Problems with TSIG/DNSSEC

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 16 21:12:18 UTC 2001


They have to be within a certain "fudge" of each other, about 5 minutes or
thereabouts.

The reason for giving limited lifetimes to crypto signatures is so that there
isn't enough time for the bad guys to decrypt them. If you want signatures
that are secure for months or years, then you need a much larger key size, and
that's much more expensive to process.


- Kevin

Vinson Armstead - PA wrote:

> I tried setting the date on both servers and they are within a few seconds.
> Do they have to be synced for TSIG to work properly???
>
> -----Original Message-----
> From: Danny Mayer [mailto:mayer at gis.net]
> Sent: Thursday, August 16, 2001 10:57 AM
> To: Vinson Armstead - PA; comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: Problems with TSIG/DNSSEC
>
>          Check the system date/time on both machines.  They should be in
> agreement.  If you are not running ntp, you should be.
>
>          Danny
>
> At 10:19 AM 8/16/01, Vinson Armstead - PA wrote:
> >While experimenting with TSIG & DNSSEC I am receiving the following errors
> >on my master name server:
> >
> >Aug 16 10:08:03.318 dnssec: debug 2: tsig key 'server.domain.com': signature is in the future
> >Aug 16 10:08:03.318 security: error: client x.x.x.x#1024: request has invalid signature: tsig verify failure
> >Aug 16 10:08:03.825 dnssec: debug 2: tsig key 'server.domain.com': signature is in the future
> >Aug 16 10:08:03.825 security: error: client x.x.x.x#1024: request has invalid signature: tsig verify failure
> >
> >I have checked the "key" & "server" statement on both the master and slave
> >(basically copied the text from one to the other).
> >
> >Zone updates and transfers work fine without using TSIG.
> >
> >Any suggestion??
> >
> >Thanks in advance
> >
> > Vinson
> >
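Added example (not part of the thread and not BIND's code): a small model of the server-side TSIG checks from RFC 2845 section 4.5, showing how the "fudge" window turns clock skew into the "signature is in the future" failure quoted above. The MAC check runs before the time check, as the RFC orders them, so a correct key with a bad clock still fails. The shared secret, the request bytes and the timestamps are constructed values; the set of TSIG variables covered by the MAC is reduced to key name, algorithm name, time signed and fudge rather than the full wire-format record.

```python
"""Model of the RFC 2845 TSIG verification steps (added example, not BIND code)."""
import hashlib
import hmac
import struct

HMAC_MD5 = "hmac-md5.sig-alg.reg.int"  # algorithm name defined in RFC 2845
DEFAULT_FUDGE = 300                     # seconds; the usual default (about 5 minutes)


def _tsig_variables(key_name, algorithm, time_signed, fudge):
    """Subset of the RFC 2845 'TSIG variables' that the MAC covers:
    key name, algorithm name, 48-bit time signed and 16-bit fudge.
    Simplified model: wire-format names, class, TTL, error and other-data
    are omitted here."""
    return (key_name.lower().encode()
            + algorithm.lower().encode()
            + struct.pack("!Q", time_signed)[2:]   # low 48 bits, network order
            + struct.pack("!H", fudge))


def tsig_sign(key, message, key_name, time_signed, fudge=DEFAULT_FUDGE):
    """Fields a client appends to a request. `time_signed` is the CLIENT's
    clock, which is exactly what the server compares against its own."""
    data = message + _tsig_variables(key_name, HMAC_MD5, time_signed, fudge)
    mac = hmac.new(key, data, hashlib.md5).digest()
    return {"key_name": key_name, "algorithm": HMAC_MD5,
            "time_signed": time_signed, "fudge": fudge, "mac": mac}


def tsig_verify(keys, message, tsig, server_now):
    """Server-side checks in the order RFC 2845 section 4.5 lists them.
    Returns the TSIG error that the server would report."""
    key = keys.get(tsig["key_name"].lower())
    if key is None or tsig["algorithm"].lower() != HMAC_MD5:
        return "BADKEY"

    data = message + _tsig_variables(tsig["key_name"], tsig["algorithm"],
                                     tsig["time_signed"], tsig["fudge"])
    expected = hmac.new(key, data, hashlib.md5).digest()
    # Constant-time comparison so MAC mismatches leak nothing through timing.
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"

    # Time check: server clock must lie within [time_signed - fudge, time_signed + fudge].
    low = tsig["time_signed"] - tsig["fudge"]
    high = tsig["time_signed"] + tsig["fudge"]
    if server_now < low:
        return "BADTIME (signature is in the future)"
    if server_now > high:
        return "BADTIME (signature has expired)"
    return "NOERROR"


# Constructed sample data: one shared key and a stand-in for the request bytes.
KEYS = {"server.domain.com": b"constructed-shared-secret"}
MESSAGE = b"constructed DNS update request bytes"
SERVER_NOW = 997999000  # constructed server clock (seconds since the epoch)


def demo():
    """Sign with several client clock offsets and report the server's verdict."""
    key = KEYS["server.domain.com"]
    results = {}
    for skew in (5, 300, 301, 600, -600):
        t = tsig_sign(key, MESSAGE, "server.domain.com", SERVER_NOW + skew)
        results[skew] = tsig_verify(KEYS, MESSAGE, t, SERVER_NOW)
    return results


if __name__ == "__main__":
    for skew, verdict in demo().items():
        print(f"client clock {skew:+5d}s vs server: {verdict}")
```

In this model a client clock a few seconds off passes, a clock exactly 300 seconds off still passes (the window is inclusive), and a clock 301 seconds or more ahead of the server produces the "signature is in the future" result, while one that far behind produces the expired result. A wrong key or a modified message fails on the MAC before the time check is ever reached.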
