Key Expirey.

Osman Shoukry oshoukry at onepage.com
Mon Mar 26 21:10:34 UTC 2001


Thank you,

Problem fixed
There was a 62 min difference between the two machines. I guess it was less
than 1 hour before, which is why it didn't give this error, and as soon as
they drifted apart more, the error started to appear.



-----Original Message-----
From: Roy.Arends at nominum.com [mailto:Roy.Arends at nominum.com]
Sent: Monday, March 26, 2001 1:06 PM
To: Osman Shoukry
Cc: 'bind-users at isc.org'
Subject: Re: Key Expirey.



On Mon, 26 Mar 2001, Osman Shoukry wrote:

> Hi all,
> I recently set up the TSIG slave to send and retrieve signed requests to the
> master.  However I just noticed today that the TSIG started to fail, and
> when I put the DNS in debug mode to see what is going on, I saw these
> entries:
> 
> Mar 26 11:40:16.747 tsig key 'secret': signature has expired
> Mar 26 11:40:16.747 client slave.ip.address#xx: request has invalid
> signature: tsig verify failure
> 
> In the documentation, nothing is mentioned about what the lifetime of the
> key is, and I thought it would be like the RADIUS authentication shared
> secret, which never expires.
> 
> To have run in TSIG mode, if the keys expire, it seems to me that I have to
> write a script that would generate keys every "expiry date -1" and then
> restart the named.
> 
> I am not sure if this is really how things are, or is there something I am
> overlooking....
> 
> Any input on the subject is greatly appreciated,
> 
> Osman Shoukry

Your log did not say the Key expired, but the signature expired, which is
a fundamental difference. Keys do not expire, signatures do.

The clocks on those machines are probably out of sync, or there is a
significant traffic delay while synchronising data.

Regards,

Roy Arends
Nominum
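
Added example, not part of the original thread and not BIND's own code: a sketch of the time check a TSIG receiver applies to a signed message, per RFC 2845, which compares the "Time Signed" field in the TSIG record against the local clock and rejects the message with BADTIME when the difference exceeds the "Fudge" field. The fudge of 300 seconds (the value RFC 2845 recommends), the timestamp, and the helper names are assumptions; the sample record is constructed and its MAC is a dummy that is not verified.

```python
import struct

BADTIME = 18  # TSIG error code for a signature outside the time window (RFC 2845)

def skip_name(buf, off=0):
    """Return the offset just past an uncompressed wire-format domain name."""
    while buf[off] != 0:
        off += 1 + buf[off]
    return off + 1

def parse_tsig_times(rdata):
    """Extract (time_signed, fudge) from TSIG RDATA: alg name, u48 time, u16 fudge."""
    off = skip_name(rdata)
    hi, lo, fudge = struct.unpack_from("!HIH", rdata, off)
    return (hi << 32) | lo, fudge

def check_time(rdata, now):
    """Return (ok, skew_seconds) for the receiver's clock `now` (Unix seconds)."""
    time_signed, fudge = parse_tsig_times(rdata)
    skew = now - time_signed
    return abs(skew) <= fudge, skew

def build_rdata(time_signed, fudge=300, mac=b"\x00" * 16):
    """Constructed sample TSIG RDATA (dummy MAC; fudge=300 is an assumption)."""
    alg = b"\x08hmac-md5\x07sig-alg\x03reg\x03int\x00"
    times = struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
    tail = struct.pack("!HHH", 0x1234, 0, 0)  # original ID, error, other len
    return alg + times + struct.pack("!H", len(mac)) + mac + tail

if __name__ == "__main__":
    signed = 985606816  # constructed timestamp on the sender's clock
    rdata = build_rdata(signed)
    for drift_min in (2, 62):  # receiver clock ahead of the sender by this much
        ok, skew = check_time(rdata, signed + drift_min * 60)
        verdict = "accepted" if ok else f"rejected (BADTIME={BADTIME})"
        print(f"receiver {drift_min} min ahead: skew={skew}s -> {verdict}")
```

The shared key is identical in both runs; only the clock offset changes the outcome, so the remedy is time synchronisation between the servers rather than key rotation.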




