2011/08/13

TSIG-based zone transfer and clock sync

For a long time, I was puzzled why accurate time sync is needed between master and slave nameservers in Transaction Signature (TSIG) based zone transfer. I finally got the answer.

To recap the concept of TSIG, we must recognize that a slave server trusts a master server based on the IP address in its config file. But an IP address can be spoofed, so there is a real likelihood of an attacker passing a tampered zone file to the slave server. A better approach is for master and slave to share a common key. The master server generates a signature over a hash of the zone data, while the slave decrypts the signature to recover the hash and compares it against the hash of the zone file it received.

When the signature is generated, a timestamp is placed in a particular field. The timestamp is used to reject replayed messages later on, because a replayed message's timestamp will deviate too far from the current system clock. If I still remember correctly, the tolerance for the timestamp is 5 minutes in BIND. A replay attack only works if the attacker mounts it within the next 5 minutes; otherwise the zone file together with its signature is ignored. By the same logic, if the system clocks of master and slave differ by more than 5 minutes, a legitimate TSIG-based zone transfer will also fail.

That is why the master and slave must sync with an NTP server more frequently.
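The following is an added example, not code from the original post or from BIND. It models the check described above in Python: the master computes a keyed MAC over the zone data plus the signing time (real TSIG, per RFC 8945, uses an HMAC with a shared secret rather than an encrypted hash, and the 5-minute tolerance is the "fudge" field), and the slave first checks the MAC and then checks that the signing time lies within the fudge window of its own clock. The key, zone bytes, clock values and the simplified byte layout are constructed for the example; real TSIG signs the full DNS message in wire format.

```python
import hashlib
import hmac

# BIND's default TSIG fudge window: 300 seconds (the 5 minutes the post recalls)
FUDGE_SECONDS = 300


def tsig_sign(key: bytes, zone_bytes: bytes, now: int):
    """Master side: bind the zone data to the signing time with an HMAC.

    Returns (time_signed, mac). The time is included in the MAC input so a
    replayed copy cannot simply be re-stamped with a fresh time.
    """
    time_signed = now
    # Simplified layout (constructed for this example): data || 48-bit time
    mac = hmac.new(key, zone_bytes + time_signed.to_bytes(6, "big"), hashlib.sha256).digest()
    return time_signed, mac


def tsig_verify(key: bytes, zone_bytes: bytes, time_signed: int, mac: bytes,
                now: int, fudge: int = FUDGE_SECONDS) -> str:
    """Slave side: returns 'NOERROR', 'BADSIG' or 'BADTIME'.

    Order follows RFC 8945: the MAC is checked before the time, so a forged
    message is rejected as BADSIG even if its timestamp happens to be fresh.
    """
    expected = hmac.new(key, zone_bytes + time_signed.to_bytes(6, "big"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"          # wrong key, or zone data altered in transit
    # |now - time_signed| must be within the fudge window. This is exactly the
    # check that fails when master and slave clocks have drifted apart.
    if abs(now - time_signed) > fudge:
        return "BADTIME"         # replayed message, or clocks out of sync
    return "NOERROR"


def transfer_scenarios():
    """Run the cases discussed in the post; returns {scenario: verdict}."""
    key = b"constructed-demo-key-not-a-real-secret"   # constructed shared key
    zone = b"example. IN SOA ns1.example. hostmaster.example. 2011081301 ..."  # constructed zone data
    master_clock = 1_313_193_600                      # constructed epoch seconds
    time_signed, mac = tsig_sign(key, zone, master_clock)
    return {
        # slave clock 1 minute off: inside the window, transfer accepted
        "clocks_within_fudge": tsig_verify(key, zone, time_signed, mac, master_clock + 60),
        # slave clock 10 minutes ahead: legitimate transfer rejected
        "slave_clock_drifted": tsig_verify(key, zone, time_signed, mac, master_clock + 600),
        # same message replayed 10 minutes later: rejected for the same reason
        "replay_after_window": tsig_verify(key, zone, time_signed, mac, master_clock + 600),
        # zone file tampered with by a spoofing host: MAC no longer matches
        "tampered_zone": tsig_verify(key, zone + b" tampered", time_signed, mac, master_clock),
        # sender without the shared key cannot produce a valid MAC
        "wrong_key": tsig_verify(b"attacker-guess", zone, time_signed, mac, master_clock),
    }


if __name__ == "__main__":
    for name, verdict in transfer_scenarios().items():
        print(f"{name:>22}: {verdict}")
```

Note that a drifted clock and a genuine replay are indistinguishable to the slave: both surface as BADTIME, which is why keeping both servers on NTP is a prerequisite for TSIG rather than an optional nicety.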
