[DNSOP] TLD nameserver time survey... again

Roy Arends <roy@dnss.ec> Tue, 13 March 2007 16:49 UTC

Return-path: <dnsop-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRABx-00066C-Rq; Tue, 13 Mar 2007 12:49:41 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRABw-00065w-J1 for dnsop@ietf.org; Tue, 13 Mar 2007 12:49:40 -0400
Received: from trinitario.schlyter.se ([195.47.254.10] helo=mail.schlyter.se) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HRABu-0004ws-3X for dnsop@ietf.org; Tue, 13 Mar 2007 12:49:39 -0400
Received: from [82.94.105.61] (a82-94-105-61.adsl.xs4all.nl [82.94.105.61]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: roy) by mail.schlyter.se (Postfix) with ESMTP id A9C162D4D2 for <dnsop@ietf.org>; Tue, 13 Mar 2007 17:49:34 +0100 (MET)
Mime-Version: 1.0 (Apple Message framework v752.3)
In-Reply-To: <Pine.LNX.4.56.0308051055450.2490@elektron.atoom.net>
References: <Pine.LNX.4.56.0308051055450.2490@elektron.atoom.net>
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <11FB6FD7-7AB6-45AB-86EF-338D93F424C6@dnss.ec>
Content-Transfer-Encoding: 7bit
From: Roy Arends <roy@dnss.ec>
Date: Tue, 13 Mar 2007 17:49:24 +0100
To: IETF DNSOP WG <dnsop@ietf.org>
X-Mailer: Apple Mail (2.752.3)
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e472ca43d56132790a46d9eefd95f0a5
Subject: [DNSOP] TLD nameserver time survey... again
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Errors-To: dnsop-bounces@ietf.org

About 3.5 years ago, I did a survey to see if nameservers,  
authoritative for top level domains, were in sync. Those old results  
can be found at:
http://www.rfc.se/fpdns/timecheck.html

I ran the survey again, in the hope things have improved, but they  
actually got worse.

I've included part of the text I send out back then:

> Time Survey.
>
>    As an indication, clocks at authoritative nameservers  
> responsible for
>    the top level domains (TLDs) were compared against 'actual time'.
>
>    As input for this exercise, the NSDNAME value in authoritative name
>    server resource records (NS) in the Root Zone (SOA:2003073101) were
>    resolved for their addresses. A unique pair of name and address is
>    regarded as a single nameserver for this survey. These  
> nameservers were
>    queried [1] for their clock value. Not every server responded,  
> which
>    does not imply that a name server was not running.

Note that I used the Root Zone version with SOA:2007031201 this time.

>    A received clock value is then subtracted by the 'actual time'.  
> This
>    actual time is the mean of recorded time 'on send' and 'on  
> receive'.
>    The recorded time has been synchronized through NTP with a set of
>    stratum 1 time servers connected to GPS receivers.
>
>    There is a 'response timeout' of 2 seconds which implies that  
> there may
>    be a 2 second fault. Values outside this fault window can be  
> considered
>    "out of sync".
>
>    To give an indication of where a server set for a domain exist  
> in time,
>    the 'range' is shown for a domain.
>
>    Say the TLD example has 5 nameservers, with the following offset:
>
>         ns1.example   -50 seconds
>         ns2.example   -12 seconds
>         ns3.example     1 seconds
>         ns4.example    77 seconds
>         ns3.example   150 seconds
>
>    Then 'range' for TLD 'example' is 200 (i.e. -50 to 150).
>
>    Only domains with a range larger then 4 seconds are mentioned  
> below.
>
>    Note that a single nameserver may serve multiple zones. If this  
> single
>    nameserver is N seconds out of sync, all zones served by this  
> server
>    will be at least N seconds out of sync.

I recently re-ran the script, and the results are below. Note that  
I've not included the domains that are 4 seconds or less out of sync.  
Also included here is root, listed as a single dot.

Domain  Range           Domain  Range           Domain  Range

YU.         8           UZ.       241           GY.      3135
CA.         9           QA.       253           CR.      3175
NF.         9           IR.       258           AL.      3600
EU.        10           CM.       303           MD.      3650
NZ.        11           CD.       318           RO.      3680
SG.        11           RW.       318           TR.      3888
HN.        16           CG.       319           UG.      4395
SN.        19           TN.       348           HT.      4942
PL.        21           VU.       402           MM.      5489
BE.        22           AI.       410           GR.      5639
ID.        22           LB.       415           GG.      5723
KR.        28           MV.       474           JE.      5723
NA.        29           LA.       480           DZ.      6136
UA.        32           CF.       511           BH.      6496
BB.        36           MT.       514           HM.      6620
UY.        36           BW.       524           ZM.      6908
MX.        41           LT.       528           BY.      7440
GH.        57           IT.       555           MQ.      8848
.          60           NE.       585           KH.     10051
ARPA.      60           NP.       588           BT.     10062
CZ.        61           EC.       591           GQ.     12903
DO.        61           MUSEUM.   696           BO.     14806
BD.        63           BZ.       726           JO.     15818
PS.        73           MZ.       737           DM.     15980
TH.        88           OM.       739           GA.     16104
DJ.        95           CI.       755           TJ.     17614
LK.       100           NR.       757           TK.     17982
SB.       126           INT.      805           BA.     21441
CC.       133           SZ.       849           LY.     24933
ET.       133           VA.       989           BJ.     25914
NAME.     133           BI.      1035           YE.     28724
EDU.      134           ER.      1145           PA.     35999
JOBS.     134           TL.      1156           PK.     39921
TV.       134           EG.      1212           SV.     43450
GOV.      152           MR.      1487           VN.     45078
AT.       153           AD.      1532           GP.     89182
MK.       159           EE.      1591           AC.     89940
KM.       182           MY.      1671           TM.     89940
CAT.      189           MA.      1678           IO.     89941
GB.       189           JM.      1840           SH.     89941
KG.       204           TG.      2054           BF.    114772
GF.       205           NI.      2273           SY.    123066
MG.       214           CY.      2519           KW.    330786
BS.       228           SL.      2545           ML.    195229906

Below is a shame list of the nameservers that are at least one hour  
(3600 seconds) out of sync (in the past and future). Yes the first  
one is more than 6 years out of sync.

ciwara.sotelma.ml        217.64.97.50    -195220188
castor.teleglobe.net     199.202.55.2       -115866
ns1.orangecaraibe.com    193.251.160.222     -75305
ns.telefonica-ca.net     216.184.96.4        -43296
ns2.pa                   168.77.8.7          -35845
utama.bolnet.bo          166.114.1.40        -14805
manta.outremer.com       213.16.1.106         -9044
ns2.registry.hm          209.245.20.115       -8077
ns3.registry.hm          202.169.96.24        -5407
ns1.nic.ht               64.86.226.26         -4941
ns2.druknet.bt           202.144.128.210      -4163
web.eahd.or.ug           216.104.202.101      -3778
ns2.batelco.com.bh       193.188.97.212       -3694
itgbox.iat.cnr.it        146.48.65.46          3601
casbah.eldjazair.net.dz  193.194.81.45         3773
ns5.nic.tr               213.139.255.18        3889
ns1.microlink.zm         193.220.20.30         4378
grdns-us.ics.forth.gr    192.0.34.138          5509
ns1.druknet.bt           202.144.128.200       5899
ns1.zamnet.zm            196.46.192.26         6137
nyali.inet.ga            217.77.71.33          6412
dns2.net.sy              66.198.41.14          7200
dns.belpak.by            193.232.248.45        7441
dogon.sotelma.ml         217.64.98.75          9718
ns.camnet.com.kh         203.223.32.3         10051
bow.intnet.gq            193.251.153.78       12904
ns1.nic.gp               193.218.114.2        13877
petra.nic.gov.jo         193.188.66.2         14408
ns1.nic.dm               208.0.224.114        14471
ogooue.inet.ga           217.77.71.1          16105
ns.tojikiston.com        193.111.11.2         17614
root-c.taloha.tk         207.36.228.217       17982
ns.ba                    195.130.35.5         21441
ns0.mpt.net.mm           203.81.64.20         21760
dns1.lttnet.net          62.68.42.9           24771
dns.lttnet.net           62.240.36.9          24934
nakayo.leland.bj         81.91.225.1          25915
dns2.kw                  161.252.48.150       27045
ns1.mpt.net.mm           203.81.64.19         27249
sah2.ye                  195.94.0.35          28656
ns.pknic.net.pk          207.44.136.109       39922
dns-hcm01.vnnic.net.vn   203.162.87.66        45079
ns3.icb.co.uk            217.199.188.61       88287
ns3.icb.co.uk            217.199.188.61       88288
dns1.kw                  161.252.48.140      330833

Regards,

Roy


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop