[Yeti DNS Discuss] Yeti back to the future

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Oct 23 07:13:49 UTC 2015


I was reviewing the security of the Dahu machines in the light of the
NTP Back to the Future attack
<http://www.cs.bu.edu/~goldbe/NTPattack.html>, especially since their
paper often mentions DNS.

Am I right in saying that the offset of the clock is not very
important for an authoritative name server (besides sysadmin issues
like having exploitable logs)? An authoritative DNS server (unlike a
validating resolver, or a signer) does not care about the time, no?

Four of the Yeti root name servers reply to NTP queries and three of
them give a complete reply.

% for server in $(dig +short +nodnssec @dahu1.yeti.eu.org NS .); do
   printf "%s: " $server; /usr/lib/monitoring-plugins/check_ntp_time  -H $server
done
bii.dns-lab.net.: NTP CRITICAL: No response from NTP server
yeti.bofh.priv.at.: NTP CRITICAL: No response from NTP server
yeti.ipv6.ernet.in.: NTP CRITICAL: No response from NTP server
yeti.aquaray.com.: NTP CRITICAL: No response from NTP server
dahu1.yeti.eu.org.: NTP CRITICAL: Offset unknown|
dahu2.yeti.eu.org.: NTP CRITICAL: No response from NTP server
ns-yeti.bondis.org.: NTP OK: Offset -0.04610881209 secs|offset=-0.046109s;60.000000;120.000000;
yeti-ns.ix.ru.: NTP CRITICAL: No response from NTP server
yeti-ns.tisf.net.: NTP CRITICAL: No response from NTP server
yeti-ns.wide.ad.jp.: NTP OK: Offset 0.004776269197 secs|offset=0.004776s;60.000000;120.000000;
yeti-ns.conit.co.: NTP CRITICAL: No response from NTP server
yeti-ns.as59715.net.: NTP CRITICAL: No response from NTP server
yeti-dns01.dnsworkshop.org.: NTP OK: Offset -0.001009911299 secs|offset=-0.001010s;60.000000;120.000000;
yeti-ns.switch.ch.: NTP CRITICAL: No response from NTP server
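
Added example, not part of the original message: the message contrasts an authoritative server with a validating resolver, and this sketch shows the time check a validator applies to the RRSIG inception/expiration window, and how a wrong local clock changes the verdict. The timestamps, the function names and the plain (non-serial-arithmetic) comparison are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # RRSIG inception/expiration presentation format (UTC)

def ts(text):
    """Parse an RRSIG timestamp given in presentation format."""
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def time_check(inception, expiration, true_now, clock_offset):
    """Time check as seen by a validator whose clock is wrong by clock_offset.

    Simplified: real validators compare 32-bit values with serial arithmetic.
    """
    local_now = true_now + clock_offset
    if local_now < ts(inception):
        return "rejected: not yet valid"
    if local_now > ts(expiration):
        return "rejected: expired"
    return "passed"

def tolerated_offsets(inception, expiration, true_now):
    """Largest backward and forward clock error that a currently valid
    signature survives before the validator starts rejecting it."""
    return true_now - ts(inception), ts(expiration) - true_now

# Constructed sample values (hypothetical, not taken from the Yeti zone).
NOW = datetime(2015, 10, 23, 7, 13, 49, tzinfo=timezone.utc)
CURRENT_SIG = ("20151015000000", "20151114000000")  # valid at NOW
OLD_SIG = ("20150802000000", "20150901000000")      # expired at NOW

if __name__ == "__main__":
    for days in (0, -10, 30):
        verdict = time_check(*CURRENT_SIG, NOW, timedelta(days=days))
        print(f"current signature, clock off by {days:+d} days: {verdict}")
    # A clock pushed far enough back makes an expired signature pass again.
    print("old signature, clock 60 days behind:",
          time_check(*OLD_SIG, NOW, timedelta(days=-60)))
    back, forward = tolerated_offsets(*CURRENT_SIG, NOW)
    print(f"tolerated clock error: {back} backward, {forward} forward")
```

The tolerated error is set by how the signer chose the validity window, so a monitoring threshold for resolver clock offset should sit well inside the smaller of the two margins.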

