tsig verify failure

Bob Vance bobvance at alumni.caltech.edu
Sun Apr 8 13:59:10 UTC 2001


Of course we would expect time-zone difference not to matter, but what
*is* the acceptable difference?

> the Network Time Protocol is your friend

Except for the just-released buffer overflow problem that allows root
access !! ;>)


-------------------------------------------------
Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:BobVance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================





-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
Behalf Of Jim Reid
Sent: Sunday, April 08, 2001 8:38 AM
To: Maximo Ramos
Cc: bind-users at isc.org
Subject: Re: tsig verify failure


>>>>> "Maximo" == Maximo Ramos <maximo at violadores.org> writes:

    Maximo> named[24526]: client X.X.X.X#1073: request has invalid signature: tsig verify failure

    Maximo> I searched in the mailing list archives and found:

    >> Have you checked that the clocks on the client and server are
    >> synchronised? TSIGs include a timestamp to reduce the potential
    >> for replay attacks. If the client and server's clocks are out
    >> by too much, TSIG validation fails.

    Maximo> Of course the time is different!!!! I am trying to allow
    Maximo> two friends in Canada and Finland to update my domain
    Maximo> zone, and they DONT have NS servers, nor static IP
    Maximo> addresses. They are just dumb clients.

Time zones don't matter. UTC is the same everywhere. Most computer
systems use UTC for timekeeping and convert from that to the local
timezone when presenting the time of day to an end user. Go look at
the man pages for gettimeofday() and ctime(). Provided the computers
in Canada and Finland have the same idea of what UTC is -- the Network
Time Protocol is your friend -- the timestamps in the transaction
signatures (TSIGs) will be OK which will mean they will validate.
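
An added example (not part of the original thread, and not BIND's code) of the timestamp check discussed above: it reads the Time Signed and Fudge fields from TSIG RDATA as laid out in RFC 2845 and applies the test |server time - time signed| <= fudge. The sample RDATA, the helper names and the 300-second fudge (the value RFC 2845 recommends) are assumptions made for illustration.

```python
import struct

def read_name(buf, off=0):
    """Read an uncompressed wire-format domain name; return (text, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n > 63:
            raise ValueError("compressed or invalid label in TSIG algorithm name")
        labels.append(buf[off:off + n].decode("ascii").lower())
        off += n

def parse_tsig_time(rdata):
    """Return (algorithm, time_signed, fudge) from TSIG RDATA (RFC 2845 layout)."""
    alg, off = read_name(rdata)
    if len(rdata) < off + 10:
        raise ValueError("truncated TSIG RDATA")
    hi, lo, fudge, _mac_len = struct.unpack_from("!HIHH", rdata, off)
    time_signed = (hi << 32) | lo        # 48-bit seconds since the epoch, UTC
    return alg, time_signed, fudge

def time_check(rdata, server_now):
    """Accept only if the signer's clock is within `fudge` seconds of ours."""
    _alg, signed, fudge = parse_tsig_time(rdata)
    skew = server_now - signed
    return ("NOERROR" if abs(skew) <= fudge else "BADTIME"), skew, fudge

def build_sample_rdata(time_signed, fudge=300):
    """Constructed sample: hmac-md5 TSIG RDATA with a dummy 16-byte MAC."""
    alg = b"".join(bytes([len(l)]) + l for l in
                   b"HMAC-MD5.SIG-ALG.REG.INT".split(b".")) + b"\x00"
    head = struct.pack("!HIHH", time_signed >> 32,
                       time_signed & 0xFFFFFFFF, fudge, 16)
    tail = struct.pack("!HHH", 0x1234, 0, 0)  # original ID, error, other len
    return alg + head + b"\x00" * 16 + tail

if __name__ == "__main__":
    signed = 986738290                   # constructed epoch seconds (UTC)
    rdata = build_sample_rdata(signed)
    # One minute of drift, just past the fudge window, and a clock that is
    # two hours off (e.g. local wall time entered as if it were UTC).
    for now in (signed + 60, signed + 301, signed - 7200):
        print(now, time_check(rdata, now))
```

Both fields are epoch seconds in UTC, so the time zones of the two hosts never enter the comparison; only an absolute clock error larger than the fudge produces BADTIME.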



