[nsd-users] query: bad tsig signature for key

Anand Buddhdev anandb at ripe.net
Thu May 16 14:14:21 UTC 2024


Hi Laura,

TSIG failures can occur if the time on the client and server differs by
more than 5 minutes. Perhaps the time on one of the systems (likely the
primary) is wrong by more than 5 minutes.

Regards,
Anand

On Thu, 16 May 2024 at 10:41, n5d9xq3ti233xiyif2vp--- via nsd-users <
nsd-users at lists.nlnetlabs.nl> wrote:

> Could someone kindly explain what "query: bad tsig signature for key"
> means and how to fix it ?
>
>
> I have quadruple checked (a) tsig key matches both sides (b) tsig algo
> matches both sides.
>
>
> Primary is PowerDNS 4.9.0 (from the PowerDNS repo)
> Secondaries are NSD 4.6.1 (from Debian Bookworm distro repo)
>
>
> The secondaries do not receive notifies from primary, instead posting the
> above error to logs. So they are currently relying on SOA pull refresh
> behaviour.
>
>
> Setting "verbosity:2" in nsd.conf has absolutely zero effect.  It produces
> zero extra detail in logs.
>
>
> Thanks !
>
>
> Laura
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20240516/b5687d99/attachment.htm>


More information about the nsd-users mailing list