BADTIME

Joseph S D Yao jsdy at cospo.osis.gov
Wed Jan 17 22:16:07 UTC 2001


On Wed, Jan 17, 2001 at 10:03:31AM +0000, Jim Reid wrote:
> >>>>> "Andrew" == Andrew S Bounds <abounds at bastardville.net> writes:
> 
>     Andrew> Err/TO getting serial# for "somedomain.com" 
>     Andrew> SOA TSIG verification from server [aaa.bbb.ccc.ddd], zone somedomain.com: message had BADTIME set (18)
> 
>     Andrew> The 2 servers are w/in a few minutes of each other.
> 
> Fix the clocks! TSIG records include timestamps to prevent replay
> attacks. If the two systems can't agree on the same time, the
> "signatures" won't validate. That's why you get BADTIME errors. Run
> NTP - better still Secure NTP - on the systems. ...

Does a Secure NTP package exist?  The www.stime.org Web site has a 1999
expired internet-draft.  The URL:
http://ietf.cnri.reston.va.us/internet-drafts/draft-ietf-stime-ntpauth-00.txt
contains the AD 2000 expired internet-draft.  Is it going anywhere?

[The Y2K draft speaks of a preliminary SNTP in NTP 4.  At URL
http://www.eecis.udel.edu/~ntp/, I only remember an XNTP 3.  Ah - the
site has been updated to the point that it takes forever to get through
my firewall, and a preliminary NTP 4.0 is available.]

[I am cc'ing the author of the Secure NTP drafts, to get his take on
progress of stime/SNTP.]

["forever" seems to be mediated by that cute new logo at the top.]

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
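
An added example, not part of the original messages or of BIND: the time check behind the BADTIME (18) error in the quoted log line, written against the TSIG RDATA layout in RFC 2845. The sample record, its dummy MAC, the 300-second fudge, the timestamp and the helper names are constructed for illustration.

```python
import struct

BADTIME = 18  # TSIG error code seen in the quoted log line (RFC 2845)

def read_name(buf, off):
    """Read an uncompressed wire-format domain name; return (text, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n > 63:
            raise ValueError("compressed or invalid label in TSIG algorithm name")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def parse_tsig_rdata(rdata):
    """Parse TSIG RDATA: algorithm, 48-bit time signed, fudge, MAC, id, error, other."""
    alg, off = read_name(rdata, 0)
    hi, lo, fudge, mac_len = struct.unpack_from("!HIHH", rdata, off)
    off += 10
    mac = rdata[off:off + mac_len]
    off += mac_len
    orig_id, error, other_len = struct.unpack_from("!HHH", rdata, off)
    off += 6
    other = rdata[off:off + other_len]
    if len(mac) != mac_len or len(other) != other_len or off + other_len != len(rdata):
        raise ValueError("truncated or oversized TSIG RDATA")
    return {"algorithm": alg, "time_signed": (hi << 32) | lo, "fudge": fudge,
            "mac": mac, "original_id": orig_id, "error": error, "other": other}

def time_check(tsig, now):
    """Return (ok, skew): ok is False when |now - time_signed| exceeds fudge."""
    skew = now - tsig["time_signed"]
    return abs(skew) <= tsig["fudge"], skew

def build_sample(time_signed, fudge, error=0, other=b""):
    """Constructed sample RDATA with a dummy 16-byte MAC, for the demo only."""
    alg = b"\x08hmac-md5\x07sig-alg\x03reg\x03int\x00"
    return (alg + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 16)
            + bytes(16) + struct.pack("!HHH", 0x1234, error, len(other)) + other)

if __name__ == "__main__":
    signed = 979769767  # constructed timestamp (seconds since the Unix epoch)
    req = parse_tsig_rdata(build_sample(signed, 300))
    for server_now in (signed + 120, signed + 420):  # constructed receiver clocks
        ok, skew = time_check(req, server_now)
        print(f"skew {skew:+d}s fudge {req['fudge']}s ->", "ok" if ok else f"BADTIME ({BADTIME})")
```

In a BADTIME response, RFC 2845 has the server place its own 48-bit clock value in the Other Data field, so comparing that value with the local clock shows the skew directly.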


