TLD nameserver time survey.

Roy Arends <roy@logmess.com> Tue, 05 August 2003 11:01 UTC

Received: from nic.cafax.se (nic.cafax.se [192.71.228.17]) by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA07155 for <dnsop-archive@lists.ietf.org>; Tue, 5 Aug 2003 07:01:34 -0400 (EDT)
Received: from nic.cafax.se (localhost [127.0.0.1]) by nic.cafax.se (8.12.10.Beta0/8.12.10.Beta0) with ESMTP id h75AUM8W008354 for <dnsop-outgoing@nic.cafax.se>; Tue, 5 Aug 2003 12:30:22 +0200 (MEST)
Received: from localhost (localhost [[UNIX: localhost]]) by nic.cafax.se (8.12.10.Beta0/8.12.10.Beta0/Submit) id h75AULxi008353 for dnsop-outgoing; Tue, 5 Aug 2003 12:30:21 +0200 (MEST)
X-Authentication-Warning: nic.cafax.se: majordom set sender to owner-dnsop@cafax.se using -f
Received: from elektron.atoom.net (vhe-530008.sshn.net [195.169.222.38]) by nic.cafax.se (8.12.10.Beta0/8.12.10.Beta0) with ESMTP id h75AUL8W008348 for <dnsop@cafax.se>; Tue, 5 Aug 2003 12:30:21 +0200 (MEST)
Received: from elektron.atoom.net (localhost [127.0.0.1]) by elektron.atoom.net (8.12.9/8.12.9/Debian-5) with ESMTP id h75AUA43021112 for <dnsop@cafax.se>; Tue, 5 Aug 2003 12:30:11 +0200
Received: from localhost (roy@localhost) by elektron.atoom.net (8.12.9/8.12.9/Debian-5) with ESMTP id h75AU9ed021108 for <dnsop@cafax.se>; Tue, 5 Aug 2003 12:30:09 +0200
X-Authentication-Warning: elektron.atoom.net: roy owned process doing -bs
Date: Tue, 05 Aug 2003 12:30:06 +0200
From: Roy Arends <roy@logmess.com>
X-X-Sender: roy@elektron.atoom.net
To: dnsop@cafax.se
Subject: TLD nameserver time survey.
Message-ID: <Pine.LNX.4.56.0308051055450.2490@elektron.atoom.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Status: No, hits=-0.5 required=5.0 tests=USER_AGENT_PINE,X_AUTH_WARNING version=2.55
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Virus-Scanned: by amavisd-new
Sender: owner-dnsop@cafax.se
Precedence: bulk

Hello,

I've done a small survey wrt tld nameserver set. Results are below.

Comments are sollicited.

Thanks, regards

Roy

----

Introduction.

   Securing the DNS system has a common requirement. The set of systems,
   including stub resolvers, recursive resolvers and authoritative servers
   need to agree on time when DNS protocols such as TSIG, SIG(0)  and
   DNSSEC are involved. In the scope of those protocols, time is a
   factor in the defense against replay attacks.

   Time may be less a factor for authoritative nameservers regardless
   whether DNSSEC is involved, since it is recommended that signing DNS
   data for DNSSEC is done offline, i.e. an authoritative nameserver does
   not need to be in sync for purposes of answering a query. Note that a
   secured zonetransfer (TSIG/SIG(0) + IXFR/AXFR) requires the servers
   to be in sync.

   A recursive nameserver needs to be in sync to verify DNSSEC data.
   Recursive nameservers were not part of this survey, though some servers
   in this survey happen to offer recursion.

Time Survey.

   As an indication, clocks at authoritative nameservers responsible for
   the top level domains (TLDs) were compared against 'actual time'.

   As input for this exercise, the NSDNAME value in authoritative name
   server resource records (NS) in the Root Zone (SOA:2003073101) were
   resolved for their addresses. A unique pair of name and address is
   regarded as a single nameserver for this survey. These nameservers were
   queried [1] for their clock value. Not every server responded, which
   does not imply that a name server was not running.

   A received clock value is then subtracted by the 'actual time'. This
   actual time is the mean of recorded time 'on send' and 'on receive'.
   The recorded time has been synchronized through NTP with a set of
   stratum 1 time servers connected to GPS receivers.

   There is a 'response timeout' of 2 seconds which implies that there may
   be a 2 second fault. Values outside this fault window can be considered
   "out of sync".

   To give an indication of where a server set for a domain exist in time,
   the 'range' is shown for a domain.

   Say the TLD example has 5 nameservers, with the following offset:

        ns1.example   -50 seconds
        ns2.example   -12 seconds
        ns3.example     1 seconds
        ns4.example    77 seconds
        ns3.example   150 seconds

   Then 'range' for TLD 'example' is 200 (i.e. -50 to 150).

   Only domains with a range larger then 4 seconds are mentioned below.

   Note that a single nameserver may serve multiple zones. If this single
   nameserver is N seconds out of sync, all zones served by this server
   will be at least N seconds out of sync.

   Domain   Range  Domain   Range  Domain   Range  Domain   Range

   VU.      6      EDU.     7      GOV.     7      KH.      7
   NAME.    7      ORG.     7      SB.      8      JM.      11
   SG.      11     SO.      13     GF.      15     AO.      17
   BG.      17     BM.      17     CV.      17     CZ.      17
   EE.      17     HR.      17     IS.      17     LV.      17
   MY.      17     NG.      17     NL.      17     PT.      17
   RU.      17     SI.      17     SK.      17     ST.      17
   YU.      17     SE.      18     UA.      19     IL.      35
   AU.      39     PL.      39     VI.      51     HK.      61
   TR.      61     PN.      77     SY.      86     MN.      93
   NR.      102    KW.      118    NP.      120    MA.      125
   SC.      135    FM.      142    CU.      159    DJ.      162
   BZ.      163    HU.      164    BB.      165    LU.      167
   UZ.      178    NE.      185    MZ.      208    LY.      212
   AD.      231    EG.      281    GM.      281    IT.      299
   ET.      316    GT.      337    TT.      339    GE.      389
   HN.      413    ES.      459    AR.      470    UY.      470
   GG.      472    JE.      472    LT.      492    GH.      507
   LK.      514    BH.      533    QA.      613    KY.      634
   KR.      642    EC.      667    TN.      715    MO.      717
   CL.      728    DK.      762    RO.      767    VN.      788
   IQ.      824    IN.      826    AI.      908    GQ.      960
   CN.      962    MT.      976    KZ.      979    AN.      1041
   KM.      1077   JO.      1109   BN.      1143   KE.      1254
   TH.      1271   MD.      1338   AW.      1669   CA.      1677
   NU.      1824   PRO.     1980   ML.      2231   MR.      2349
   CY.      2449   TW.      2482   MG.      2928   PR.      3066
   MQ.      3312   BO.      3523   YE.      3555   DZ.      3669
   SD.      3767   IE.      3989   MIL.     3989   INT.     4381
   MUSEUM.  4475   TD.      4957   MH.      5608   TG.      5913
   GR.      5955   AL.      7217   CC.      7725   DM.      7725
   SN.      7871   BY.      8949   BI.      11563  CD.      11563
   CG.      11563  RW.      11563  IR.      12879  PK.      13242
   PY.      14491  BJ.      17872  LB.      25200  OM.      28715
   DO.      29051  MW.      29189  VE.      29574  CR.      42495
   PA.      42495  NI.      43387  SV.      43819  WS.      46440
   GP.      49643  SL.      54184  UG.      56973  NF.      60523
   HM.      84227  CX.      87640

   [1] The methodology, tools, raw data and more in-depth analysis are not
   made public here yet to allow operators to sync their nameservers. It
   is however trivial and no secret to many, to determine a servers
   timestamp.
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.