TSIG Zone Transfer fails

Mark_Andrews at isc.org
Thu Oct 25 06:40:01 UTC 2001

> I'm using secondary.com for slave DNS service.  I have TSIG configured
> for zone updates.  Everything was working great until today.  Now zone
> transfers refuse to happen.
> Get this in logs
> request has invalid signature: tsig verify failure
> I have not touched my named.conf which contains all the key and
> transfer data.  Secondary.com says everything is cool on their end.
> My only clue is that my system / hardware clock seems to be screwed
> up.  My evidence is this.  When I ping myself I get this message.
> Warning: time of day goes back, taking countermeasures.

	Not good.

> I understand that TSIG uses a timestamp as one of its verification
> methods.  If my time is screwed up I can see that this would cause a
> failure.

	The timestamp is integral to the replay detection.  There is
	a couple of minutes' difference allowed, however.

> I tried several methods of updating my clock including
> resetting my machine
> updating system time with rdate and a Time server and then updating
> hardware time with system time and then resetting
> none of these seem to work.  I still get the same message when I ping
> myself.
> Maybe I am heading down the wrong path with this time thing.  The only
> other significant event that I have done to my machine is set up qmail.
> Any ideas?
> Some info
> Redhat Linux 7.1 with kernel 2.4.9
> Bind 9.1.0

	BIND 9.1.3 is the latest release and it will differentiate
	between clock skew and other forms of TSIG failure in its
	error messages.


> domain halfdimension.com (nameserver ns1.halfdimension.com)
> IP address
> Thanks
> Kevin
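
Added example, not part of the original message and not BIND's code: a Python version of the receiver-side checks on a TSIG-signed request, showing that a clock outside the allowed window is a different failure (BADTIME) from a bad MAC (BADSIG). The key name, secret, request bytes, the hmac-sha256 algorithm and the 300-second window are assumptions made for the illustration, and only the request case is covered.

```python
import hashlib
import hmac
import struct

ALG = "hmac-sha256"   # assumed algorithm name for this illustration
FUDGE = 300           # seconds of permitted skew (assumed; RFC 2845 suggests 300)

def name_wire(name):
    """Encode a domain name in lowercase, uncompressed DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(key_name, time_signed, fudge):
    """TSIG fields covered by the MAC: name, class ANY, TTL 0, algorithm,
    48-bit time signed, 16-bit fudge, error 0, no other data."""
    return (name_wire(key_name) + struct.pack("!HI", 255, 0) + name_wire(ALG)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", 0, 0))

def sign_request(message, key_name, secret, time_signed, fudge=FUDGE):
    """MAC over the request bytes followed by the TSIG variables."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()

def verify_request(message, key_name, secret, time_signed, fudge, mac, now):
    """Return the TSIG error a receiver would report for this request."""
    expected = sign_request(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"    # wrong key or altered message
    if abs(now - time_signed) > fudge:
        return "BADTIME"   # signature is fine, clocks disagree
    return "NOERROR"

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    msg, key, secret = b"constructed-axfr-request", "transfer-key.", b"constructed-secret"
    signed_at = 1_000_000_000
    mac = sign_request(msg, key, secret, signed_at)
    for label, now in [("clock in sync", signed_at + 120),
                       ("clock an hour behind", signed_at - 3600)]:
        print(label, "->", verify_request(msg, key, secret, signed_at, FUDGE, mac, now))
    print("altered request ->",
          verify_request(msg + b"x", key, secret, signed_at, FUDGE, mac, signed_at))
```

A request whose MAC verifies but whose timestamp falls outside the window points at the clocks rather than at the key configuration, which is the distinction the reply says newer BIND error messages make.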
