[outages] DNS SERVFAIL for nist.gov

Mon Jun 14 09:39:39 EDT 2021

You should consider eliminating dependence on Internet-delivered NIST time and switch to GPS-based time servers. The GPS network has its own airborne atomic clocks that use a well-disciplined protocol to synchronize to NIST reference atomic time without transiting the Internet.

According to NIST’s documentation:

“Currently, the GPS system provides time to the general public with uncertainties measured in nanoseconds. With a well-designed receiver system the user can obtain the time to better than 100 ns in a few minutes, and to about +/- 10 ns with a 24 hour average (and a good local clock).”

All sources of error in GPS time propagation total less than one millisecond, well within your 50ms tolerance.

https://www.nist.gov/pml/time-and-frequency-division/time-services/one-way-gps-time-transfer

NIST maintains publicly-accessible logs of al clock differences to provide documented compliance under FINRA clock synchronization rules.

[cid:54276CD7-0F1E-4855-BA0B-BFE406A63AB5-L0-001]

The log has a one-hour resolution, satisfying the FINRA requirement to verify synchronization “throughout the day”.

IP-based GPS clocks are widely available with low-drift oven-controlled crystal oscillators (OXCO), or even internal cesium-based atomic clocks, for as little as a few thousand dollars. This lets you ride out time signal outages of days or even weeks.

The US DHS recommends discontinuation of unauthenticated Internet-based reference clocks, owing to their vulnerability to IP address spoofing:

https://www.dhs.gov/sites/default/files/publications/GPS-PNT-Best-Practices-Time-Frequency-Sources-Fixed-Locations-508.pdf

-mel via cell

On Jun 14, 2021, at 3:51 AM, Matthew Huff via Outages <outages at outages.org> wrote:

We have to query and compare against NIST time servers for FINRA compliance This morning I noticed our systems are unable to DNS query the NIST time servers. Neither our local resolvers or google (8.8.8.8) work.

[root at bacall log]# dig @8.8.8.8 time-a-g.nist.gov

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> @8.8.8.8 time-a-g.nist.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36018
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;time-a-g.nist.gov.             IN      A

;; Query time: 6 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jun 14 06:27:45 EDT 2021
;; MSG SIZE  rcvd: 46

[root at bacall log]# dig @8.8.8.8 nist.gov in soa

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> @8.8.8.8 nist.gov in soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17779
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nist.gov.                      IN      SOA

;; Query time: 5 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jun 14 06:31:59 EDT 2021
;; MSG SIZE  rcvd: 37

The time servers are documented here: https://tf.nist.gov/tf-cgi/servers.cgi

Using the IP addresses work, it look like the nist.gov domain is offline.

Matthew Huff | Director of Technical Operations | OTA Management LLC

Office: 914-460-4039
mhuff at ox.com | www.ox.com
.........................................................................................................................................

_______________________________________________
Outages mailing list
Outages at outages.org
https://puck.nether.net/mailman/listinfo/outages

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/outages/attachments/20210614/24f6edeb/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image0.jpeg
Type: image/jpeg
Size: 631916 bytes
Desc: image0.jpeg
URL: <https://puck.nether.net/pipermail/outages/attachments/20210614/24f6edeb/attachment-0001.jpeg>