Timekeeping (was Re: tsig verify failure)

James A Griffin agriffin at cpcug.org
Sun Apr 8 14:21:59 UTC 2001


Maximo,

I notice from the email header that your time zone is +0900 and that the
offset being applied in the log messages below is +0900.  This suggests
that your hardware clock, your system clock, and your TIMEZONE (TZ)
setting are messed up.  IIRC, you are running a Linux distribution.  If
so, look at /etc/sysconfig/clock.

Like all good Un*x sysadmins, I set the hardware clock (the one you see
when you do a CMOS Setup when your machine is booting up) to UTC
(sometimes called GMT, or Zulu) time.  I'm on the East coast of USA so my
clock file looks like this:

[artch at minerva artch]$ cat /etc/sysconfig/clock
ARC=false
UTC=true
ZONE=America/New_York  

Users of Microsoft products, however, have problems with this approach
since Windows operating systems expect the hardware clock to be set to
local time and will cause it to be set and reset on "daylight savings"
or "summer time" changes.

It is necessary for the clocks on the three machines (SK, CA, FI?) to be
synchronized with one another.  That is to say, they should all have the
same idea as to what time it is, taking into account the timezone.  It is
interesting to note that the clocks do not have to be accurate with
respect to "realtime", they just have to be in agreement among
themselves.  The reason that they must have the same ideas as to "time"
is that the signed messages have a timestamp and an associated period
during which they are considered valid.  This helps to prevent some
types of attack (e.g., replay).

HOWEVER, it is better, much better, if they are also in agreement with
"realtime."

For more information on time, timekeeping, and network time protocol
(NTP) visit the following:

http://www.ijs.si/time/  (This is a very good site, rich in facts and
good links)
http://tycho.usno.navy.mil/
http://www.boulder.nist.gov/timefreq/
http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-a-faq.htm

Regards,
Jim

Maximo Ramos wrote:
> 
> Hi
> 
> I have been working all day in this DDNS ... works like a charm, but
> only locally :(
> 
> named[24526]: adding an RR
> named[24526]: delete all rrsets from a name
> named[24526]: adding an RR
> 
> However, a remote host in Canada (I am in South Korea) is trying to
> use nsupdate with *the same key* and the same arguments I use locally, but:
> 
> named[24526]: client X.X.X.X#1073: request has invalid signature: tsig verify failure
> 
> I searched in the mailing list archives and found:
> 
> > Have you checked that the clocks on the client and server are
> > synchronised? TSIGs include a timestamp to reduce the potential for
> > replay attacks. If the client and server's clocks are out by too
> > much, TSIG validation fails.
> 
> Of course the time is different!!!! I am trying to allow two friends
> in Canada and Finland to update my domain zone, and they DONT have NS
> servers, nor static IP addresses. They are just dumb clients.
> 
> Is there any workaround??
> 
> BTW, after I implemented views and some other stuff, in my syslogd
> (Linux 2.4.2) the entries concerning named have a weird time, like
> this:
> 
> Apr  8 10:04:48 sputnik named[24526]:
> Apr  8 10:06:19 sputnik named[24526]:
> Apr  8 19:12:31 sputnik proftpd[24580]:
> Apr  8 19:13:28 sputnik proftpd[24582]:
> Apr  8 19:13:31 sputnik PAM_pwdb[24582]:
> 
> Here there are more, after a restart of named:
> 
> Apr  8 10:17:47 sputnik named[24526]: shutting down
> Apr  8 10:17:47 sputnik named[24526]: no longer listening on
> Apr  8 10:17:47 sputnik named[24526]: no longer listening on
> Apr  8 10:17:47 sputnik named[24526]: no longer listening on
> Apr  8 10:17:47 sputnik named[24524]: exiting
> Apr  8 19:17:47 sputnik named: named shutdown succeeded
>        ^^^^^^^^
> 
> Apr  8 10:17:48 sputnik named[24626]: starting BIND 9.1.1 -t /chroot/named -u
> Apr  8 10:17:48 sputnik named[24626]: using 1 CPU
> Apr  8 10:17:48 sputnik named[24628]: loading configuration from
> Apr  8 10:17:48 sputnik named[24628]: no IPv6 interfaces found
> Apr  8 10:17:48 sputnik named[24628]: listening on IPv4 interface
> Apr  8 10:17:48 sputnik named[24628]: listening on IPv4 interface
> Apr  8 10:17:48 sputnik named[24628]: listening on IPv4 interface
> Apr  8 10:17:48 sputnik named[24628]: running
> Apr  8 19:17:48 sputnik named: named startup succeeded
>        ^^^^^^^^
> 
> This is the weirdest thing I have ever seen!
> 
> Best regards!
> 
> --
> ----------------------------------------------------
> Maximo Ramos
> From The Land of The Morning Calm
> "I am free of prejudices. I hate everyone equally."
> ----------------------------------------------------
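The timestamp-plus-validity-window check that Jim's reply describes is the "time signed" and "fudge" pair in the TSIG record (RFC 2845). The Python below is an added illustration written for this page, not code from the thread or from BIND. It models a simplified TSIG sign/verify in the order the RFC prescribes (key check, MAC check, time check) and runs constructed scenarios matching the thread: a client whose clock is within the window, a client whose clock is nine hours off, a captured message replayed later, a tampered message, and an unknown key. The RCODE values and the 300-second default fudge are from RFC 2845; the key name, shared secret, epoch values, the byte layout of the covered TSIG variables, and the use of HMAC-SHA256 rather than the HMAC-MD5 that BIND 9.1.1 used are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# TSIG error RCODEs from RFC 2845.
NOERROR = 0
BADSIG = 16   # MAC does not verify
BADKEY = 17   # key name not known to the server
BADTIME = 18  # |server time - time signed| exceeds fudge

# RFC 2845 recommends a default fudge of 300 seconds.
DEFAULT_FUDGE = 300


def tsig_variables(key_name, algorithm, time_signed, fudge):
    """Render the TSIG fields that the MAC covers (RFC 2845 section 3.4.2).

    Simplified for illustration: a real implementation wire-encodes the key
    name, class ANY, TTL 0, the algorithm name, the 48-bit time signed, the
    16-bit fudge, the error code and the other-data field.
    """
    return (
        key_name.lower().encode() + b"\x00"
        + algorithm.lower().encode() + b"\x00"
        + struct.pack("!Q", time_signed)[2:]   # 48-bit big-endian time signed
        + struct.pack("!H", fudge)             # 16-bit fudge
    )


def sign(message, key_name, key, time_signed, fudge=DEFAULT_FUDGE,
         algorithm="hmac-sha256"):
    """Client side: attach a TSIG-style record to an outgoing DNS message."""
    covered = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    mac = hmac.new(key, covered, hashlib.sha256).digest()
    return {"key_name": key_name, "algorithm": algorithm,
            "time_signed": time_signed, "fudge": fudge, "mac": mac}


def verify(message, tsig, keyring, now):
    """Server side: key check, then MAC check, then time check (RFC 2845 4.5)."""
    key = keyring.get(tsig["key_name"].lower())
    if key is None:
        return BADKEY
    covered = message + tsig_variables(tsig["key_name"], tsig["algorithm"],
                                       tsig["time_signed"], tsig["fudge"])
    expected = hmac.new(key, covered, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return BADSIG
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return BADTIME
    return NOERROR


def demo():
    """Constructed scenarios; all names, secrets and clock values are made up."""
    key_name = "update-key.example"
    secret = b"constructed-shared-secret-not-a-real-key"
    keyring = {key_name: secret}
    server_now = 986_740_800          # the server's idea of "now" (epoch seconds)
    update = b"constructed DNS UPDATE for example. (wire bytes omitted)"

    results = {}

    # Client whose clock is 2 minutes fast: inside the 300 s fudge.
    t = sign(update, key_name, secret, server_now + 120)
    results["in_sync"] = verify(update, t, keyring, server_now)

    # Client whose clock is 9 hours off (the +0900 offset in the thread).
    t = sign(update, key_name, secret, server_now + 9 * 3600)
    results["nine_hours_off"] = verify(update, t, keyring, server_now)

    # A valid message captured and replayed 10 minutes later: the MAC still
    # verifies, but the time check rejects it.
    t = sign(update, key_name, secret, server_now)
    results["replayed_later"] = verify(update, t, keyring, server_now + 600)

    # Message altered in transit after signing.
    t = sign(update, key_name, secret, server_now)
    results["tampered"] = verify(update + b"X", t, keyring, server_now)

    # Signed under a key name the server does not have.
    t = sign(update, "other-key.example", secret, server_now)
    results["unknown_key"] = verify(update, t, keyring, server_now)

    return results


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name:16s} rcode={code}")
```

Raising the fudge on both sides would make the nine-hour case pass, but it widens the window in which a captured update can be replayed against the server, which is exactly what the timestamp is there to prevent; synchronising the clocks with NTP, as the reply recommends, is the right fix.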

