dig warns that some TSIG could not be validated

Anand Buddhdev anandb at ripe.net
Fri Apr 6 12:03:24 UTC 2018

On 06/04/2018 13:42, Mukund Sivaraman wrote:

Hi Mukund,

> I am wondering if you have a badly ported patch. Is the AXFR server of
> an NSD flavour, or more specifically, doesn't sign every DNS message in
> a TCP continuation (a sequence of DNS messages used during AXFR and
> IXFR)?

Yes, the Secure64 DNSSEC signer appliance is NSD with their custom
signing code. So the AXFR is provided by NSD and it doesn't sign every

> An AXFR can use multiple DNS messages for the transfer. The dig warning
> above means that some of those messages could not be validated.

Got it.

> It may be due to a short-lived BIND bug. Check if the version of BIND
> you're using has this change:
> 4647.   [bug]           Change 4643 broke verification of TSIG signed TCP
> 			message sequences where not all the messages contain
>                         TSIG records.  These may be used in AXFR and IXFR
> 			responses. [RT #45509]

The version of BIND shipping in RedHat is old, and doesn't have this change.

But this isn't a problem because the production servers we are running
are all on the latest BIND 9.11 release. It's just the version of "dig"
that is this old.

So I'm now satisfied that it's not an operational problem to worry
about. Phew :) Thank you for providing this detailed answer.


More information about the bind-users mailing list