tsig verify failure

Brad Knowles brad.knowles at skynet.be
Sun Apr 8 12:41:18 UTC 2001


At 7:21 PM +0900 4/8/01, Maximo Ramos wrote:

>  I searched in the mailing list archives and found:
>
>>  Have you checked that the clocks on the client and server are
>>  synchronised? TSIGs include a timestamp to reduce the potential for
>>  replay attacks. If the client and server's clocks are out by too
>>  much, TSIG validation fails.
>
>  Of course the time is different!!!! I am trying to allow two friends
>  in Canada and Finland to update my domain zone, and they DON'T have NS
>  servers, nor static IP addresses. They are just dumb clients.

	I'd be very surprised if nsupdate and the TSIG mechanism didn't 
automatically account for time zone differences, so long as the time 
zone settings on those machines were set correctly, and this 
information was appropriately available to the program in question. 
You'd then just have to make sure that the clocks were properly 
adjusted within their respective time zones.

	All of this stuff should be linked back to UTC internally within 
the respective programs, so that no one anywhere needs to worry about 
time zone differences.


	Are you sure that their clocks are properly set and synchronized 
within their time zones?

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
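
Added example, not part of the original post: a sketch of the TSIG time check as specified in RFC 2845, where Time Signed is a 48-bit count of seconds since 1970-01-01 UTC and Fudge is the permitted skew in seconds. The hosts, wall-clock values, UTC offsets and the fudge value of 300 are constructed for illustration; it shows that correctly configured zones cancel out and that only a wrong clock or wrong zone setting produces BADTIME.

```python
import struct
from datetime import datetime, timedelta, timezone

BADTIME = 18   # TSIG error code for a timestamp outside the fudge window
FUDGE = 300    # seconds of permitted skew (value assumed for this example)

def pack_times(time_signed, fudge=FUDGE):
    # Time Signed is 48 bits of seconds since 1970-01-01 UTC, Fudge is 16 bits
    return struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)

def check_times(rdata_times, server_now):
    # Server side: compare its own epoch time with the signed time, within fudge
    hi, lo, fudge = struct.unpack("!HIH", rdata_times)
    skew = abs(server_now - ((hi << 32) | lo))
    return (0 if skew <= fudge else BADTIME), skew

def host_epoch(wall_clock, utc_offset_hours):
    # What a host believes "now" is, given its wall clock and configured zone offset
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return int(local.timestamp())

def run_cases():
    # Constructed hosts: every wall clock below describes the same instant
    # unless the label says otherwise.
    server_now = host_epoch("2001-04-08 21:41:18", +9)
    clients = {
        "utc+3, zone set correctly": host_epoch("2001-04-08 15:41:18", +3),
        "utc-4, zone set correctly": host_epoch("2001-04-08 08:41:18", -4),
        "utc-4, clock 2 min fast": host_epoch("2001-04-08 08:43:18", -4),
        # Wall clock shows local time but the zone is configured as UTC
        "utc-4 wall clock, zone left at UTC": host_epoch("2001-04-08 08:41:18", 0),
    }
    return {name: check_times(pack_times(t), server_now) for name, t in clients.items()}

if __name__ == "__main__":
    for name, (rcode, skew) in run_cases().items():
        status = "ok" if rcode == 0 else "BADTIME"
        print(f"{name:36s} skew={skew:6d}s -> {status}")
```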

