cstamas+nsd at cstamas.hu
2024-May-17 06:34 UTC
[nsd-users] query: bad tsig signature for key
hi,

At least with a recent version, if it is a time sync issue nsd will log a specific message about that.

Laura,
can you send over the actual configuration?
(maybe replacing the key with a placeholder or rotating the keys afterwards)

It sounds strange if nsd checks tsig on the notify, but allows xfr without it.

Regards,
Tamás

May 16, 2024 16:14:59 Anand Buddhdev via nsd-users <nsd-users at lists.nlnetlabs.nl>:

> Hi Laura,
>
> TSIG failures can occur if the time on the client and server differs by more than 5 minutes. Perhaps the time on one of the systems (likely the primary) is wrong by more than 5 minutes.
>
> Regards,
> Anand
>
> On Thu, 16 May 2024 at 10:41, n5d9xq3ti233xiyif2vp--- via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:
>
>> Could someone kindly explain what "query: bad tsig signature for key" means and how to fix it?
>>
>> I have quadruple checked (a) tsig key matches both sides (b) tsig algo matches both sides.
>>
>> Primary is PowerDNS 4.9.0 (from the PowerDNS repo)
>> Secondaries are NSD 4.6.1 (from Debian Bookworm distro repo)
>>
>> The secondaries do not receive notifies from primary, instead posting the above error to logs. So they are currently relying on SOA pull refresh behaviour.
>>
>> Setting "verbosity:2" in nsd.conf has absolutely zero effect. It produces zero extra detail in logs.
>>
>> Thanks!
>>
>> Laura
>>
>> _______________________________________________
>> nsd-users mailing list
>> nsd-users at lists.nlnetlabs.nl
>> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
n5d9xq3ti233xiyif2vp at pm.me
2024-May-17 15:34 UTC
[nsd-users] query: bad tsig signature for key
It wasn't time sync. In the end I discovered that there is apparently such a thing as a minimum tsig key length? My original key was generated using "openssl rand -base64 32". I generated a new key with pdnsutil from PowerDNS instead (pdnsutil generate-tsig-key mykey hmac-sha256) and everything started working. The output from pdnsutil was longer; I didn't check the size, but it was visibly longer than the openssl output.

On Friday, 17 May 2024 at 07:34, cstamas+nsd--- via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:

> hi,
>
> At least with a recent version, if it is a time sync issue nsd will log a specific message about that.
>
> Laura,
> can you send over the actual configuration?
> (maybe replacing the key with a placeholder or rotating the keys afterwards)
>
> It sounds strange if nsd checks tsig on the notify, but allows xfr without it.
>
> Regards,
> Tamás
>
> May 16, 2024 16:14:59 Anand Buddhdev via nsd-users <nsd-users at lists.nlnetlabs.nl>:
>
>> Hi Laura,
>>
>> TSIG failures can occur if the time on the client and server differs by more than 5 minutes. Perhaps the time on one of the systems (likely the primary) is wrong by more than 5 minutes.
>>
>> Regards,
>> Anand
>>
>> On Thu, 16 May 2024 at 10:41, n5d9xq3ti233xiyif2vp--- via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:
>>
>>> Could someone kindly explain what "query: bad tsig signature for key" means and how to fix it?
>>>
>>> I have quadruple checked (a) tsig key matches both sides (b) tsig algo matches both sides.
>>>
>>> Primary is PowerDNS 4.9.0 (from the PowerDNS repo)
>>> Secondaries are NSD 4.6.1 (from Debian Bookworm distro repo)
>>>
>>> The secondaries do not receive notifies from primary, instead posting the above error to logs. So they are currently relying on SOA pull refresh behaviour.
>>>
>>> Setting "verbosity:2" in nsd.conf has absolutely zero effect. It produces zero extra detail in logs.
>>>
>>> Thanks!
>>>
>>> Laura
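The two failure classes raised in this thread, a secret that does not match on both sides and a clock that is off by more than the 5-minute fudge, as an added example that is not from the thread and not NSD or PowerDNS code: a minimal RFC 8945 request-MAC computation over a constructed NOTIFY message. The key name `mykey`, the 32-byte secret and the zone `example.com` are assumed values.

```python
import base64, hashlib, hmac, struct

ALGO = "hmac-sha256."      # TSIG algorithm name, as carried in the TSIG RR
KEY_NAME = "mykey."        # assumed key name (the name pdnsutil was given in the thread)
FUDGE = 300                # allowed clock skew in seconds; 300 s is the usual default
# constructed secret: base64 of 32 bytes, the size "openssl rand -base64 32" produces
SECRET = base64.b64decode("QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=")

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [l.encode() for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def tsig_variables(key_name, algo, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)     # class ANY, TTL 0
            + wire_name(algo)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def compute_mac(secret, message, key_name, time_signed, fudge=FUDGE):
    """Request MAC: HMAC over the unsigned DNS message plus the TSIG variables."""
    data = message + tsig_variables(key_name, ALGO, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()

def verify(secret, message, key_name, mac, time_signed, fudge, now):
    """Classify a received TSIG the way a server does: MAC first, then the time window."""
    expected = compute_mac(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"   # secret (or algorithm) differs: NSD logs "bad tsig signature for key"
    if abs(now - time_signed) > fudge:
        return "BADTIME"  # genuine signature, but clocks differ by more than the fudge
    return "NOERROR"

def build_notify(zone="example.com."):
    """Constructed NOTIFY request: header (opcode 4, AA set) plus one SOA question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x2400, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)  # type SOA, class IN

def demo(time_signed=1715900000):
    """Sign one NOTIFY and verify it under the conditions discussed in the thread."""
    msg = build_notify()
    mac = compute_mac(SECRET, msg, KEY_NAME, time_signed)
    other_secret = b"B" * 32  # constructed: a different key of the same length
    return {
        "same key, clocks in sync": verify(SECRET, msg, KEY_NAME, mac, time_signed, FUDGE, time_signed + 10),
        "same key, 10 minutes skew": verify(SECRET, msg, KEY_NAME, mac, time_signed, FUDGE, time_signed + 600),
        "mismatched key": verify(other_secret, msg, KEY_NAME, mac, time_signed, FUDGE, time_signed),
    }
```

`demo()` returns the three outcomes; a server checks the MAC before the time window, so a wrong secret is reported as BADSIG even when the clocks agree, while skew beyond the fudge only surfaces as BADTIME once the key is right.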