BADTIME

Jim Reid jim at rfc1035.com
Wed Jan 17 10:03:31 UTC 2001


>>>>> "Andrew" == Andrew S Bounds <abounds at bastardville.net> writes:

    Andrew> Err/TO getting serial# for "somedomain.com" 
    Andrew> SOA TSIG verification from server [aaa.bbb.ccc.ddd], zone somedomain.com: message had BADTIME set (18)

    Andrew> The 2 servers are w/in a few minutes of each other.

Fix the clocks! TSIG records include timestamps to prevent replay
attacks. If the two systems can't agree on the same time, the
"signatures" won't validate. That's why you get BADTIME errors. Run
NTP - better still Secure NTP - on the systems. Oh, and don't hide
real names and addresses behind nonsense like aaa.bbb.ccc.ddd and
"somedomain.com". Concealing relevant data like this is very annoying
and usually counter-productive. Luckily for you, the actual names and
addresses don't matter this time.
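
The timestamp check described in the reply above, as an added example that is not part of the original post or of BIND's code. It follows the TSIG RDATA layout in RFC 8945, where a BADTIME response echoes the requester's Time Signed and carries the responder's clock in Other Data, so the skew can be read straight off the packet. The function names, sample timestamps, 300-second fudge and zeroed MAC are constructed for illustration.

```python
import struct

BADTIME = 18  # TSIG error code, the "(18)" in the log line quoted above

def skip_name(buf, off=0):
    """Return the offset just past an uncompressed wire-format domain name."""
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return off
        if length > 63:
            raise ValueError("TSIG algorithm name must not be compressed")
        off += length

def parse_tsig_rdata(rdata):
    """Split TSIG RDATA into the fields that matter for the time check."""
    off = skip_name(rdata)
    hi, lo, fudge, mac_size = struct.unpack_from("!HIHH", rdata, off)
    off += 10 + mac_size                      # skip the MAC itself
    _orig_id, error, other_len = struct.unpack_from("!HHH", rdata, off)
    other = rdata[off + 6:off + 6 + other_len]
    if len(other) != other_len:
        raise ValueError("truncated TSIG other data")
    return {"time_signed": (hi << 32) | lo, "fudge": fudge,
            "error": error, "other": other}

def time_ok(time_signed, fudge, now):
    """Receiver-side check: accept only if |now - time_signed| <= fudge."""
    return abs(now - time_signed) <= fudge

def badtime_skew(rdata):
    """Seconds the responder's clock is ahead of the requester's, or None."""
    t = parse_tsig_rdata(rdata)
    if t["error"] != BADTIME or len(t["other"]) != 6:
        return None
    return int.from_bytes(t["other"], "big") - t["time_signed"]

def build_sample(client_time, server_time, fudge=300):
    """Constructed BADTIME response RDATA (zeroed MAC, made-up message ID)."""
    alg = b"\x08hmac-md5\x07sig-alg\x03reg\x03int\x00"
    mac = bytes(16)
    return (alg + client_time.to_bytes(6, "big")
            + struct.pack("!HH", fudge, len(mac)) + mac
            + struct.pack("!HHH", 0x1234, BADTIME, 6)
            + server_time.to_bytes(6, "big"))

SAMPLE = build_sample(979725811, 979725811 + 420)  # clocks 7 minutes apart
if __name__ == "__main__":
    print("skew seconds:", badtime_skew(SAMPLE), "fudge:", parse_tsig_rdata(SAMPLE)["fudge"])
```

A skew larger than the fudge value in either direction fails `time_ok`, which is the condition that produces the BADTIME error.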
