Hello! We noticed that one of our slave NSD servers stopped updating its zones, and are trying to find out why. The problem we faced is that there's no understanding why it says what it says. Even after looking at the code it does not make it clear :)

Here are the error messages for one domain:

11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15@54: tsig error (Bad Time)
11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15@54: bad tsig signature
11:37:18 panda nsd[1094]: xfrd: zone corpit.ru received error code SERVER NOT AUTHORITATIVE FOR ZONE from 192.168.177.15@54

(yes we run nsd on a non-standard port, that's not a problem).

I can only guess the main error is "Bad Time", and the other two are the causes (but again I can be wrong). But even for the first "BADTIME" error, - is it coming from the DNSSEC stuff (if yes, what the problem is?), or from the usage of authorization key when doing XFR?

Here's our config for the transfer:

master (192.168.177.15):

zone:
  name: "corpit.ru"
  zonefile: "/var/lib/dns/corpit.ru.signed"
  # panda
  notify: 192.168.19.1@54 mother2panda
  provide-xfr: 192.168.19.1 mother2panda

key:
  name: mother2panda
  algorithm: hmac-sha1
  secret: "..."

and the secondary (panda):

zone:
  name: "corpit.ru"
  zonefile: "corpit.ru"
  request-xfr: AXFR 192.168.177.15@54 mother2panda
  allow-notify: 192.168.177.15 mother2panda

(with the same key definition).

Thanks!

/mjt
On 01/08/2021 10:52, Michael Tokarev via nsd-users wrote:

Hi Michael,

> Here are the error messages for one domain:
>
> 11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15@54:
> tsig error (Bad Time)
> 11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15@54:
> bad tsig signature
> 11:37:18 panda nsd[1094]: xfrd: zone corpit.ru received error code
> SERVER NOT AUTHORITATIVE FOR ZONE from 192.168.177.15@54
>
> (yes we run nsd on a non-standard port, that's not a problem).
>
> I can only guess the main error is "Bad Time", and
> the other two are the causes (but again I can be
> wrong). But even for the first "BADTIME" error, -
> is it coming from the DNSSEC stuff (if yes, what the
> problem is?), or from the usage of authorization key
> when doing XFR?

TSIG requires the time on the primary and secondary to be synchronised to within 5 minutes. Check the system time on your two servers. One of them has probably drifted more than 5 minutes. If you're not already running something like ntp or chrony, you should do that to keep the time accurate on these servers.

Regards,
Anand
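As an added illustration of the 5-minute window Anand describes (this is example code written for this page, not code from the thread or from NSD), here is a small Python model of TSIG verification as RFC 8945 lays it out: an HMAC-SHA1 over the message plus the Time Signed and Fudge fields, checked MAC-first (BADSIG) and then against the verifier's own clock (BADTIME). The secret, message and timestamps are constructed placeholders; the message is a stand-in for the DNS wire-format request, not a real AXFR packet, and the 300-second fudge is the RFC's recommended default, which is where the "5 minutes" comes from.

```python
"""TSIG time-window check modelled on RFC 8945 (hmac-sha1).

Added example for this thread; not code from NSD. The 'message' is a
constructed stand-in for the DNS wire-format request, not a real AXFR packet.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

DEFAULT_FUDGE = 300  # seconds; RFC 8945's recommended value (5 minutes)


def tsig_time_fields(time_signed: int, fudge: int) -> bytes:
    """Encode the 48-bit Time Signed and 16-bit Fudge fields as on the wire."""
    return struct.pack(">Q", time_signed)[2:] + struct.pack(">H", fudge)


def tsig_sign(secret: bytes, message: bytes, time_signed: int,
              fudge: int = DEFAULT_FUDGE) -> tuple[bytes, bytes]:
    """Return (time_fields, mac); the MAC covers message || time_fields,
    so a peer cannot adjust the timestamp without invalidating the MAC."""
    fields = tsig_time_fields(time_signed, fudge)
    mac = hmac.new(secret, message + fields, hashlib.sha1).digest()
    return fields, mac


def tsig_verify(secret: bytes, message: bytes, fields: bytes, mac: bytes,
                now: int) -> str:
    """Verify in RFC 8945 order: MAC first (BADSIG), then time window (BADTIME)."""
    expected = hmac.new(secret, message + fields, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    time_signed = int.from_bytes(fields[:6], "big")
    fudge = int.from_bytes(fields[6:8], "big")
    # Accept only if the signer's clock is within +/- fudge of ours.
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


# Constructed values: neither the real shared secret nor a real DNS message.
SECRET = b"constructed-shared-secret-for-mother2panda"
MESSAGE = b"AXFR corpit.ru (constructed stand-in for the signed request)"


def transfer_outcome(clock_skew_seconds: int, tamper: bool = False) -> str:
    """Sign on a primary whose clock is off by clock_skew_seconds, then
    verify on a secondary whose clock reads 'now'. Returns the TSIG rcode name."""
    now = 1_628_000_000  # constructed epoch timestamp on the verifying side
    fields, mac = tsig_sign(SECRET, MESSAGE, now + clock_skew_seconds)
    message = MESSAGE + b"x" if tamper else MESSAGE  # tamper = altered body
    return tsig_verify(SECRET, message, fields, mac, now)


if __name__ == "__main__":
    for skew in (0, 120, -299, 301, 600):
        print(f"primary clock skew {skew:+5d}s -> {transfer_outcome(skew)}")
    print("altered message body      ->", transfer_outcome(0, tamper=True))
```

Running it shows that a skew of up to 300 seconds in either direction verifies, anything beyond that is rejected as BADTIME even though the key is correct, and a modified message fails as BADSIG before the time is ever looked at. That matches the diagnosis in the reply: a correct key plus "Bad Time" points at clock drift between the two servers, not at the key or at DNSSEC, so the fix is time synchronisation (ntp or chrony) rather than key changes.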