A secure version of NTP with TLS and AEAD is a proposed standard and documented in RFC 8915.
NTS is a method for using TLS/SSL to authenticate NTP traffic on the net. That means that bad guys can’t forge packets that will give your system bogus time.
It is specified in RFC 8915, published in September 2020.
Note: The NTP Pool does not currently support NTS.
It is strongly suggested that you get a "normal", unauthenticated, NTP server working before enabling NTS. This may reduce the time spent debugging. See the Client Quick Start Guide.
While NTPsec already supported NTS as RFC 8915 still was in the draft phase, there unfortunately were incompatible changes introduced shortly before it was published. As a result, while NTPsec-versions before 1.1.9 do in principle support NTS, they cannot talk to any NTS servers or clients that implement the final RFC, which includes NTPsec-versions from 1.1.9 onwards. And NTPsec 1.1.9 requires manually specifying the correct port number (4460), because it still defaulted to 123. 1.2.0 is the first version of NTPsec to fully support NTS as specified in RFC 8915.