On 01/08/2021 10:52, Michael Tokarev via nsd-users wrote:
Hi Michael,

> Here are the error messages for one domain:
>
> 11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15 at 54:
> tsig error (Bad Time)
> 11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15 at 54:
> bad tsig signature
> 11:37:18 panda nsd[1094]: xfrd: zone corpit.ru received error code
> SERVER NOT AUTHORITATIVE FOR ZONE from 192.168.177.15 at 54
>
> (yes we run nsd on a non-standard port, that's not a problem).
>
> I can only guess the main error is "Bad Time", and
> the other two are the causes (but again I can be
> wrong). But even for the first "BADTIME" error, -
> is it coming from the DNSSEC stuff (if yes, what the
> problem is?), or from the usage of authorization key
> when doing XFR?

TSIG requires the time on the primary and secondary to be synchronised
to within 5 minutes. Check the system time on your two servers. One of
them has probably drifted more than 5 minutes. If you're not already
running something like ntp or chrony, you should do that to keep the
time accurate on these servers.

Regards,
Anand
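
The following is an added example, not part of the original message and not NSD's own code: it scans xfrd log lines like the ones quoted above for TSIG "Bad Time" errors, grouped by zone and primary, and models the 5-minute time window the reply describes. The function names and the `FUDGE_SECONDS` constant are hypothetical; the sample lines are the quoted ones, re-joined where the mail client wrapped them.

```python
import re
from collections import defaultdict

FUDGE_SECONDS = 300  # assumption: the 5-minute window mentioned in the reply

# Log lines from the quoted message, re-joined onto single lines.
SAMPLE_LOG = """\
11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15 at 54: tsig error (Bad Time)
11:25:35 panda nsd[1094]: xfrd: zone corpit.ru, from 192.168.177.15 at 54: bad tsig signature
11:37:18 panda nsd[1094]: xfrd: zone corpit.ru received error code SERVER NOT AUTHORITATIVE FOR ZONE from 192.168.177.15 at 54
"""

# Matches only the "tsig error (<reason>)" form; the port is optional.
TSIG_ERR = re.compile(
    r"xfrd: zone (?P<zone>\S+), from (?P<primary>\S+)(?: at (?P<port>\d+))?: "
    r"tsig error \((?P<error>[^)]+)\)"
)


def tsig_errors(log_text):
    """Return {(zone, primary, port): [error, ...]} for xfrd TSIG errors."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = TSIG_ERR.search(line)
        if m:
            found[(m["zone"], m["primary"], m["port"])].append(m["error"])
    return dict(found)


def clock_skew_suspects(log_text):
    """Zone/primary pairs that failed with Bad Time, where clocks need checking."""
    return sorted(k for k, errs in tsig_errors(log_text).items()
                  if "Bad Time" in errs)


def within_fudge(time_signed, local_now, fudge=FUDGE_SECONDS):
    """True when the signer's timestamp is within `fudge` seconds of our clock."""
    return abs(local_now - time_signed) <= fudge


if __name__ == "__main__":
    for zone, primary, port in clock_skew_suspects(SAMPLE_LOG):
        print(f"{zone}: compare system time with {primary} (port {port})")
```
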