Hi Anand

On Fri, Apr 06, 2018 at 12:21:49PM +0200, Anand Buddhdev wrote:
> Hello folks,
>
> I'm on CentOS 7, which has an older version of dig from this package:
>
> # rpm -qf /usr/bin/dig
> bind-utils-9.9.4-51.el7_4.2.x86_64
>
> When I use this dig to AXFR a zone from a Secure64 DNSSEC signer
> appliance, I'm seeing this at the end of the AXFR:
>
> ;; Query time: 32899 msec
> ;; SERVER: 193.0.7.194#53(193.0.7.194)
> ;; WHEN: Fri Apr 06 09:36:38 UTC 2018
> ;; XFR size: 73829 records (messages 295, bytes 4801484)
> ;; WARNING -- Some TSIG could not be validated
>
> While I've seen TSIG failures caused by key mismatch, or mismatched time
> between servers, I've never seen a warning like this before, about TSIG
> validation, and I don't know what it means.
>
> I can't see anything strange with the AXFR. I would appreciate it if one
> of the BIND developers could explain what this warning means, and
> whether it is something to be worried about.
I am wondering if you have a badly ported patch. Is the AXFR server of an
NSD flavour, or more specifically, doesn't sign every DNS message in a TCP
continuation (a sequence of DNS messages used during AXFR and IXFR)?

An AXFR can use multiple DNS messages for the transfer. The dig warning
above means that some of those messages could not be validated. It may be
due to a short-lived BIND bug. Check if the version of BIND you're using
has this change:

4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
			message sequences where not all the messages
			contain TSIG records. These may be used in AXFR
			and IXFR responses. [RT #45509]

Mukund
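To show why a transfer can still be fully validated when not every envelope carries a TSIG record, here is an added example (not code from the thread or from BIND) that models the running-MAC chaining of a TSIG-signed TCP message sequence: every unsigned envelope is fed into the next MAC, so a verifier that forgets to carry those envelopes into the digest ends up with envelopes it cannot validate. The key, request MAC and envelope bytes are constructed, and the digest is simplified (real TSIG also covers the TSIG timers and variables and strips the TSIG RR before hashing).

```python
import hashlib
import hmac

# Constructed sample secret and request MAC; not values from the thread.
KEY = b"constructed-tsig-secret"
REQUEST_MAC = hashlib.sha256(b"constructed AXFR request").digest()


def running_mac(prior_mac, envelopes, key=KEY):
    """MAC over the prior MAC plus every envelope since the last signed one
    (simplified: real TSIG also digests timers/variables, minus the TSIG RR)."""
    h = hmac.new(key, prior_mac, hashlib.sha256)
    for env in envelopes:
        h.update(env)
    return h.digest()


def sign_sequence(envelopes, sign_every=3, key=KEY):
    """Server side: [(envelope, mac or None)]. Only the first, the last and
    every sign_every-th envelope carry a MAC; the others are still covered
    because they are fed into the next MAC."""
    out, prior, pending = [], REQUEST_MAC, []
    for i, env in enumerate(envelopes):
        pending.append(env)
        if i == 0 or i == len(envelopes) - 1 or i % sign_every == 0:
            prior = running_mac(prior, pending, key)
            out.append((env, prior))
            pending = []
        else:
            out.append((env, None))
    return out


def verify_sequence(signed, chain_unsigned=True, key=KEY):
    """Client side; returns how many envelopes could not be validated (0 means
    the whole transfer checks out). chain_unsigned=True carries unsigned
    envelopes into the next MAC check; chain_unsigned=False digests only the
    signed envelope, a constructed illustration of one way a verifier breaks
    (not a description of the actual BIND change)."""
    prior, pending, unvalidated = REQUEST_MAC, [], 0
    for env, mac in signed:
        pending.append(env)
        if mac is None:
            continue
        digested = pending if chain_unsigned else [env]
        if not hmac.compare_digest(running_mac(prior, digested, key), mac):
            unvalidated += len(pending)
        prior = mac          # keep the chain aligned with what the server sent
        pending = []
    return unvalidated + len(pending)  # trailing envelopes after the last TSIG
```

A truncated transfer (unsigned envelopes after the last TSIG) and a modified unsigned envelope both show up as unvalidated envelopes, which is the condition dig reports with the warning above.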