#1
DNS update TSIG expired problem
Hello everybody,

I've set up a DNS (BIND 9.2.3, in Mandrake 10) and I have the following problem: I want to send dynamic updates in order to change the A RR of a mobile node. This is what I've done so far:

1) Created a TSIG key using the command:
dnssec-keygen -a hmac-md5 -b 128 -n HOST hermes.thedomain.

2) Inserted it in the named.conf file like this:
key hermes.thedomain. { algorithm hmac-md5; secret "blablabla found in the .private file=="; };

3) Used the following syntax in the zone section of the named.conf file:
update-policy { grant hermes.thedomain. name hermes.thedomain. A; };
or grant herme.thedomain. self A;
or even grant *.thedomain. self A;

The RR I want to update is that of hermes.thedomain. In order to do that I use the dnsjava-1.6.2 API.

Now the problem: the DNS always rejects my update because (as mentioned in the log) the TSIG I use is expired ("Signature has expired"). Is it something with TTL? (I don't think so, but I tried different values, not successfully.) Can you help?

Thanks in advance,
Ntinoas
#2
Yay, an expert question!

Not only have I set up dynamic update with TSIG, but I've even coded an IP update client that makes use of it. I can most definitely help you.

Now you say that the error is "signature has expired". Assuming that is indeed the error, the problem is the SIGTIME field in the request's TSIG record data. This has nothing to do with TTL. When the client forges the update request, it includes the system's current time. When the server receives the request, part of the authentication process is making sure that the packet isn't too old. The client also tells the server how long before the packet expires. If the server determines that the server system time is older than the client system time + expire offset, then it rejects the request.

Now that you know what's going on, there are a few ways to fix the problem:

1) If this is at all possible, then this is what you need to do: sync up the client's time with the server's time.
2) Increase the expire value. This is configurable in the nsupdate utility that comes with BIND.
3) This is the last resort, and it is what I had to do for my own dynamic IP clients: code your own dynamic IP client that grabs the server's time, then sends the request using the server's time. Implementation varies.

P.S. If you're having problems updating the record locally, then the SIGTIME field is not the problem and you should let me know and I'll diagnose the problem for myself.
Last edited by SilentRage: May 7th, 2004 at 09:03 AM.
#3
Problem solved... time zone...

Thank you very much for your help!!

The problem was with the time zone of the system. While the clock was set correctly (right time for Athens), the time zone was that of New York, causing the system to shift the clock 7 hours forward and thus discarding the update request.

Ntinoas.
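The time-window check SilentRage describes, and the 7-hour time zone skew that tripped it in the last post, modelled as an added example (not code from the thread, from BIND or from dnsjava). It encodes the TSIG "time signed" and "fudge" fields the way RFC 2845 lays them out and applies the server-side acceptance test; the function names and the 300-second default fudge (the value RFC 2845 recommends) are assumptions.

```python
import struct
import time
from typing import Optional, Tuple

# Added example, not code from the thread. Models the TSIG time-window check a
# server such as BIND performs on the "time signed" and "fudge" fields of a
# signed dynamic update (RFC 2845 section 4.5.2). Names are assumptions.

BADTIME = 18         # TSIG extended RCODE for a signature outside the window
DEFAULT_FUDGE = 300  # seconds; the value RFC 2845 recommends (assumed default)


def tsig_timers(time_signed: int, fudge: int = DEFAULT_FUDGE) -> bytes:
    """Wire encoding of the TSIG timer fields: 48-bit time signed, 16-bit fudge."""
    return struct.pack("!HIH", (time_signed >> 32) & 0xFFFF,
                       time_signed & 0xFFFFFFFF, fudge)


def parse_timers(wire: bytes) -> Tuple[int, int]:
    """Decode the timer fields back into (time_signed, fudge)."""
    hi, lo, fudge = struct.unpack("!HIH", wire[:8])
    return (hi << 32) | lo, fudge


def check_time_window(time_signed: int, fudge: int, server_now: int) -> Optional[int]:
    """Return None if the signature is inside the window, else BADTIME.

    The server accepts the request only if |server_now - time_signed| <= fudge,
    so a client clock that is ahead OR behind by more than fudge is rejected.
    """
    if abs(server_now - time_signed) <= fudge:
        return None
    return BADTIME


def explain(time_signed: int, fudge: int, server_now: int) -> str:
    """Verdict plus the client/server clock skew in hours, as a log line would show it."""
    rc = check_time_window(time_signed, fudge, server_now)
    skew_h = (time_signed - server_now) / 3600
    if rc is None:
        return f"accepted (client clock {skew_h:+.2f} h from server, fudge {fudge}s)"
    return f"rejected BADTIME: client clock {skew_h:+.2f} h from server exceeds fudge {fudge}s"


if __name__ == "__main__":
    now = int(time.time())
    # Constructed case from the thread: correct wall-clock time but a New York
    # time zone on an Athens machine, so the client signs 7 hours ahead.
    skewed, fudge = parse_timers(tsig_timers(now + 7 * 3600))
    print(explain(skewed, fudge, now))
    # Same client after the time zone is fixed: 20 s of drift is within fudge.
    print(explain(now + 20, DEFAULT_FUDGE, now))
```

Logging the skew in hours, as explain() does, makes a whole-timezone offset stand out from ordinary clock drift when a BADTIME rejection appears in the server log.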