TLD nameserver time survey.
Roy Arends <roy@logmess.com> Tue, 05 August 2003 11:01 UTC
Received: from nic.cafax.se (nic.cafax.se [192.71.228.17]) by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA07155 for <dnsop-archive@lists.ietf.org>; Tue, 5 Aug 2003 07:01:34 -0400 (EDT)
Received: from nic.cafax.se (localhost [127.0.0.1]) by nic.cafax.se (8.12.10.Beta0/8.12.10.Beta0) with ESMTP id h75AUM8W008354 for <dnsop-outgoing@nic.cafax.se>; Tue, 5 Aug 2003 12:30:22 +0200 (MEST)
Received: from localhost (localhost [[UNIX: localhost]]) by nic.cafax.se (8.12.10.Beta0/8.12.10.Beta0/Submit) id h75AULxi008353 for dnsop-outgoing; Tue, 5 Aug 2003 12:30:21 +0200 (MEST)
X-Authentication-Warning: nic.cafax.se: majordom set sender to owner-dnsop@cafax.se using -f
Received: from elektron.atoom.net (vhe-530008.sshn.net [195.169.222.38]) by nic.cafax.se (8.12.10.Beta0/8.12.10.Beta0) with ESMTP id h75AUL8W008348 for <dnsop@cafax.se>; Tue, 5 Aug 2003 12:30:21 +0200 (MEST)
Received: from elektron.atoom.net (localhost [127.0.0.1]) by elektron.atoom.net (8.12.9/8.12.9/Debian-5) with ESMTP id h75AUA43021112 for <dnsop@cafax.se>; Tue, 5 Aug 2003 12:30:11 +0200
Received: from localhost (roy@localhost) by elektron.atoom.net (8.12.9/8.12.9/Debian-5) with ESMTP id h75AU9ed021108 for <dnsop@cafax.se>; Tue, 5 Aug 2003 12:30:09 +0200
X-Authentication-Warning: elektron.atoom.net: roy owned process doing -bs
Date: Tue, 05 Aug 2003 12:30:06 +0200
From: Roy Arends <roy@logmess.com>
X-X-Sender: roy@elektron.atoom.net
To: dnsop@cafax.se
Subject: TLD nameserver time survey.
Message-ID: <Pine.LNX.4.56.0308051055450.2490@elektron.atoom.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-dnsop@cafax.se
Precedence: bulk
Hello,

I've done a small survey wrt tld nameserver set. Results are below. Comments are solicited.

Thanks, regards

Roy

----

Introduction.

Securing the DNS system has a common requirement. The set of systems, including stub resolvers, recursive resolvers and authoritative servers need to agree on time when DNS protocols such as TSIG, SIG(0) and DNSSEC are involved. In the scope of those protocols, time is a factor in the defense against replay attacks.

Time may be less a factor for authoritative nameservers regardless whether DNSSEC is involved, since it is recommended that signing DNS data for DNSSEC is done offline, i.e. an authoritative nameserver does not need to be in sync for purposes of answering a query. Note that a secured zonetransfer (TSIG/SIG(0) + IXFR/AXFR) requires the servers to be in sync. A recursive nameserver needs to be in sync to verify DNSSEC data. Recursive nameservers were not part of this survey, though some servers in this survey happen to offer recursion.

Time Survey.

As an indication, clocks at authoritative nameservers responsible for the top level domains (TLDs) were compared against 'actual time'. As input for this exercise, the NSDNAME value in authoritative name server resource records (NS) in the Root Zone (SOA:2003073101) were resolved for their addresses. A unique pair of name and address is regarded as a single nameserver for this survey. These nameservers were queried [1] for their clock value. Not every server responded, which does not imply that a name server was not running.

A received clock value is then subtracted by the 'actual time'. This actual time is the mean of recorded time 'on send' and 'on receive'. The recorded time has been synchronized through NTP with a set of stratum 1 time servers connected to GPS receivers. There is a 'response timeout' of 2 seconds which implies that there may be a 2 second fault. Values outside this fault window can be considered "out of sync".
To give an indication of where a server set for a domain exists in time, the 'range' is shown for a domain. Say the TLD example has 5 nameservers, with the following offset:

    ns1.example   -50 seconds
    ns2.example   -12 seconds
    ns3.example     1 second
    ns4.example    77 seconds
    ns3.example   150 seconds

Then 'range' for TLD 'example' is 200 (i.e. -50 to 150). Only domains with a range larger than 4 seconds are mentioned below.

Note that a single nameserver may serve multiple zones. If this single nameserver is N seconds out of sync, all zones served by this server will be at least N seconds out of sync.

    Domain   Range    Domain   Range    Domain   Range    Domain   Range
    VU.          6    EDU.         7    GOV.         7    KH.          7
    NAME.        7    ORG.         7    SB.          8    JM.         11
    SG.         11    SO.         13    GF.         15    AO.         17
    BG.         17    BM.         17    CV.         17    CZ.         17
    EE.         17    HR.         17    IS.         17    LV.         17
    MY.         17    NG.         17    NL.         17    PT.         17
    RU.         17    SI.         17    SK.         17    ST.         17
    YU.         17    SE.         18    UA.         19    IL.         35
    AU.         39    PL.         39    VI.         51    HK.         61
    TR.         61    PN.         77    SY.         86    MN.         93
    NR.        102    KW.        118    NP.        120    MA.        125
    SC.        135    FM.        142    CU.        159    DJ.        162
    BZ.        163    HU.        164    BB.        165    LU.        167
    UZ.        178    NE.        185    MZ.        208    LY.        212
    AD.        231    EG.        281    GM.        281    IT.        299
    ET.        316    GT.        337    TT.        339    GE.        389
    HN.        413    ES.        459    AR.        470    UY.        470
    GG.        472    JE.        472    LT.        492    GH.        507
    LK.        514    BH.        533    QA.        613    KY.        634
    KR.        642    EC.        667    TN.        715    MO.        717
    CL.        728    DK.        762    RO.        767    VN.        788
    IQ.        824    IN.        826    AI.        908    GQ.        960
    CN.        962    MT.        976    KZ.        979    AN.       1041
    KM.       1077    JO.       1109    BN.       1143    KE.       1254
    TH.       1271    MD.       1338    AW.       1669    CA.       1677
    NU.       1824    PRO.      1980    ML.       2231    MR.       2349
    CY.       2449    TW.       2482    MG.       2928    PR.       3066
    MQ.       3312    BO.       3523    YE.       3555    DZ.       3669
    SD.       3767    IE.       3989    MIL.      3989    INT.      4381
    MUSEUM.   4475    TD.       4957    MH.       5608    TG.       5913
    GR.       5955    AL.       7217    CC.       7725    DM.       7725
    SN.       7871    BY.       8949    BI.      11563    CD.      11563
    CG.      11563    RW.      11563    IR.      12879    PK.      13242
    PY.      14491    BJ.      17872    LB.      25200    OM.      28715
    DO.      29051    MW.      29189    VE.      29574    CR.      42495
    PA.      42495    NI.      43387    SV.      43819    WS.      46440
    GP.      49643    SL.      54184    UG.      56973    NF.      60523
    HM.      84227    CX.      87640

[1] The methodology, tools, raw data and more in-depth analysis are not made public here yet to allow operators to sync their nameservers. It is however trivial and no secret to many, to determine a server's timestamp.

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
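The arithmetic the message describes (offset = remote clock minus the midpoint of local send and receive time, the 2 second fault window from the response timeout, and per-domain 'range' over unique name/address pairs, listed only when it exceeds 4 seconds) is easy to get subtly wrong when scripting a similar check against one's own servers. The following is an added example, not Roy Arends' survey tooling and not the survey's raw data: the probe records are constructed, the clock values are assumed to have been obtained already (the message does not publish how), and it additionally shows how one server serving several zones pulls every one of those zones out of sync, as the message notes.

```python
from collections import defaultdict

RESPONSE_TIMEOUT = 2.0  # survey's response timeout: an offset may be wrong by up to this much
RANGE_THRESHOLD = 4.0   # the survey lists only domains whose range exceeds 4 seconds

# Constructed probe records (hypothetical names and RFC 5737 addresses, not survey data).
# A nameserver is identified by the unique pair (NSDNAME, address). t_send and
# t_recv are local, NTP-synchronised times in seconds; remote_clock is the clock
# value the server returned, or None when it did not answer within the timeout.
PROBES = [
    {"server": ("ns1.example", "192.0.2.1"), "zones": ["EXAMPLE."], "t_send": 1000, "t_recv": 1002, "remote_clock": 951},
    {"server": ("ns2.example", "192.0.2.2"), "zones": ["EXAMPLE."], "t_send": 1000, "t_recv": 1002, "remote_clock": 989},
    {"server": ("ns3.example", "192.0.2.3"), "zones": ["EXAMPLE."], "t_send": 1000, "t_recv": 1002, "remote_clock": 1002},
    {"server": ("ns4.example", "192.0.2.4"), "zones": ["EXAMPLE."], "t_send": 1000, "t_recv": 1002, "remote_clock": 1078},
    {"server": ("ns5.example", "192.0.2.5"), "zones": ["EXAMPLE."], "t_send": 1000, "t_recv": 1002, "remote_clock": 1151},
    # one server that serves two zones: its skew shows up in both
    {"server": ("ns.shared.test", "192.0.2.6"), "zones": ["TEST.", "OTHER."], "t_send": 1000, "t_recv": 1002, "remote_clock": 1031},
    {"server": ("ns2.test", "192.0.2.7"), "zones": ["TEST."], "t_send": 1000, "t_recv": 1002, "remote_clock": 1002},
    {"server": ("ns.other", "192.0.2.8"), "zones": ["OTHER."], "t_send": 1000, "t_recv": 1002, "remote_clock": 1032},
    # no response: says nothing about whether the server is running
    {"server": ("ns.timeout", "192.0.2.9"), "zones": ["OTHER."], "t_send": 1000, "t_recv": 1002, "remote_clock": None},
]


def clock_offset(remote_clock, t_send, t_recv):
    """Remote clock minus 'actual time', where actual time is the mean of the
    local time on send and on receive (halves the round-trip uncertainty)."""
    return remote_clock - (t_send + t_recv) / 2.0


def survey_offsets(probes):
    """Map each answering (name, address) pair to its clock offset in seconds."""
    offsets = {}
    for p in probes:
        if p["remote_clock"] is None:
            continue  # no clock value: no offset, and no conclusion about the server
        offsets[p["server"]] = clock_offset(p["remote_clock"], p["t_send"], p["t_recv"])
    return offsets


def domain_ranges(probes, offsets):
    """Per zone, the spread between the most-behind and most-ahead server."""
    per_zone = defaultdict(list)
    for p in probes:
        if p["server"] in offsets:
            for zone in p["zones"]:
                per_zone[zone].append(offsets[p["server"]])
    return {zone: max(v) - min(v) for zone, v in per_zone.items()}


def out_of_sync(probes, timeout=RESPONSE_TIMEOUT):
    """Servers whose offset exceeds the fault window, with every zone they serve:
    each of those zones is at least that many seconds out of sync."""
    offsets = survey_offsets(probes)
    flagged = {}
    for p in probes:
        srv = p["server"]
        if srv in offsets and abs(offsets[srv]) > timeout:
            flagged[srv] = (offsets[srv], list(p["zones"]))
    return flagged


def report(probes, threshold=RANGE_THRESHOLD):
    """(zone, range) pairs above the reporting threshold, smallest range first,
    in the order the survey's table uses."""
    ranges = domain_ranges(probes, survey_offsets(probes))
    return sorted(((z, r) for z, r in ranges.items() if r > threshold), key=lambda zr: zr[1])


if __name__ == "__main__":
    print("Domain   Range")
    for zone, rng in report(PROBES):
        print(f"{zone:<8} {rng:>6.0f}")
    print("\nOut of sync (|offset| > %.0f s):" % RESPONSE_TIMEOUT)
    for (name, addr), (off, zones) in out_of_sync(PROBES).items():
        print(f"  {name} [{addr}] {off:+.0f} s  -> affects {', '.join(zones)}")
```

With the constructed input, EXAMPLE. reproduces the message's worked case (offsets -50, -12, 1, 77, 150 give a range of 200), OTHER. stays below the threshold and is not listed, and the shared server is the reason TEST. appears at all. The two-zone entry for that server makes the "all zones served by this server" remark concrete: fixing one clock fixes several listed domains at once.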
- TLD nameserver time survey. Roy Arends
- [DNSOP] TLD nameserver time survey... again Roy Arends
- [DNSOP] Re: TLD nameserver time survey... again Stephane Bortzmeyer
- Re: [DNSOP] Re: TLD nameserver time survey... aga… Roy Arends
- [DNSOP] TLD nameserver time survey... yet again Roy Arends
- Re: [DNSOP] TLD nameserver time survey... yet aga… Roy Arends