dig warns that some TSIG could not be validated

Mukund Sivaraman muks at isc.org
Fri Apr 6 12:21:32 UTC 2018

On Fri, Apr 06, 2018 at 02:05:39PM +0200, Anand Buddhdev wrote:
> On 06/04/2018 12:38, Tony Finch wrote:
> Hi Tony,
> > There is a weird bit in the TSIG spec, RFC 2845:
> > 
> >    4.4. TSIG on TCP connection
> > 
> >    A DNS TCP session can include multiple DNS envelopes.  This is, for
> >    example, commonly used by zone transfer.  Using TSIG on such a
> >    connection can protect the connection from hijacking and provide data
> >    integrity.  The TSIG MUST be included on the first and last DNS
> >    envelopes.  It can be optionally placed on any intermediary
> >    envelopes.  It is expensive to include it on every envelopes, but it
> >    MUST be placed on at least every 100'th envelope.
> > 
> > I haven't looked at BIND's handling of TSIG for AXFR in detail, so I
> > don't know how it handles this case, but it is the kind of tricky area
> > where interop bugs lurk. I haven't looked at Secure64 at all so who knows
> > what it does :-)
> I think this is exactly it. Secure64's signer is based on NSD, and it
> doesn't sign every message in a TCP AXFR.

That is valid and BIND (dig included) doesn't warn about it.

The fact that you're seeing a warning from dig means that something is
BAD.  It should be investigated. It basically means that signature
verification for a sequence of messages failed.

Please check if your BIND has change 4643 which, when fixing a TSIG
vulnerability, introduced a short-lived bug that was fixed by change


More information about the bind-users mailing list