n5d9xq3ti233xiyif2vp at pm.me
2024-May-16 06:48 UTC
[nsd-users] query: bad tsig signature for key
Could someone kindly explain what "query: bad tsig signature for key" means and how to fix it ? I have quadruple checked (a) tsig key matches both sides (b) tsig algo matches both sides. Primary is PowerDNS 4.9.0 (from the PowerDNS repo) Secondaries are NSD 4.6.1 (from Debian Bookworm distro repo) The secondaries do not receive notifies from primary, instead posting the above error to logs. So they are currently relying on SOA pull refresh behaviour. Setting "verbosity:2" in nsd.conf has absolutely zero effect.? It produces zero extra detail in logs. Thanks ! Laura
Hi Laura, TSIG failures can occur if the time on the client and server differs by more than 5 minutes. Perhaps the time on one of the systems (likely the primary) is wrong by more than 5 minutes. Regards, Anand On Thu, 16 May 2024 at 10:41, n5d9xq3ti233xiyif2vp--- via nsd-users < nsd-users at lists.nlnetlabs.nl> wrote:> Could someone kindly explain what "query: bad tsig signature for key" > means and how to fix it ? > > > I have quadruple checked (a) tsig key matches both sides (b) tsig algo > matches both sides. > > > Primary is PowerDNS 4.9.0 (from the PowerDNS repo) > Secondaries are NSD 4.6.1 (from Debian Bookworm distro repo) > > > The secondaries do not receive notifies from primary, instead posting the > above error to logs. So they are currently relying on SOA pull refresh > behaviour. > > > Setting "verbosity:2" in nsd.conf has absolutely zero effect. It produces > zero extra detail in logs. > > > Thanks ! > > > Laura > > _______________________________________________ > nsd-users mailing list > nsd-users at lists.nlnetlabs.nl > https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20240516/b5687d99/attachment.htm>