Hi,

At least with a recent version, if it is a time sync issue, nsd will do a specific log msg that.

Laura, can you send over the actual configuration? (maybe replacing the key with a placeholder or rotating the keys afterwards)
It sounds strange if nsd checks tsig on the notify, but allows xfr without it.

Regards,
Tamás

May 16, 2024 16:14:59 Anand Buddhdev via nsd-users <nsd-users@lists.nlnetlabs.nl>:

> Hi Laura,
>
> TSIG failures can occur if the time on the client and server differs by more
> than 5 minutes. Perhaps the time on one of the systems (likely the primary)
> is wrong by more than 5 minutes.
>
> Regards,
> Anand
>
> On Thu, 16 May 2024 at 10:41, n5d9xq3ti233xiyif2vp--- via nsd-users
> <nsd-users@lists.nlnetlabs.nl> wrote:
>> Could someone kindly explain what "query: bad tsig signature for key" means
>> and how to fix it?
>>
>> I have quadruple checked (a) tsig key matches both sides (b) tsig algo
>> matches both sides.
>>
>> Primary is PowerDNS 4.9.0 (from the PowerDNS repo)
>> Secondaries are NSD 4.6.1 (from Debian Bookworm distro repo)
>>
>> The secondaries do not receive notifies from primary, instead posting the
>> above error to logs. So they are currently relying on SOA pull refresh
>> behaviour.
>>
>> Setting "verbosity:2" in nsd.conf has absolutely zero effect. It produces
>> zero extra detail in logs.
>>
>> Thanks!
>>
>> Laura
>>
>> _______________________________________________
>> nsd-users mailing list
>> nsd-users@lists.nlnetlabs.nl
>> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
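An added example, not part of the thread and not NSD or PowerDNS code: the clock-skew check discussed above, applied to the TSIG record of a captured NOTIFY. It decodes the TSIG RDATA fields (layout per RFC 8945) and compares Time Signed against the receiver's clock; the sample record, its timestamp and the 300-second fudge are constructed values.

```python
import struct

def read_name(buf, pos):
    """Read an uncompressed wire-format name; return (text, next_pos)."""
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", pos
        if n > 63:
            raise ValueError("compressed or invalid label in algorithm name")
        labels.append(buf[pos:pos + n].decode("ascii").lower())
        pos += n

def parse_tsig_rdata(rdata):
    """Decode the fixed fields of TSIG RDATA (layout per RFC 8945)."""
    algorithm, pos = read_name(rdata, 0)
    # Time Signed is 48 bits (16 high + 32 low), then Fudge and MAC Size.
    hi, lo, fudge, mac_size = struct.unpack_from("!HIHH", rdata, pos)
    pos += 10
    mac = rdata[pos:pos + mac_size]
    if len(mac) != mac_size:
        raise ValueError("truncated MAC")
    orig_id, error, other_len = struct.unpack_from("!HHH", rdata, pos + mac_size)
    return {"algorithm": algorithm, "time_signed": (hi << 32) | lo,
            "fudge": fudge, "mac": mac, "original_id": orig_id,
            "error": error, "other_len": other_len}

def check_time(tsig, now):
    """Return (within_window, skew); skew > 0 when the receiver's clock is ahead of Time Signed."""
    skew = now - tsig["time_signed"]
    return abs(skew) <= tsig["fudge"], skew

def build_sample(time_signed, fudge=300):
    """Constructed TSIG RDATA for the demo: hmac-sha256 with a 32-byte dummy MAC."""
    return (b"\x0bhmac-sha256\x00"
            + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 32)
            + bytes(32)
            + struct.pack("!HHH", 0x1234, 0, 0))

SAMPLE_TIME = 1715868899  # constructed timestamp, not taken from the thread
SAMPLE = parse_tsig_rdata(build_sample(SAMPLE_TIME))

if __name__ == "__main__":
    for drift in (0, 299, 301, -400):
        ok, skew = check_time(SAMPLE, SAMPLE_TIME + drift)
        print(f"receiver clock {drift:+5d}s: skew={skew:+d}s fudge={SAMPLE['fudge']}s "
              f"-> {'accept' if ok else 'reject (time)'}")
```

If the skew is inside the fudge window and the signature still fails, the clocks are not the cause and the key name, secret and algorithm on both sides are the next things to compare.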