XFRIN/TSIG fails from NSD (primary) server: TSIG verify fail: FORMERR

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Sat Sep 1 16:14:31 UTC 2012


At Sat, 01 Sep 2012 15:45:56 +0200,
"Christian 'wiwi' Wittenhorst" <wiwi at progon.net> wrote:

> [b10-xfrin.xfrin] XFRIN_XFR_TRANSFER_PROTOCOL_ERROR AXFR transfer of 
> zone as34288.net/IN with 81.94.123.20:53 failed: TSIG verify fail: FORMERR
> 
> Can someone lead me in the right direction?

According to the source code, the only reason TSIG verify could result
in FORMERR is this:

    // This case happens when we sent a signed request and have received an
    // unsigned response.  According to RFC2845 Section 4.6 this case should be
    // considered a "format error" (although the specific error code
    // wouldn't matter much for the caller).
    if (record == NULL) {
        return (impl_->postVerifyUpdate(TSIGError::FORMERR(), NULL, 0));
    }

that is, at least from BIND 10's perspective, b10-xfrin sent an AXFR
request with TSIG but it received a response without any TSIG
record.

If it's an experimental setup, I'd first try to remove the TSIG
configuration and see if it works.  I'd also check whether there's any
TSIG related error logged at the primary (NSD) side.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
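
As an added example (not part of the original message or of the BIND 10 source): a small Python check of whether a DNS response in wire format carries a TSIG record as the last RR of its additional section, which is the condition behind the FORMERR path quoted above. The sample messages, the key name `xfr-key` and the zone `example.org` are constructed for illustration.

```python
import struct

TSIG_TYPE = 250  # RR type code for TSIG

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def last_rr_is_tsig(msg):
    """True if the final RR of the additional section is a TSIG record."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    rrtype = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    return ar > 0 and rrtype == TSIG_TYPE

def classify(request_signed, response):
    """Signed request plus unsigned response is the FORMERR case quoted above."""
    if request_signed and not last_rr_is_tsig(response):
        return "FORMERR"
    return "TSIG_PRESENT" if last_rr_is_tsig(response) else "UNSIGNED_OK"

# --- constructed sample messages (not captured traffic) ---
def name(n):
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\0"

def response(with_tsig):
    soa = name("ns.example.org") + name("admin.example.org") + struct.pack("!5I", 1, 3600, 600, 86400, 300)
    msg = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, int(with_tsig))
    msg += name("example.org") + struct.pack("!HH", 252, 1)  # AXFR question
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(soa)) + soa
    if with_tsig:  # dummy all-zero MAC: presence is checked, not validity
        rd = name("hmac-sha256") + bytes(6) + struct.pack("!HH", 300, 32) + bytes(32) + struct.pack("!HHH", 0x1234, 0, 0)
        msg += name("xfr-key") + struct.pack("!HHIH", 250, 255, 0, len(rd)) + rd
    return msg

if __name__ == "__main__":
    print(classify(True, response(with_tsig=False)))  # the case in this thread
    print(classify(True, response(with_tsig=True)))
```

When feeding it bytes taken from a TCP capture of the transfer, strip the two-byte length prefix that precedes each DNS message on TCP. The check only establishes that a TSIG record is present; it does not verify the MAC.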

