diff --git a/clientlog.c b/clientlog.c
index 30672b7..72682e1 100644
--- a/clientlog.c
+++ b/clientlog.c
@@ -44,7 +44,7 @@
 #include "util.h"
 #include "logging.h"
 
-#define MAX_SERVICES 2
+#define MAX_SERVICES 3
 
 typedef struct {
 IPAddr ip_addr;
@@ -329,6 +329,10 @@ CLG_Initialise(void)
 if (!CNF_GetNTPRateLimit(&interval, &burst, &lrate))
 continue;
 break;
+ case CLG_NTSKE:
+ if (!CNF_GetNtsRateLimit(&interval, &burst, &lrate))
+ continue;
+ break;
 case CLG_CMDMON:
 if (!CNF_GetCommandRateLimit(&interval, &burst, &lrate))
 continue;
diff --git a/clientlog.h b/clientlog.h
index 513712e..de3eb98 100644
--- a/clientlog.h
+++ b/clientlog.h
@@ -33,6 +33,7 @@
 
 typedef enum {
 CLG_NTP = 0,
+ CLG_NTSKE,
 CLG_CMDMON,
 } CLG_Service;
 
diff --git a/conf.c b/conf.c
index 2474922..d931ef9 100644
--- a/conf.c
+++ b/conf.c
@@ -204,6 +204,10 @@ static int ntp_ratelimit_enabled = 0;
 static int ntp_ratelimit_interval = 3;
 static int ntp_ratelimit_burst = 8;
 static int ntp_ratelimit_leak = 2;
+static int nts_ratelimit_enabled = 0;
+static int nts_ratelimit_interval = 6;
+static int nts_ratelimit_burst = 8;
+static int nts_ratelimit_leak = 2;
 static int cmd_ratelimit_enabled = 0;
 static int cmd_ratelimit_interval = -4;
 static int cmd_ratelimit_burst = 8;
@@ -577,6 +581,9 @@ CNF_ParseLine(const char *filename, int number, char *line)
 no_system_cert = parse_null(p);
 } else if (!strcasecmp(command, "ntpsigndsocket")) {
 parse_string(p, &ntp_signd_socket);
+ } else if (!strcasecmp(command, "ntsratelimit")) {
+ parse_ratelimit(p, &nts_ratelimit_enabled, &nts_ratelimit_interval,
+ &nts_ratelimit_burst, &nts_ratelimit_leak);
 } else if (!strcasecmp(command, "ntstrustedcerts")) {
 parse_string(p, &nts_trusted_cert_file);
 } else if (!strcasecmp(command, "ntscachedir") ||
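Review bot: MAX_SERVICES is maintained by hand here while the CLG_Service enum grows in the clientlog.h hunk, and nothing ties the two together, so a future service added to one but not the other would presumably index the per-service tables past their end without any compile-time complaint. I'd either annotate the define, `#define MAX_SERVICES 3 /* must equal the number of CLG_Service values in clientlog.h */`, or derive it from a trailing count enumerator in the enum so the two cannot drift. The same coupling applies to the clientlog.h hunk.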
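Review bot: Inserting CLG_NTSKE between CLG_NTP and CLG_CMDMON renumbers CLG_CMDMON from 1 to 2. That is harmless while the values only index in-process tables, but if a CLG_Service value ever reaches anything persistent or external (a dump file, a report, the command protocol), the meaning of a stored 1 silently changes; worth confirming, and if there is any doubt, appending `CLG_NTSKE,` after `CLG_CMDMON,` keeps the existing values stable at no cost.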
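Review bot: The new nts_ratelimit_* defaults carry no explanation of their units; the doc hunk states that interval 6 means one connection per 64 seconds, so the interval is a power-of-two exponent of seconds, which `= 6` alone does not convey, and the value deliberately differs from the NTP default of 3 a few lines above. A comment above the group such as `/* NTS-KE rate limit: interval is log2 of the seconds between requests (6 = 64 s) */` would make the choice reviewable next to the NTP and command defaults.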
@@ -2093,6 +2100,16 @@ int CNF_GetNTPRateLimit(int *interval, int *burst, int *leak)
 
 /* ================================================== */
 
+int CNF_GetNtsRateLimit(int *interval, int *burst, int *leak)
+{
+ *interval = nts_ratelimit_interval;
+ *burst = nts_ratelimit_burst;
+ *leak = nts_ratelimit_leak;
+ return nts_ratelimit_enabled;
+}
+
+/* ================================================== */
+
 int CNF_GetCommandRateLimit(int *interval, int *burst, int *leak)
 {
 *interval = cmd_ratelimit_interval;
diff --git a/conf.h b/conf.h
index 045e8c3..01dc38f 100644
--- a/conf.h
+++ b/conf.h
@@ -103,6 +103,7 @@ extern int CNF_GetSchedPriority(void);
 
 extern int CNF_GetLockMemory(void);
 extern int CNF_GetNTPRateLimit(int *interval, int *burst, int *leak);
+extern int CNF_GetNtsRateLimit(int *interval, int *burst, int *leak);
 extern int CNF_GetCommandRateLimit(int *interval, int *burst, int *leak);
 extern void CNF_GetSmooth(double *max_freq, double *max_wander, int *leap_only);
 extern void CNF_GetTempComp(char **file, double *interval, char **point_file, double *T0, double *k0, double *k1, double *k2);
diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc
index 26c4d0b..c3ef2c5 100644
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
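Review bot: CNF_GetNtsRateLimit has no comment stating its contract: the three outputs are written unconditionally and the return value is only the enabled flag, so a caller that reads the outputs without checking the return gets the compiled-in defaults rather than "no limit". CLG_Initialise in the clientlog.c hunk does check the return before using the values, so this is a documentation point; a one-liner such as `/* Returns non-zero if ntsratelimit is enabled; the outputs are always written */` would cover it and would suit the existing NTP and command getters equally.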
@@ -1600,6 +1600,17 @@ This would reduce the response rate for IP addresses sending packets on average more than once per 2 seconds, or sending packets in bursts of more than 16 packets, by up to 75% (with default *leak* of 2).
+[[ntsratelimit]]*ntsratelimit* [_option_]...::
+This directive enables rate limiting of NTS-KE requests. It is similar to the
+<> directive, except the default interval is 6
+(1 connection per 64 seconds).
++
+An example of the use of the directive is:
++
+----
+ntsratelimit interval 3 burst 1
+----
+
 [[smoothtime]]*smoothtime* _max-freq_ _max-wander_ [*leaponly*]::
 The *smoothtime* directive can be used to enable smoothing of the time that
 *chronyd* serves to its clients to make it easier for them to track it and keep
diff --git a/nts_ke_server.c b/nts_ke_server.c
index 45546a9..ca3c04b 100644
--- a/nts_ke_server.c
+++ b/nts_ke_server.c
@@ -209,8 +209,8 @@ accept_connection(int server_fd, int event, void *arg)
 }
 
 SCH_GetLastEventTime(&now, NULL, NULL);
- log_index = CLG_LogServiceAccess(CLG_NTP, &addr.ip_addr, &now);
- if (log_index >= 0 && CLG_LimitServiceRate(CLG_NTP, log_index)) {
+ log_index = CLG_LogServiceAccess(CLG_NTSKE, &addr.ip_addr, &now);
+ if (log_index >= 0 && CLG_LimitServiceRate(CLG_NTSKE, log_index)) {
 DEBUG_LOG("Rejected connection from %s (%s)",
 UTI_IPSockAddrToString(&addr), "rate limit");
 SCK_CloseSocket(sock_fd);
diff --git a/test/unit/clientlog.c b/test/unit/clientlog.c
index f5ab836..850cedf 100644
--- a/test/unit/clientlog.c
+++ b/test/unit/clientlog.c
@@ -36,6 +36,7 @@ test_unit(void)
 "clientloglimit 10000",
 "ratelimit interval 3 burst 4 leak 3",
 "cmdratelimit interval 3 burst 4 leak 3",
+ "ntsratelimit interval 6 burst 8 leak 3",
 };
 
 CNF_Initialise(0, 0);
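Review bot: The limit is still applied only after accept() has returned, so a rate-limited peer has already completed the TCP handshake and consumed an accepted socket before SCK_CloseSocket drops it; switching to CLG_NTSKE makes the decision independent of that address's NTP traffic, which is presumably the intent since an NTS-KE connection costs far more to serve than an NTP packet, but nothing in the code says so. I'd add `/* NTS-KE has its own rate-limit bucket (ntsratelimit), independent of NTP traffic from the same address */` above the CLG_LogServiceAccess call. Note also that a negative log_index means no limit is enforced at all; that predates this change but now governs the NTS-KE path specifically. accept_connection continues outside the hunk.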
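Review bot: The added config line only exercises parsing of the directive; within this hunk nothing asserts anything about CLG_NTSKE, and its values differ from the other two services (`interval 6 burst 8` against `interval 3 burst 4`), so if the rest of test_unit loops over all services with common expectations the NTSKE case will presumably limit at a different rate (64 s versus 8 s, going by the interval semantics in the doc hunk). Either align it with its neighbours, `"ntsratelimit interval 3 burst 4 leak 3",`, or add assertions specific to CLG_NTSKE. test_unit continues outside the hunk.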