[nsd-users] xfr errors

Anand Buddhdev anandb at ripe.net
Sun Aug 1 09:12:35 UTC 2021


On 01/08/2021 10:52, Michael Tokarev via nsd-users wrote:

Hi Michael,

> Here are the error messages for one domain:
> 
> 11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15 at 54:
> tsig error (Bad Time)
> 11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15 at 54:
> bad tsig signature
> 11:37:18 panda nsd[1094]: xfrd: zone corpit.ru received error code
> SERVER NOT AUTHORITATIVE FOR ZONE from 192.168.177.15 at 54
> 
> (yes we run nsd on a non-standard port, that's not a problem).
> 
> I can only guess the main error is "Bad Time", and
> the other two are the causes (but again I can be
> wrong). But even for the first "BADTIME" error,
> is it coming from the DNSSEC stuff (if yes, what is the
> problem?), or from the usage of authorization key
> when doing XFR?

TSIG requires the time on the primary and secondary to be synchronised
to within 5 minutes. Check the system time on your two servers. One of
them has probably drifted more than 5 minutes. If you're not already
running something like ntp or chrony, you should do that to keep the
time accurate on these servers.

Regards,
Anand
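
The time check behind the "Bad Time" error above, as an added example that is not part of the original message or of NSD's code: it parses a TSIG record's RDATA (field layout per RFC 8945) and applies the receiver's window test. The sample records, the timestamp and the 300-second fudge (matching the 5 minutes mentioned above) are constructed for the demo.

```python
import struct

BADTIME = 18  # TSIG error code for "Bad Time" (RFC 8945)

def skip_name(buf, off):
    """Skip an uncompressed wire-format domain name; return the offset after it."""
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return off
        if length > 63:
            raise ValueError("compressed or invalid label in algorithm name")
        off += length

def parse_tsig_rdata(rdata):
    """Extract the fields of TSIG RDATA that matter for the time check."""
    off = skip_name(rdata, 0)                        # Algorithm Name
    time_signed = int.from_bytes(rdata[off:off + 6], "big")   # 48-bit seconds
    fudge, mac_size = struct.unpack_from("!HH", rdata, off + 6)
    off += 10 + mac_size                             # skip the MAC itself
    _orig_id, error, other_len = struct.unpack_from("!HHH", rdata, off)
    other = rdata[off + 6:off + 6 + other_len]
    if len(other) != other_len:
        raise ValueError("truncated TSIG RDATA")
    return {"time_signed": time_signed, "fudge": fudge,
            "error": error, "other": other}

def check_time(tsig, now):
    """Receiver-side test: outside +/- fudge seconds means BADTIME."""
    skew = now - tsig["time_signed"]
    return abs(skew) <= tsig["fudge"], skew

def peer_clock(tsig):
    """In a BADTIME response, Other Data holds the responder's 48-bit clock."""
    if tsig["error"] == BADTIME and len(tsig["other"]) == 6:
        return int.from_bytes(tsig["other"], "big")
    return None

def build_sample(time_signed, fudge=300, error=0, other=b""):
    """Constructed sample RDATA (hmac-sha256 name, dummy 32-byte MAC)."""
    return (b"\x0bhmac-sha256\x00" + time_signed.to_bytes(6, "big")
            + struct.pack("!HH", fudge, 32) + b"\x00" * 32
            + struct.pack("!HHH", 0x1234, error, len(other)) + other)

if __name__ == "__main__":
    now = 1627810000                                 # constructed local clock
    for age in (120, 420):                           # signer 2 and 7 minutes behind
        ok, skew = check_time(parse_tsig_rdata(build_sample(now - age)), now)
        print(f"skew {skew:+d}s ->", "accepted" if ok else "BADTIME")
```

Comparing `peer_clock()` of a BADTIME response with the local clock shows which side has drifted and by how much.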

