[nsd-users] xfr errors
Michael Tokarev
mjt at tls.msk.ru
Sun Aug 1 08:52:06 UTC 2021
Hello!
We noticed that one of our slave NSD servers
stopped updating its zones, and are trying to
find out why. The problem we faced is that
there's no understanding why it says what it
says. Even after looking at the code it does
not make it clear :)
Here are the error messages for one domain:
11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15@54: tsig error (Bad Time)
11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15@54: bad tsig signature
11:37:18 panda nsd[1094]: xfrd: zone corpit.ru received error code SERVER NOT AUTHORITATIVE FOR ZONE from 192.168.177.15@54
(yes we run nsd on a non-standard port, that's not a problem).
I can only guess the main error is "Bad Time", and
the other two are the causes (but again I can be
wrong). But even for the first "BADTIME" error,
is it coming from the DNSSEC stuff (if yes, what is the
problem?), or from the usage of authorization key
when doing XFR?
Here's our config for the transfer:
master (192.168.177.15):
zone:
    name: "corpit.ru"
    zonefile: "/var/lib/dns/corpit.ru.signed"
    # panda
    notify: 192.168.19.1@54 mother2panda
    provide-xfr: 192.168.19.1 mother2panda
key:
    name: mother2panda
    algorithm: hmac-sha1
    secret: "..."
and the secondary (panda):
zone:
    name: "corpit.ru"
    zonefile: "corpit.ru"
    request-xfr: AXFR 192.168.177.15@54 mother2panda
    allow-notify: 192.168.177.15 mother2panda
(with the same key definition).
Thanks!
/mjt
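
Added example, not part of the original message and not NSD code: BADTIME is a TSIG error (RFC 8945), raised when the signer's timestamp falls outside the verifier's clock plus or minus the fudge, so it belongs to the keyed transfer rather than to DNSSEC. The sketch below shows that time check and sorts xfrd log lines of the shapes quoted above by layer; the sample lines, the verdict labels and the example.org entry are constructed assumptions.

```python
import re
from collections import defaultdict

FUDGE = 300  # seconds; the value RFC 8945 recommends for the TSIG fudge field

def tsig_time_ok(time_signed, local_now, fudge=FUDGE):
    """RFC 8945 time check; a failure here is what yields BADTIME."""
    return abs(local_now - time_signed) <= fudge

# The three xfrd message shapes quoted in the message above.
PATTERNS = [
    ("tsig-time", re.compile(r"zone (\S+), from (\S+): tsig error \(Bad Time\)")),
    ("tsig-sig", re.compile(r"zone (\S+), from (\S+): bad tsig signature")),
    ("rcode", re.compile(r"zone (\S+) received error code .+ from (\S+)$")),
]

# Constructed sample lines modelled on those in the message.
SAMPLE = [
    "11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15@54: tsig error (Bad Time)",
    "11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15@54: bad tsig signature",
    "11:37:18 panda nsd[1094]: xfrd: zone corpit.ru received error code SERVER NOT AUTHORITATIVE FOR ZONE from 192.168.177.15@54",
    "11:40:02 panda nsd[1094]: xfrd: zone example.org, from 192.0.2.1@54: bad tsig signature",
]

def classify(line):
    """Return (zone, master, kind) for a recognised xfrd line, else None."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return m.group(1), m.group(2), kind
    return None

def triage(lines):
    """Group errors per (zone, master) and pick the first thing to check."""
    seen = defaultdict(set)
    for hit in filter(None, map(classify, lines)):
        seen[hit[:2]].add(hit[2])
    out = {}
    for key, kinds in seen.items():
        if "tsig-time" in kinds:
            out[key] = "clock-skew"    # compare the clocks of both servers first
        elif "tsig-sig" in kinds:
            out[key] = "key-mismatch"  # compare key name, algorithm and secret
        else:
            out[key] = "rcode-only"    # no TSIG error logged locally
    return out
```

A signature failure logged next to Bad Time is listed under clock-skew here because the time check is the cheaper one to rule out first; that ordering is a heuristic of this example.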