tsig verify failure

Bob Vance bobvance at alumni.caltech.edu
Wed Apr 11 17:13:59 UTC 2001


Geessshh!

Let me rephrase my post, which was intended to be mildly humorous, since
I assumed that most people on this list were probably aware of the
security alert:

-
While this is not to imply a vulnerability in the Network Time Protocol
(NTP), itself, certain implementations of NTP have a vulnerability that
can allow root access to a system running one of those implementations.

Before embarking on any implementation of NTP, one should be aware of
this situation and be sure that the particular implementation intended
is not subject to this attack.
-

There.  Is that OK?


Jim said:
   For gratification, sex is your friend.

I said:
   Except for AIDS :)

Jim said:
   One should not confuse Aids with a particular implementation of sex.

To which I reply:
   Ooops.  You are correct.  My statement was misleading.
   I did not mean to imply that all sex is vulnerable to Aids
   transmission.  Indeed, it is true that only certain implementations
   of sex carry this danger.  However, I believe that anyone planning to
   engage in an implementation of sex should be aware of the potential
   danger, which is all that I was trying to point out.  I believe that it
   would be prudent for anyone entertaining an implementation of sex to be
   sure that the particular one under consideration does not have this
   vulnerability.


BOTTOM LINE:
The fact remains that, if you engage in NTP, you *may* be vulnerable to
a root exploit, so you should be aware of this and check out the facts
for your particular case.


-------------------------------------------------
Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:BobVance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================





-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
Behalf Of peter at icke-reklam.ipsec.nu.invalid
Sent: Sunday, April 08, 2001 11:32 AM
To: comp-protocols-dns-bind at moderators.isc.org
Subject: Re: tsig verify failure



Bob Vance <bobvance at alumni.caltech.edu> wrote:

> Of course we would expect time-zone difference not to matter, but what
> *is* the acceptable difference.

>> the Network Time Protocol is your friend

> Except for the just-released buffer overflow problem that allows root
> access !! ;>)

Network Time Protocol is still your friend, either by using Internet
servers and a safe ntp-daemon, or by synchronizing via a GPS or similar
reference.

Even if some (most) ntp daemons seem vulnerable, some solutions are
available (like running ntp in your neighborhood cisco, and synchronizing
to that).

Depending on what OS you use, some vendors have already shipped versions
that are not vulnerable:
"ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-004.txt.asc"
is one such patch.









> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Jim Reid
> Sent: Sunday, April 08, 2001 8:38 AM
> To: Maximo Ramos
> Cc: bind-users at isc.org
> Subject: Re: tsig verify failure


>>>>>> "Maximo" == Maximo Ramos <maximo at violadores.org> writes:

>     Maximo> named[24526]: client X.X.X.X#1073: request has invalid
> signature: tsig verify failure

>     Maximo> I searched in the mailing list archives and found:

>     >> Have you checked that the clocks on the client and server are
>     >> synchronised? TSIGs include a timestamp to reduce the potential
>     >> for replay attacks. If the client and server's clocks are out
>     >> by too much, TSIG validation fails.

>     Maximo> Of course the time is different!!!! I am trying to allow
>     Maximo> two friends in Canada and Finland to update my domain
>     Maximo> zone, and they DONT have NS servers, nor static IP
>     Maximo> addresses. They are just dumb clients.

> Time zones don't matter. UTC is the same everywhere. Most computer
> systems use UTC for timekeeping and convert from that to the local
> timezone when presenting the time of day to an end user. Go look at
> the man pages for gettimeofday() and ctime(). Provided the computers
> in Canada and Finland have the same idea of what UTC is -- the Network
> Time Protocol is your friend -- the timestamps in the transaction
> signatures (TSIGs) will be OK which will mean they will validate.





--
Peter Håkanson
        IPSec Sverige      (At the Riverside of Gothenburg, home of Volvo)
        Sorry about my e-mail address, but I'm trying to keep spam out.
        Remove "icke-reklam" and "invalid" and it works.
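The clock check the whole thread turns on, as an added illustration that is not part of any of the posts above: TSIG carries a 48-bit "time signed" field in UTC epoch seconds plus a "fudge" window, both covered by the HMAC, so two hosts in different time zones agree on the field while a clock skew larger than the fudge makes the server answer BADTIME (BIND logs it as "tsig verify failure"). The 300 s fudge is the RFC 2845 default; the key, message and dates are constructed, and the signed input is a simplification of the real TSIG digest.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Assumption (added example): 300 s is the RFC 2845 / BIND default fudge;
# the MAC input below is a constructed simplification, not the full TSIG
# digest over a wire-format DNS message.
DEFAULT_FUDGE = 300


def pack_time_signed(epoch_seconds):
    """TSIG 'time signed': 48-bit unsigned seconds since the Unix epoch (UTC)."""
    return struct.pack("!Q", int(epoch_seconds))[2:]


def unpack_time_signed(six_bytes):
    return struct.unpack("!Q", b"\x00\x00" + six_bytes)[0]


def sign(key, message, time_signed, fudge=DEFAULT_FUDGE):
    # Timestamp and fudge are part of the signed data, so a captured request
    # cannot simply be re-stamped without the shared secret.
    mac_input = message + pack_time_signed(time_signed) + struct.pack("!H", fudge)
    return hmac.new(key, mac_input, hashlib.md5).digest()


def verify(key, message, time_signed, fudge, mac, now):
    """Server-side order from RFC 2845: MAC first (BADSIG), then window (BADTIME)."""
    expected = sign(key, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(int(now) - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def same_instant_epoch():
    """Why zones don't matter: one instant in Helsinki (UTC+3) and Toronto
    (UTC-4) gives the same epoch value, hence the same 'time signed' field."""
    helsinki = datetime(2001, 4, 8, 18, 32, tzinfo=timezone(timedelta(hours=3)))
    toronto = datetime(2001, 4, 8, 11, 32, tzinfo=timezone(timedelta(hours=-4)))
    return pack_time_signed(helsinki.timestamp()) == pack_time_signed(toronto.timestamp())


if __name__ == "__main__":
    key, msg, now = b"constructed-secret", b"constructed update", 986729520
    print(verify(key, msg, now - 100, DEFAULT_FUDGE, sign(key, msg, now - 100), now))
    print(verify(key, msg, now - 600, DEFAULT_FUDGE, sign(key, msg, now - 600), now))
```

The second call fails with BADTIME even though the MAC is correct: a 10-minute skew exceeds the 300 s fudge, which is exactly the failure the thread diagnoses.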



