dig warns that some TSIG could not be validated

Anand Buddhdev anandb at ripe.net
Fri Apr 6 10:21:49 UTC 2018

Hello folks,

I'm on CentOS 7, which has an older version of dig from this package:

# rpm -qf /usr/bin/dig

When I use this dig to AXFR a zone from a Secure64 DNSSEC signer
appliance, I'm seeing this at the end of the AXFR:

;; Query time: 32899 msec
;; WHEN: Fri Apr 06 09:36:38 UTC 2018
;; XFR size: 73829 records (messages 295, bytes 4801484)
;; WARNING -- Some TSIG could not be validated

While I've seen TSIG failures caused by key mismatch, or mismatched time
between servers, I've never seen a warning like this before, about TSIG
validation, and I don't know what it means.

I can't see anything strange with the AXFR. I would appreciate it if one
of the BIND developers could explain what this warning means, and
whether it is something to be worried about.

