rkik - Rusty Klock Inspection Kit
Think
dig, but for time sources. No daemon, no root, no config to touch.
rkik queries NTP, NTS, and PTP servers and tells you what they say — offset, RTT, stratum, authentication status. One shot, stateless, done.
Why rkik?
- Passive by design. It never touches your system clock unless you explicitly ask (
--sync). Run it anywhere, as anyone. - NTS that actually works. rkik-nts 1.0.0 is the first CLI implementation of RFC 8915 verified against real public servers (
time.cloudflare.com,nts.ntp.se). Older tools either skip authentication or implement it wrong. - Three protocols, one tool. NTP over IPv4/IPv6, NTS with full TLS diagnostics, and PTP/IEEE 1588 — all with compare mode, JSON output, and Nagios/Centreon plugin support.
Demo
$ rkik --nts time.cloudflare.com -v
Server: time.cloudflare.com [NTS Authenticated]
IP: 162.159.200.1:123
UTC Time: Tue, 28 Apr 2026 14:32:10 +0000
Local Time: 2026-04-28 16:32:10
Clock Offset: 1.243 ms
Round Trip Delay: 14.871 ms
=== NTS-KE Diagnostics ===
Handshake Duration: 87.342 ms
Cookies Received: 8 cookies
AEAD Algorithm: AEAD_AES_SIV_CMAC_256
NTP Server: 162.159.200.1:123
=== TLS Certificate ===
Subject: CN=time.cloudflare.com
Issuer: C=US, O=DigiCert Inc, CN=GeoTrust TLS ECC CA G1
Valid: 2025-02-10 → 2026-03-12
Fingerprint (SHA-256): 4b060f4d...462119
SANs: time.cloudflare.com
Installation
Arch Linux (AUR):
Nix / NixOS:
DEB / RPM / tar.gz: grab the latest from GitHub Releases.
# Debian / Ubuntu
# Fedora / RHEL / Alma / Rocky
Quick start
# Basic NTP probe
# NTS — cryptographically authenticated
# Compare a few servers side by side
# Plugin output for Nagios / Centreon / Zabbix
# JSON, prettified
NTP
Output:
Server: time.google.com
IP: 216.239.35.4:123
UTC Time: Tue, 28 Apr 2026 14:32:08 +0000
Local Time: 2026-04-28 16:32:08
Clock Offset: 0.312 ms
Round Trip Delay: 9.449 ms
NTS — Network Time Security ★
NTS (RFC 8915) is authenticated NTP — every packet is verified with AEAD encryption, so you know the response hasn't been tampered with.
When something goes wrong, rkik tells you what kind of failure it is:
| Kind | Meaning |
|---|---|
aead_failure |
AEAD verification failed — possible tampering |
missing_authenticator |
Authenticator extension absent in response |
unauthenticated_response |
Server completed NTS-KE but sent plain NTP |
ke_handshake_failed |
TLS or NTS-KE handshake failed |
timeout |
Connection timed out |
Security-critical failures (aead_failure, missing_authenticator, unauthenticated_response, invalid_unique_id, invalid_origin_timestamp) exit with code 2 in plugin mode.
See docs/user-guide.md#nts for the full error reference.
PTP — Precision Time Protocol
PTP mode (IEEE 1588-2019) is Linux-only and requires the ptp feature (on by default).
See docs/user-guide.md#ptp for flags and output format.
Plugin mode
# → RKIK OK - offset 4.006ms rtt 9.449ms from time.google.com (216.239.35.4) | offset_ms=4.006ms;50;200;0; rtt_ms=9.449ms;;;0;
Exit codes: 0 OK · 1 WARNING · 2 CRITICAL · 3 UNKNOWN (request failed or security error)
Debugging a time issue
Your monitoring fires a time alert on ntp.server.local. You don't know yet whether the problem is that server or its upstream.
Five seconds of drift, and you can see the upstream. Check it directly:
Same offset upstream. The problem isn't your server — it's the reference. Time to point it somewhere else.
For developers
rkik is split into a library and a CLI. The library has no clap, no process::exit, no terminal code — just async functions you can call directly.
[]
= { = "2", = false, = ["json"] }
= { = "1", = ["rt-multi-thread", "macros"] }
use query_one;
use Duration;
let r = query_one.await?;
println!;
Full API reference, architecture overview, and contribution guide: docs/developer-guide.md
To contribute, see CONTRIBUTING — issues labelled good first issue are a good starting point.