Message-ID: <20030805112320.GB19903@netsys.com>
From: len at netsys.com (Len Rose)
Subject: [roy@...mess.com: TLD nameserver time survey.]
----- Forwarded message from Roy Arends <roy@...mess.com> -----
Date: Tue, 5 Aug 2003 12:30:06 +0200 (CEST)
From: Roy Arends <roy@...mess.com>
To: dnsop@...ax.se
Subject: TLD nameserver time survey.
Hello,
I've done a small survey wrt tld nameserver set. Results are below.
Comments are solicited.
Thanks, regards
Roy
----
Introduction.
Securing the DNS system has a common requirement: the set of systems,
including stub resolvers, recursive resolvers and authoritative servers,
needs to agree on time when DNS protocols such as TSIG, SIG(0) and
DNSSEC are involved. In the scope of those protocols, time is a
factor in the defense against replay attacks.
Time may be less of a factor for authoritative nameservers, regardless
of whether DNSSEC is involved, since it is recommended that signing DNS
data for DNSSEC is done offline, i.e. an authoritative nameserver does
not need to be in sync for purposes of answering a query. Note that a
secured zone transfer (TSIG/SIG(0) + IXFR/AXFR) requires the servers
to be in sync.
A recursive nameserver needs to be in sync to verify DNSSEC data.
Recursive nameservers were not part of this survey, though some servers
in this survey happen to offer recursion.
Time Survey.
As an indication, clocks at authoritative nameservers responsible for
the top level domains (TLDs) were compared against 'actual time'.
As input for this exercise, the NSDNAME value in authoritative name
server resource records (NS) in the Root Zone (SOA:2003073101) were
resolved for their addresses. A unique pair of name and address is
regarded as a single nameserver for this survey. These nameservers were
queried [1] for their clock value. Not every server responded, which
does not imply that a name server was not running.
The 'actual time' is then subtracted from each received clock value. This
actual time is the mean of the recorded time 'on send' and 'on receive'.
The recorded time has been synchronized through NTP with a set of
stratum 1 time servers connected to GPS receivers.
There is a 'response timeout' of 2 seconds, which implies that there may
be a 2 second fault. Values outside this fault window can be considered
"out of sync".
To give an indication of where the server set for a domain exists in time,
the 'range' is shown for a domain.
Say the TLD example has 5 nameservers, with the following offsets:
    ns1.example    -50 seconds
    ns2.example    -12 seconds
    ns3.example      1 second
    ns4.example     77 seconds
    ns5.example    150 seconds
Then the 'range' for TLD 'example' is 200 (i.e. -50 to 150).
Only domains with a range larger than 4 seconds are mentioned below.
Note that a single nameserver may serve multiple zones. If this single
nameserver is N seconds out of sync, all zones served by this server
will be at least N seconds out of sync.
Domain  Range   Domain  Range   Domain  Range   Domain  Range
VU.         6   EDU.        7   GOV.        7   KH.         7
NAME.       7   ORG.        7   SB.         8   JM.        11
SG.        11   SO.        13   GF.        15   AO.        17
BG.        17   BM.        17   CV.        17   CZ.        17
EE.        17   HR.        17   IS.        17   LV.        17
MY.        17   NG.        17   NL.        17   PT.        17
RU.        17   SI.        17   SK.        17   ST.        17
YU.        17   SE.        18   UA.        19   IL.        35
AU.        39   PL.        39   VI.        51   HK.        61
TR.        61   PN.        77   SY.        86   MN.        93
NR.       102   KW.       118   NP.       120   MA.       125
SC.       135   FM.       142   CU.       159   DJ.       162
BZ.       163   HU.       164   BB.       165   LU.       167
UZ.       178   NE.       185   MZ.       208   LY.       212
AD.       231   EG.       281   GM.       281   IT.       299
ET.       316   GT.       337   TT.       339   GE.       389
HN.       413   ES.       459   AR.       470   UY.       470
GG.       472   JE.       472   LT.       492   GH.       507
LK.       514   BH.       533   QA.       613   KY.       634
KR.       642   EC.       667   TN.       715   MO.       717
CL.       728   DK.       762   RO.       767   VN.       788
IQ.       824   IN.       826   AI.       908   GQ.       960
CN.       962   MT.       976   KZ.       979   AN.      1041
KM.      1077   JO.      1109   BN.      1143   KE.      1254
TH.      1271   MD.      1338   AW.      1669   CA.      1677
NU.      1824   PRO.     1980   ML.      2231   MR.      2349
CY.      2449   TW.      2482   MG.      2928   PR.      3066
MQ.      3312   BO.      3523   YE.      3555   DZ.      3669
SD.      3767   IE.      3989   MIL.     3989   INT.     4381
MUSEUM.  4475   TD.      4957   MH.      5608   TG.      5913
GR.      5955   AL.      7217   CC.      7725   DM.      7725
SN.      7871   BY.      8949   BI.     11563   CD.     11563
CG.     11563   RW.     11563   IR.     12879   PK.     13242
PY.     14491   BJ.     17872   LB.     25200   OM.     28715
DO.     29051   MW.     29189   VE.     29574   CR.     42495
PA.     42495   NI.     43387   SV.     43819   WS.     46440
GP.     49643   SL.     54184   UG.     56973   NF.     60523
HM.     84227   CX.     87640
[1] The methodology, tools, raw data and more in-depth analysis are not
made public here yet, to allow operators to sync their nameservers. It
is, however, trivial, and no secret to many, to determine a server's
timestamp.
----- End forwarded message -----
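The offset and range arithmetic the forwarded survey describes (offset = reported clock minus the mean of send and receive stamps, the 2 second fault window, one server per unique name+address pair, per-TLD range, and the "shared server skews every zone it serves" caveat), as an added example that is not part of the original post and is not Roy Arends' tooling. The probe records, addresses and zone names are constructed for illustration; how a server's clock value is actually obtained is not shown, since the post withholds that part.

```python
"""Offset / range analysis from the survey write-up, run over constructed
probe records. Only the arithmetic is shown; obtaining a server's clock
value is left out, as in the post."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TIMEOUT_S = 2.0        # survey's response timeout: the size of the 'fault' window
REPORT_RANGE_S = 4.0   # survey lists only TLDs whose range exceeds this


@dataclass(frozen=True)
class Probe:
    name: str                 # NSDNAME from the root-zone NS RRset
    addr: str                 # one address that name resolved to
    zones: Tuple[str, ...]    # TLDs this (name, addr) is listed for
    sent: float               # local NTP-disciplined clock at send (unix s)
    received: float           # local clock when the reply arrived (unix s)
    clock: Optional[float]    # clock value the server reported; None = no reply


def offset(p: Probe) -> Optional[float]:
    """Server clock minus 'actual time', the mean of send and receive stamps."""
    if p.clock is None:
        return None
    return p.clock - (p.sent + p.received) / 2.0


def out_of_sync(off: Optional[float]) -> bool:
    """An offset inside the timeout window cannot be separated from RTT."""
    return off is not None and abs(off) > TIMEOUT_S


def offsets_by_zone(probes: List[Probe]) -> Dict[str, List[float]]:
    """Collect offsets per TLD; a (name, addr) pair is one server, counted once."""
    seen = set()
    per_zone: Dict[str, List[float]] = defaultdict(list)
    for p in probes:
        key = (p.name, p.addr)
        if key in seen:
            continue
        seen.add(key)
        off = offset(p)
        if off is None:          # no answer != not running; just no data point
            continue
        for z in p.zones:
            per_zone[z].append(off)
    return per_zone


def tld_ranges(probes: List[Probe]) -> Dict[str, Tuple[float, float, float]]:
    """{tld: (min, max, range)} as defined in the post: range = max - min."""
    return {z: (min(o), max(o), max(o) - min(o))
            for z, o in offsets_by_zone(probes).items()}


def report(probes: List[Probe], threshold: float = REPORT_RANGE_S):
    """TLDs whose server set spans more than `threshold` seconds, sorted by name."""
    return sorted((z, r) for z, (_, _, r) in tld_ranges(probes).items()
                  if r > threshold)


def worst_skew(probes: List[Probe]) -> Dict[str, float]:
    """Largest |offset| among a zone's responding servers. A shared server
    that is N s off makes every zone it serves at least N s off, even when
    that zone's 'range' is small because only that server answered."""
    return {z: max(abs(x) for x in o)
            for z, o in offsets_by_zone(probes).items()}


# Constructed records (not survey data). Send/receive stamps are chosen so
# the mean is exactly 1000.0 and every offset is an exact float.
PROBES = [
    Probe("ns1.example", "192.0.2.1", ("example",), 999.5, 1000.5, 950.0),    # -50
    Probe("ns2.example", "192.0.2.2", ("example",), 999.5, 1000.5, 988.0),    # -12
    Probe("ns3.example", "192.0.2.3", ("example",), 999.5, 1000.5, 1001.0),   #  +1
    Probe("ns4.example", "192.0.2.4", ("example",), 999.5, 1000.5, 1077.0),   # +77
    Probe("ns5.example", "192.0.2.5", ("example",), 999.5, 1000.5, 1150.0),   # +150
    Probe("ns5.example", "192.0.2.5", ("example",), 999.5, 1000.5, 1150.0),   # duplicate pair, ignored
    # one server listed for two TLDs, 240 s fast
    Probe("ns.shared.test", "198.51.100.1", ("alpha", "beta"), 999.5, 1000.5, 1240.0),
    Probe("ns.alpha.test", "203.0.113.1", ("alpha",), 999.5, 1000.5, 1000.5),  # +0.5, in sync
    Probe("ns.beta.test", "203.0.113.2", ("beta",), 999.5, 1000.5, None),      # timed out
]

if __name__ == "__main__":
    for z, r in report(PROBES):
        print(f"{z}. range {r:g}")
    print("worst |offset| per zone:", worst_skew(PROBES))
```

Note the 'beta' zone: its only responding server is 240 s fast, yet its range is 0 and it would not appear in a range-only listing; that is the caveat the post makes about a single nameserver serving multiple zones, and why worst_skew is reported alongside the range.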