[Full-Disclosure] [roy@logmess.com: TLD nameserver time survey.]

From: Len Rose (len_at_netsys.com)
Date: 08/05/03

    To: full-disclosure@lists.netsys.com
    Date: Tue, 5 Aug 2003 07:23:20 -0400
    
    

    ----- Forwarded message from Roy Arends <roy@logmess.com> -----

    Date: Tue, 5 Aug 2003 12:30:06 +0200 (CEST)
    From: Roy Arends <roy@logmess.com>
    To: dnsop@cafax.se
    Subject: TLD nameserver time survey.

    Hello,

    I've done a small survey wrt tld nameserver set. Results are below.

    Comments are solicited.

    Thanks, regards

    Roy

    ----
    Introduction.
       Securing the DNS system has a common requirement. The set of systems,
       including stub resolvers, recursive resolvers and authoritative servers
       need to agree on time when DNS protocols such as TSIG, SIG(0)  and
       DNSSEC are involved. In the scope of those protocols, time is a
       factor in the defense against replay attacks.
       Time may be less a factor for authoritative nameservers regardless
       whether DNSSEC is involved, since it is recommended that signing DNS
       data for DNSSEC is done offline, i.e. an authoritative nameserver does
       not need to be in sync for purposes of answering a query. Note that a
       secured zonetransfer (TSIG/SIG(0) + IXFR/AXFR) requires the servers
       to be in sync.
       A recursive nameserver needs to be in sync to verify DNSSEC data.
       Recursive nameservers were not part of this survey, though some servers
       in this survey happen to offer recursion.
    Time Survey.
       As an indication, clocks at authoritative nameservers responsible for
       the top level domains (TLDs) were compared against 'actual time'.
       As input for this exercise, the NSDNAME value in authoritative name
       server resource records (NS) in the Root Zone (SOA:2003073101) were
       resolved for their addresses. A unique pair of name and address is
       regarded as a single nameserver for this survey. These nameservers were
       queried [1] for their clock value. Not every server responded, which
       does not imply that a name server was not running.
       A received clock value is then subtracted by the 'actual time'. This
       actual time is the mean of recorded time 'on send' and 'on receive'.
       The recorded time has been synchronized through NTP with a set of
       stratum 1 time servers connected to GPS receivers.
       There is a 'response timeout' of 2 seconds which implies that there may
       be a 2 second fault. Values outside this fault window can be considered
       "out of sync".
       To give an indication of where a server set for a domain exist in time,
       the 'range' is shown for a domain.
       Say the TLD example has 5 nameservers, with the following offset:
            ns1.example   -50 seconds
            ns2.example   -12 seconds
            ns3.example     1 seconds
            ns4.example    77 seconds
            ns3.example   150 seconds
       Then 'range' for TLD 'example' is 200 (i.e. -50 to 150).
       Only domains with a range larger than 4 seconds are mentioned below.
       Note that a single nameserver may serve multiple zones. If this single
       nameserver is N seconds out of sync, all zones served by this server
       will be at least N seconds out of sync.
       Domain   Range  Domain   Range  Domain   Range  Domain   Range
       VU.      6      EDU.     7      GOV.     7      KH.      7
       NAME.    7      ORG.     7      SB.      8      JM.      11
       SG.      11     SO.      13     GF.      15     AO.      17
       BG.      17     BM.      17     CV.      17     CZ.      17
       EE.      17     HR.      17     IS.      17     LV.      17
       MY.      17     NG.      17     NL.      17     PT.      17
       RU.      17     SI.      17     SK.      17     ST.      17
       YU.      17     SE.      18     UA.      19     IL.      35
       AU.      39     PL.      39     VI.      51     HK.      61
       TR.      61     PN.      77     SY.      86     MN.      93
       NR.      102    KW.      118    NP.      120    MA.      125
       SC.      135    FM.      142    CU.      159    DJ.      162
       BZ.      163    HU.      164    BB.      165    LU.      167
       UZ.      178    NE.      185    MZ.      208    LY.      212
       AD.      231    EG.      281    GM.      281    IT.      299
       ET.      316    GT.      337    TT.      339    GE.      389
       HN.      413    ES.      459    AR.      470    UY.      470
       GG.      472    JE.      472    LT.      492    GH.      507
       LK.      514    BH.      533    QA.      613    KY.      634
       KR.      642    EC.      667    TN.      715    MO.      717
       CL.      728    DK.      762    RO.      767    VN.      788
       IQ.      824    IN.      826    AI.      908    GQ.      960
       CN.      962    MT.      976    KZ.      979    AN.      1041
       KM.      1077   JO.      1109   BN.      1143   KE.      1254
       TH.      1271   MD.      1338   AW.      1669   CA.      1677
       NU.      1824   PRO.     1980   ML.      2231   MR.      2349
       CY.      2449   TW.      2482   MG.      2928   PR.      3066
       MQ.      3312   BO.      3523   YE.      3555   DZ.      3669
       SD.      3767   IE.      3989   MIL.     3989   INT.     4381
       MUSEUM.  4475   TD.      4957   MH.      5608   TG.      5913
       GR.      5955   AL.      7217   CC.      7725   DM.      7725
       SN.      7871   BY.      8949   BI.      11563  CD.      11563
       CG.      11563  RW.      11563  IR.      12879  PK.      13242
       PY.      14491  BJ.      17872  LB.      25200  OM.      28715
       DO.      29051  MW.      29189  VE.      29574  CR.      42495
       PA.      42495  NI.      43387  SV.      43819  WS.      46440
       GP.      49643  SL.      54184  UG.      56973  NF.      60523
       HM.      84227  CX.      87640
       [1] The methodology, tools, raw data and more in-depth analysis are not
       made public here yet to allow operators to sync their nameservers. It
       is, however, trivial and no secret to many to determine a server's
       timestamp.
    #----------------------------------------------------------------------
    # To unsubscribe, send a message to <dnsop-request@cafax.se>.
    ----- End forwarded message -----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
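The offset and 'range' arithmetic described in the survey (offset = server clock minus the mean of the send and receive timestamps, a 2-second fault window, range = max offset minus min offset per TLD, unique name/address pairs counted once, domains over 4 seconds reported), as an added illustration that is not Roy Arends' tooling; the probe records are constructed sample data, not survey results, and no server clock is actually queried.

```python
from collections import defaultdict

RESPONSE_TIMEOUT = 2.0   # seconds; the survey's fault window
RANGE_THRESHOLD = 4.0    # only domains with range > 4 s are reported

# Constructed probe records: (tld, ns name, address, t_send, t_recv, server_clock).
# Times are Unix seconds as recorded on an NTP-disciplined host; None = no answer.
PROBES = [
    ("example", "ns1.example", "192.0.2.1",    1000.0, 1000.4, 950.2),
    ("example", "ns2.example", "192.0.2.2",    1001.0, 1001.2, 989.1),
    ("example", "ns3.example", "192.0.2.3",    1002.0, 1002.6, 1003.3),
    ("example", "ns4.example", "192.0.2.4",    1003.0, 1003.2, 1080.1),
    ("example", "ns5.example", "192.0.2.5",    1004.0, 1004.2, 1154.1),
    ("test",    "ns1.example", "192.0.2.1",    1005.0, 1005.4, 955.2),   # same server, second zone
    ("test",    "ns1.test",    "198.51.100.1", 1006.0, 1006.2, 1006.1),
    ("test",    "ns2.test",    "198.51.100.2", 1007.0, None,   None),    # timed out, not counted
]

def offset(t_send, t_recv, server_clock):
    """Server clock minus 'actual time' (mean of the send and receive timestamps)."""
    return server_clock - (t_send + t_recv) / 2.0

def server_offsets(probes):
    """Map (name, address) -> offset. A name/address pair is one nameserver even
    when it serves several zones; unanswered probes are skipped."""
    seen = {}
    for _tld, name, addr, t_send, t_recv, clock in probes:
        if clock is None or (name, addr) in seen:
            continue
        seen[(name, addr)] = offset(t_send, t_recv, clock)
    return seen

def out_of_sync(off):
    """True when the offset lies outside the 2-second response-timeout fault window."""
    return abs(off) > RESPONSE_TIMEOUT

def domain_ranges(probes):
    """Per TLD, range = max offset - min offset over its answering servers."""
    offs = server_offsets(probes)
    per_tld = defaultdict(list)
    for tld, name, addr, *_ in probes:
        if (name, addr) in offs:
            per_tld[tld].append(offs[(name, addr)])
    return {tld: max(v) - min(v) for tld, v in per_tld.items()}

def report(probes, threshold=RANGE_THRESHOLD):
    """Domains whose range exceeds the threshold, largest range first."""
    return sorted(((d, r) for d, r in domain_ranges(probes).items() if r > threshold),
                  key=lambda x: -x[1])
```

With the constructed data, 'example' reproduces the survey's own worked case (offsets -50, -12, 1, 77, 150 giving a range of 200), and 'test' shows how one server 50 seconds slow drags the range of every zone it serves.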
    
