dig warns that some TSIG could not be validated

Mukund Sivaraman muks at isc.org
Fri Apr 6 11:42:13 UTC 2018


Hi Anand

On Fri, Apr 06, 2018 at 12:21:49PM +0200, Anand Buddhdev wrote:
> Hello folks,
> 
> I'm on CentOS 7, which has an older version of dig from this package:
> 
> # rpm -qf /usr/bin/dig
> bind-utils-9.9.4-51.el7_4.2.x86_64
> 
> When I use this dig to AXFR a zone from a Secure64 DNSSEC signer
> appliance, I'm seeing this at the end of the AXFR:
> 
> ;; Query time: 32899 msec
> ;; SERVER: 193.0.7.194#53(193.0.7.194)
> ;; WHEN: Fri Apr 06 09:36:38 UTC 2018
> ;; XFR size: 73829 records (messages 295, bytes 4801484)
> ;; WARNING -- Some TSIG could not be validated
> 
> While I've seen TSIG failures caused by key mismatch, or mismatched time
> between servers, I've never seen a warning like this before, about TSIG
> validation, and I don't know what it means.
> 
> I can't see anything strange with the AXFR. I would appreciate it if one
> of the BIND developers could explain what this warning means, and
> whether it is something to be worried about.

I am wondering if you have a badly ported patch. Is the AXFR server of
an NSD flavour, or more specifically, doesn't sign every DNS message in
a TCP continuation (a sequence of DNS messages used during AXFR and
IXFR)?

An AXFR can use multiple DNS messages for the transfer. The dig warning
above means that some of those messages could not be validated.

It may be due to a short-lived BIND bug. Check if the version of BIND
you're using has this change:

4647.   [bug]           Change 4643 broke verification of TSIG signed TCP
                        message sequences where not all the messages contain
                        TSIG records.  These may be used in AXFR and IXFR
                        responses. [RT #45509]

		Mukund
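The rule that lets a mixed signed/unsigned TCP sequence still be verified is the running MAC from the TSIG-on-TCP section of RFC 2845/8945: each signed envelope covers the previous MAC plus every unsigned envelope sent since it, and the last envelope must be signed. The following is an added Python model of that check, not code from BIND or dig; the digest input is simplified to the prior MAC, the messages and the timers, and the key, timer values and message bodies are constructed samples.

```python
import hashlib
import hmac

# Constructed shared secret and timer fields (48-bit time signed, 16-bit fudge).
KEY = b"constructed-example-secret"
TIMERS = (1523014598).to_bytes(6, "big") + (300).to_bytes(2, "big")

def _lp(mac: bytes) -> bytes:
    # MACs enter the digest length-prefixed, as in the TSIG wire format.
    return len(mac).to_bytes(2, "big") + mac

def sign_first(request_mac: bytes, msg: bytes) -> bytes:
    # First envelope of a signed TCP sequence: covers the request MAC, the
    # message and the timers (real TSIG also covers key name, algorithm, etc.).
    return hmac.new(KEY, _lp(request_mac) + msg + TIMERS, hashlib.sha256).digest()

def sign_continuation(prior_mac: bytes, unsigned: list, msg: bytes) -> bytes:
    # A later signed envelope covers the prior MAC, every unsigned envelope
    # sent since it, this envelope, and the timers.
    data = _lp(prior_mac) + b"".join(unsigned) + msg + TIMERS
    return hmac.new(KEY, data, hashlib.sha256).digest()

def build_transfer(request_mac: bytes, msgs: list, signed_idx: set) -> list:
    """Server side: emit (msg, mac-or-None) envelopes, signing only signed_idx."""
    out, running, pending = [], request_mac, []
    for i, m in enumerate(msgs):
        if i not in signed_idx:
            out.append((m, None))
            pending.append(m)
            continue
        mac = sign_first(running, m) if i == 0 else sign_continuation(running, pending, m)
        out.append((m, mac))
        running, pending = mac, []
    return out

def verify_sequence(request_mac: bytes, envelopes: list) -> bool:
    """Client side (what dig does): True only if the first envelope is signed,
    every MAC verifies over the unsigned envelopes it covers, and the last
    envelope is signed. Anything else is 'Some TSIG could not be validated'."""
    running, pending = request_mac, []
    for i, (msg, mac) in enumerate(envelopes):
        if mac is None:
            if i == 0:
                return False  # first envelope must carry a TSIG
            pending.append(msg)
            continue
        expected = sign_first(running, msg) if i == 0 else sign_continuation(running, pending, msg)
        if not hmac.compare_digest(expected, mac):
            return False
        running, pending = mac, []
    return not pending  # unsigned envelopes after the last TSIG cannot be validated
```

A transfer that signs only the first and last envelopes verifies, a tampered unsigned envelope in the middle is caught by the next MAC, and a transfer whose final envelope is unsigned is reported as not validated.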
