetric routing or a tunnelled IPv6 (6in4) path.

Does NIS 2 require NTP over IPv6?

NIS 2 Article 21 does not name IPv6 explicitly, but Article 21(2)(d) — ICT product supply-chain security — and (2)(e) — network-level diversification — effectively require dual-stack for entities whose network already carries IPv6. An IPv6-only internal segment that cannot reach an authenticated time source via NTS/NTP over v6 fails the risk-proportionality test. Our audit checklist covers the dual-stack dimension explicitly.

Are public NTP servers like time.nist.gov accessible over IPv6?

time.nist.gov: AAAA record present, v6 reachable. time.cloudflare.com: full dual-stack with NTS. time.google.com: dual-stack with leap-second smearing. ntp.ntsc.ac.cn: IPv4-only as of April 2026. ntp.rdem-systems.com: dual-stack with NTS. Always verify with 'dig AAAA' before relying on v6 reachability — operators change this without notice.

NTP IPv6 Test | Dual-Stack Validator & AAAA Record Audit

Published 20 April 2026 · By Richard DEMONGEOT, RDEM Systems · Target audience: DevOps, network architects, CISOs validating IPv6 rollout against time-synchronisation requirements.

On this page

1. Why NTP over IPv6 matters in 2026
2. AAAA resolution: what the DNS returns
3. pool.ntp.org and IPv6 — the subzone trick
4. How to test IPv6 NTP (CLI and browser)
5. v4 vs v6 offset comparison
6. Reliable dual-stack NTP sources (April 2026)
7. NIS 2 / ISO 27001 dual-stack evidence

1. Why NTP over IPv6 matters in 2026

IPv6 rollout has crossed the majority threshold for major European ISPs (Orange, Proximus, Deutsche Telekom all above 60%). Internal networks that carry production IPv6 but fall back to IPv4 for NTP create two problems simultaneously:

Operational: an IPv6-only firewall rule or routing change can silently cut time-sync for the subnet — often discovered only when Kerberos fails.
Audit: NIS 2 auditors reading the ICT supply-chain control (Art. 21(2)(d)(e)) expect the time-sync layer to follow the same availability and authentication guarantees as the rest of the stack. "We have IPv6 but our NTP is IPv4-only" is a documented gap.

Practical rule. If your workload runs on IPv6 for any other service, your NTP must also reach an authenticated source over IPv6. The audit cost of admitting otherwise is higher than the one-line configuration fix.

2. AAAA resolution: what the DNS returns

Before NTP can speak IPv6, the resolver must return an AAAA record. Check with dig:

$ dig AAAA ntp.rdem-systems.com +short
2a01:e0a:4bc:5110::1

$ dig AAAA time.cloudflare.com +short
2606:4700:f1::1
2606:4700:f1::123

$ dig AAAA time.nist.gov +short
2610:20:6f15:15::27

An empty response means the operator has not published an AAAA record — you must choose another source for dual-stack. time.ntsc.ac.cn, for example, is IPv4-only as of April 2026.

3. pool.ntp.org and IPv6 — the subzone trick

The project-wide zone pool.ntp.org returns mixed A and AAAA, weighted by the percentage of volunteer servers in each family. Because IPv4 servers outnumber IPv6 by roughly 3:1, a client querying pool.ntp.org often receives four A records and no AAAA — effectively IPv4-only behaviour.

The workaround is the statistical subzone structure:

Zone	AAAA probability	Recommended for
`0.pool.ntp.org`	Very low (~5%)	Legacy IPv4 clients
`1.pool.ntp.org`	Low (~10%)	Mostly IPv4
`2.pool.ntp.org`	High (~70%)	IPv6-preferred clients
`3.pool.ntp.org`	High (~70%)	IPv6-preferred clients

Best practice for dual-stack chrony/ntpd configuration:

# Favour IPv6 where available
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
# Explicit dual-stack anchors (AAAA guaranteed)
server time.cloudflare.com iburst nts
server ntp.rdem-systems.com iburst nts

4. How to test IPv6 NTP (CLI and browser)

Browser-based

Use the Compliance Validator in Bridge Mode with an IPv6-formatted target ([2a01:e0a:4bc:5110::1] or the hostname on an IPv6-only egress network). The bridge relays the NTPv4 packet via your local Node.js process, so DNS resolution and routing reflect your workstation's real network stack.

Linux — forced v6 probe

$ ntpdate -q -6 ntp.rdem-systems.com
server 2a01:e0a:4bc:5110::1, stratum 1, offset +0.000412, delay 0.01912

$ sntp -6 ntp.rdem-systems.com
+0.000412 +/- 0.001243 ntp.rdem-systems.com 2a01:e0a:4bc:5110::1 s1 no-leap

chrony explicit-family configuration

# /etc/chrony/chrony.conf
# Force IPv6-only query
server ntp.rdem-systems.com iburst family ipv6
# Dual-stack with preference
pool 2.pool.ntp.org iburst

Windows — w32tm

> w32tm /monitor /computers:ntp.rdem-systems.com
ntp.rdem-systems.com[2a01:e0a:4bc:5110::1:123]:
    ICMP: 12ms delay
    NTP: -0.0002341s offset from local clock
    RefID: 'GNSS' [0x53534E47]
    Stratum: 1

5. v4 vs v6 offset comparison

Probe the same hostname on both families and compare. A well-operated dual-stack source shows near-identical offset and sub-5 ms RTD variance:

$ sntp -4 ntp.rdem-systems.com
+0.000398 +/- 0.001200 ntp.rdem-systems.com 51.159.173.61 s1 no-leap

$ sntp -6 ntp.rdem-systems.com
+0.000412 +/- 0.001243 ntp.rdem-systems.com 2a01:e0a:4bc:5110::1 s1 no-leap

# Offset delta: 0.014 ms  — within measurement noise, healthy
# RTD delta: 0.043 ms     — healthy

Red flags. An offset delta > 20 ms between v4 and v6 to the same hostname typically indicates: (1) asymmetric routing — one family traverses a tunnel, (2) different backend servers behind the same anycast address, (3) broken time-sync on one of the two dual-stack instances. Investigate before trusting the combined clock.

6. Reliable dual-stack NTP sources (April 2026)

Source	IPv4	IPv6	NTS	Stratum
`ntp.rdem-systems.com`	✓	✓	✓	1
`time.cloudflare.com`	✓	✓	✓	3 (anycast)
`time.google.com`	✓	✓	—	1 (leap-smeared)
`time.nist.gov`	✓	✓	—	1
`ntp1.ptb.de`	✓	✓	—	1
`nts.netnod.se`	✓	✓	✓	1
`2.pool.ntp.org`	✓	✓ (70%)	—	Variable

For audit-grade configurations, prefer three sources with full dual-stack + NTS: for example ntp.rdem-systems.com, time.cloudflare.com, nts.netnod.se.

Why we know this field. RDEM Systems operates its own IPv6 address space under AS206014, runs dual-stack NTP on every node, and participates in the public NTP Pool project with both A and AAAA records. The reference servers documented above — including our French NTP servers and the NTS-enabled endpoints — are the same infrastructure that backs this validator. Every claim on this page was first validated against our own production telemetry before being published.

7. NIS 2 / ISO 27001 dual-stack evidence

Auditors will ask: can the essential/important entity's time-sync continue operating if either the v4 or v6 path is degraded? The evidence pack:

AAAA resolution log — output of dig AAAA on each configured source, dated, retained.
Dual-family query log — chrony sources output showing both A and AAAA records for at least one common source.
Single-family failover test — documented procedure that cuts v4 (or v6) at the firewall and confirms clock stays synchronised via the other family within 2 minutes.
Change-management record — any modification to NTP configuration ticketed alongside the corresponding routing or firewall change.

Cross-reference: our NIS 2 NTP requirements page lists this under the 10-control checklist, and the full audit checklist expands the supply-chain diversification argument.

Need audit-ready evidence?

Use the Compliance Validator to probe your infrastructure on both IPv4 and IPv6 and export results for the audit file.

Run the Validator → NIS 2 Requirements

NTP IPv6 TestDual-Stack Validator & AAAA Audit