dig warns that some TSIG could not be validated

Tony Finch dot at dotat.at
Fri Apr 6 10:38:53 UTC 2018

Anand Buddhdev <anandb at ripe.net> wrote:

> ;; WARNING -- Some TSIG could not be validated
> While I've seen TSIG failures caused by key mismatch, or mismatched time
> between servers, I've never seen a warning like this before, about TSIG
> validation, and I don't know what it means.

You should find some comments in the output like:

	;; Couldn't verify signature: ...

which might explain a bit more.

There is a weird bit in the TSIG spec, RFC 2845:

   4.4. TSIG on TCP connection

   A DNS TCP session can include multiple DNS envelopes.  This is, for
   example, commonly used by zone transfer.  Using TSIG on such a
   connection can protect the connection from hijacking and provide data
   integrity.  The TSIG MUST be included on the first and last DNS
   envelopes.  It can be optionally placed on any intermediary
   envelopes.  It is expensive to include it on every envelopes, but it
   MUST be placed on at least every 100'th envelope.

I haven't looked at BIND's handling of TSIG for AXFR in detail, so I
don't know how it handles this case, but it is the kind of tricky area
where interop bugs lurk. I haven't looked at Secure64 at all so who knows
what it does :-)

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Shannon: Cyclonic 7 to severe gale 9, becoming variable 3 or 4. Very rough or
high, becoming rough. Showers. Moderate or poor, occasionally good later.

More information about the bind-users mailing list