Could someone kindly explain what "query: bad tsig signature for key" means and how to fix it?
I have quadruple checked (a) tsig key matches both sides (b) tsig algo matches both sides.
Primary is PowerDNS 4.9.0 (from the PowerDNS repo)
Secondaries are NSD 4.6.1 (from Debian Bookworm distro repo)
The secondaries do not receive notifies from primary, instead posting the above error to logs. So they are currently relying on SOA pull refresh behaviour.
Setting "verbosity:2" in nsd.conf has absolutely zero effect. It produces zero extra detail in logs.
Thanks!
Laura
Hi Laura,
TSIG failures can occur if the time on the client and server differs by more than 5 minutes. Perhaps the time on one of the systems (likely the primary) is wrong by more than 5 minutes.
Regards,
Anand
Hi,
At least with a recent version, if it is a time sync issue, NSD will log a specific message for that.
Laura,
Can you send over the actual configuration?
(maybe replacing the key with a placeholder or rotating the keys afterwards)
It sounds strange if NSD checks TSIG on the NOTIFY but allows XFR without it.
Regards,
Tamás
It wasn't time sync.
In the end I discovered that there is apparently such a thing as a minimum TSIG key length?
My original key was generated using "openssl rand -base64 32".
I generated a new key with pdnsutil from PowerDNS instead (pdnsutil generate-tsig-key mykey hmac-sha256) and everything started working. The output from pdnsutil was longer; I didn't check the size, but it was visibly longer than the openssl output.
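As an added illustration of the checks the thread circles around (key bytes, algorithm, clock skew), and not code from NSD, PowerDNS or any poster, the following computes and verifies an RFC 8945 TSIG MAC over a constructed NOTIFY message. It decodes a base64 secret to report its byte length (an `openssl rand -base64 32` key decodes to 32 bytes) and returns the TSIG error a server would report, checking the MAC before the time window as the RFC orders. Keys, key name and message bytes are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

# RFC 8945 algorithm names mapped to the hash each HMAC uses.
ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}

# Constructed sample secrets (not from the thread): a 32-byte key, the size
# "openssl rand -base64 32" yields, and a 64-byte key for comparison.
KEY_32 = base64.b64encode(bytes(range(32))).decode()
KEY_64 = base64.b64encode(bytes(range(64))).decode()
# Constructed stand-in for a NOTIFY on the wire: header (opcode NOTIFY, AA) + SOA question.
NOTIFY_MSG = bytes.fromhex("abcd24000001000000000000") + b"\x07example\x03com\x00\x00\x06\x00\x01"

def decoded_key_length(secret_b64: str) -> int:
    """Byte length of a base64 TSIG secret; raises binascii.Error on malformed base64."""
    return len(base64.b64decode(secret_b64, validate=True))

def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def tsig_mac(secret_b64, key_name, algo, message, time_signed, fudge=300):
    """HMAC over the request bytes followed by the TSIG variables (RFC 8945 s4.3.3)."""
    variables = (name_to_wire(key_name) + struct.pack("!HI", 255, 0)   # key name, class ANY, TTL 0
                 + name_to_wire(algo) + time_signed.to_bytes(6, "big")  # algorithm, 48-bit time signed
                 + struct.pack("!HHH", fudge, 0, 0))                     # fudge, error, other len
    key = base64.b64decode(secret_b64, validate=True)
    return hmac.new(key, message + variables, ALGORITHMS[algo]).digest()

def verify(secret_b64, key_name, algo, message, time_signed, fudge, mac, now):
    """Validate in RFC 8945 s5.2 order; return 'ok' or the error the server would report."""
    if algo not in ALGORITHMS:
        return "BADKEY: unknown algorithm"
    expected = tsig_mac(secret_b64, key_name, algo, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG: bad tsig signature"          # the message seen in the thread
    if abs(now - time_signed) > fudge:
        return "BADTIME: clock skew exceeds fudge"   # distinct error for time skew
    return "ok"

if __name__ == "__main__":
    t = 1_700_000_000
    mac = tsig_mac(KEY_32, "mykey", "hmac-sha256", NOTIFY_MSG, t)
    print(decoded_key_length(KEY_32), decoded_key_length(KEY_64))
    print(verify(KEY_32, "mykey", "hmac-sha256", NOTIFY_MSG, t, 300, mac, t + 5))
    print(verify(KEY_64, "mykey", "hmac-sha256", NOTIFY_MSG, t, 300, mac, t + 5))
    print(verify(KEY_32, "mykey", "hmac-sha256", NOTIFY_MSG, t, 300, mac, t + 600))
```

Swapping in the real secret from each side's configuration and comparing `decoded_key_length` on both is a quick way to confirm the primary and secondary actually hold the same bytes rather than merely similar-looking strings.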