TSIG Zone Transfer fails
Mark_Andrews at isc.org
Thu Oct 25 06:40:01 UTC 2001
>
> I'm using secondary.com for slave DNS service. I have TSIG configured
> for zone updates. Everything was working great until today. Now zone
> transfers refuse to happen.
>
> Get this in logs
>
> request has invalid signature: tsig verify failure
>
> I have not touched my named.conf which contains all the key and
> transfer data. Secondary.com says everything is cool on their end.
> My only clue is that my system / hardware clock seems to be screwed
> up. My evidence is this. When I ping myself I get this message.
>
> Warning: time of day goes back, taking countermeasures.
Not good.
>
> I understand that TSIG uses a timestamp as one of its verification
> methods. If my time is screwed up I can see that this would cause a
> failure.
The timestamp is integral to the replay detection. There are
a couple of minutes difference allowed however.
>
> I tried several methods of updating my clock including
>
> resetting my machine
> updating system time with rdate and a Time server and then updating
> hardware time with system time and then resetting
>
> none of these seem to work. I still get the same message when I ping
> myself.
>
> Maybe I am heading down the wrong path with this time thing. The only
> other significant event that I have done to my machine is setup qmail.
>
> Any ideas?
>
> Some info
>
> Redhat Linux 7.1 with kernel 2.4.9
> Bind 9.1.0
BIND 9.1.3 is the latest release and it will differentiate
between clock skew and other forms of TSIG failure in its
error messages.
Mark
> domain halfdimension.com (nameserver ns1.halfdimension.com)
> IP address 216.36.86.238
>
> Thanks
>
> Kevin
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
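
The time-window check discussed in this thread, as an added example that is not part of the original post or of BIND's code: it reads the Time Signed and Fudge fields from a TSIG RDATA and reports whether the verifier's clock falls inside the allowed window. The helper names, the sample timestamp and the zeroed MAC are constructed for illustration; the 300-second fudge is the value RFC 2845 recommends, and MAC verification is deliberately out of scope.

```python
import struct

# Constructed sample: wire-format algorithm name used by HMAC-MD5 TSIG keys.
ALG_NAME = b"\x08hmac-md5\x07sig-alg\x03reg\x03int\x00"

def build_rdata(time_signed, fudge=300):
    """Build a constructed TSIG RDATA (zeroed MAC) for demonstration only."""
    mac = bytes(16)
    return (ALG_NAME
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!H", len(mac)) + mac
            + struct.pack("!HHH", 0x1234, 0, 0))  # original ID, error, other len

def skip_name(buf, off=0):
    """Return the offset just past an uncompressed wire-format domain name."""
    while off < len(buf):
        length = buf[off]
        off += 1
        if length == 0:
            return off
        if length > 63:
            raise ValueError("compressed or invalid label in algorithm name")
        off += length
    raise ValueError("truncated algorithm name")

def tsig_time_check(rdata, now):
    """Return (within_window, skew_seconds, fudge) for a TSIG RDATA blob.

    Time Signed is a 48-bit count of seconds since the epoch; Fudge is the
    permitted error in seconds. Outside the window a server answers BADTIME.
    """
    off = skip_name(rdata)
    if len(rdata) < off + 8:
        raise ValueError("truncated TSIG RDATA")
    hi, lo, fudge = struct.unpack_from("!HIH", rdata, off)
    time_signed = (hi << 32) | lo
    skew = now - time_signed  # positive: verifier clock is ahead of the signer
    return abs(skew) <= fudge, skew, fudge

if __name__ == "__main__":
    signed_at = 1_003_992_001  # constructed signer clock (epoch seconds)
    for drift in (0, 120, 900, -3600):
        ok, skew, fudge = tsig_time_check(build_rdata(signed_at), signed_at + drift)
        verdict = "within window" if ok else "clock skew, expect BADTIME"
        print(f"skew={skew:+6d}s fudge={fudge}s -> {verdict}")
```
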