
You should consider eliminating dependence on Internet-delivered NIST time and switch to GPS-based time servers. The GPS network has its own airborne atomic clocks that use a well-disciplined protocol to synchronize to NIST reference atomic time without transiting the Internet.

According to NIST’s documentation: “Currently, the GPS system provides time to the general public with uncertainties measured in nanoseconds. With a well-designed receiver system the user can obtain the time to better than 100 ns in a few minutes, and to about +/- 10 ns with a 24 hour average (and a good local clock).”

All sources of error in GPS time propagation total less than one millisecond, well within your 50ms tolerance.

https://www.nist.gov/pml/time-and-frequency-division/time-services/one-way-g...

NIST maintains publicly-accessible logs of all clock differences to provide documented compliance under FINRA clock synchronization rules.

The log has a one-hour resolution, satisfying the FINRA requirement to verify synchronization “throughout the day”.

IP-based GPS clocks are widely available with low-drift oven-controlled crystal oscillators (OCXO), or even internal cesium-based atomic clocks, for as little as a few thousand dollars. This lets you ride out time signal outages of days or even weeks.

The US DHS recommends discontinuation of unauthenticated Internet-based reference clocks, owing to their vulnerability to IP address spoofing:

https://www.dhs.gov/sites/default/files/publications/GPS-PNT-Best-Practices-...

-mel via cell

On Jun 14, 2021, at 3:51 AM, Matthew Huff via Outages <outages@outages.org> wrote:

We have to query and compare against NIST time servers for FINRA compliance. This morning I noticed our systems are unable to DNS query the NIST time servers. Neither our local resolvers nor Google (8.8.8.8) work.

[root@bacall log]# dig @8.8.8.8 time-a-g.nist.gov

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> @8.8.8.8 time-a-g.nist.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36018
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;time-a-g.nist.gov. IN A

;; Query time: 6 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jun 14 06:27:45 EDT 2021
;; MSG SIZE rcvd: 46

[root@bacall log]# dig @8.8.8.8 nist.gov in soa

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> @8.8.8.8 nist.gov in soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17779
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nist.gov. IN SOA

;; Query time: 5 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jun 14 06:31:59 EDT 2021
;; MSG SIZE rcvd: 37

The time servers are documented here: https://tf.nist.gov/tf-cgi/servers.cgi

Using the IP addresses works; it looks like the nist.gov domain is offline.

Matthew Huff | Director of Technical Operations | OTA Management LLC
Office: 914-460-4039
mhuff@ox.com | www.ox.com
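
Added example, not part of the thread above: a sketch of the offset check behind the "query and compare" step, applying the 50 ms tolerance to an SNTP reply and rejecting replies that fail basic sanity checks, which relates to the spoofing concern raised in the reply. All function names are hypothetical and the server packet is constructed inline so the code runs offline.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era) to 1970-01-01
TOLERANCE_S = 0.050          # the 50 ms tolerance mentioned in the thread

def to_ntp(unix_s):
    """Unix seconds -> (seconds, fraction) halves of a 64-bit NTP timestamp."""
    sec = int(unix_s)
    return sec + NTP_UNIX_DELTA, int((unix_s - sec) * 2**32)

def from_ntp(raw8):
    sec, frac = struct.unpack("!2I", raw8)
    return sec - NTP_UNIX_DELTA + frac / 2**32

def build_request(t1):
    """Client packet: LI=0, VN=4, Mode=3, transmit timestamp = t1."""
    return struct.pack("!B39x2I", (4 << 3) | 3, *to_ntp(t1))

def constructed_reply(request, t2, t3, stratum=1):
    """Constructed sample server packet for offline use, not captured traffic."""
    return struct.pack("!BB22x8s2I2I", (4 << 3) | 4, stratum,
                       request[40:48], *to_ntp(t2), *to_ntp(t3))

def evaluate_reply(request, reply, t4, tolerance=TOLERANCE_S):
    """Validate a reply; return (offset_s, delay_s, within_tolerance)."""
    if len(reply) < 48:
        raise ValueError("short packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x7, reply[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server reports itself unsynchronized")
    # The origin field must echo our transmit timestamp; a blind (off-path)
    # spoofer who never saw the request cannot fill it in correctly.
    if reply[24:32] != request[40:48]:
        raise ValueError("origin timestamp mismatch")
    t1, t2, t3 = (from_ntp(x) for x in (request[40:48], reply[32:40], reply[40:48]))
    offset = ((t2 - t1) + (t3 - t4)) / 2   # server clock minus local clock
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server processing
    return offset, delay, abs(offset) <= tolerance

if __name__ == "__main__":
    t1 = 1623666465.0                       # constructed local send time
    req = build_request(t1)
    rep = constructed_reply(req, t1 + 0.025, t1 + 0.026)
    print(evaluate_reply(req, rep, t1 + 0.011))  # server 20 ms ahead, 10 ms RTT
```

The origin-timestamp check only defeats senders who cannot observe the request; an on-path attacker can still forge a consistent reply, which is why unauthenticated NTP remains spoofable.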