It wasn't time sync. In the end I discovered that there is apparently such a thing as a minimum tsig key length?
My original key was generated using "openssl rand -base64 32". I generated a new key with pdnsutil from PowerDNS instead (pdnsutil generate-tsig-key mykey hmac-sha256) and everything started working. The output from pdnsutil was longer, I didn't check the size, but it was visibly longer than the openssl output.

On Friday, 17 May 2024 at 07:34, cstamas+nsd--- via nsd-users <nsd-users@lists.nlnetlabs.nl> wrote:

> hi,
>
> At least with a recent version if it is a time sync issue nsd will do a
> specific log msg that.
>
> Laura,
> can you send over the actual configuration?
> (maybe replacing the key with a placeholder or rotating the keys afterwards)
>
> It sounds strange if nsd checks tsig on the notify, but allow xfr without it.
>
> Regards,
> Tamás
>
> May 16, 2024 16:14:59 Anand Buddhdev via nsd-users
> nsd-users@lists.nlnetlabs.nl:
>
> > Hi Laura,
> >
> > TSIG failures can occur if the time on the client and server differs by
> > more than 5 minutes. Perhaps the time on one of the systems (likely the
> > primary) is wrong by more than 5 minutes.
> >
> > Regards,
> > Anand
> >
> > On Thu, 16 May 2024 at 10:41, n5d9xq3ti233xiyif2vp--- via nsd-users
> > nsd-users@lists.nlnetlabs.nl wrote:
> >
> > > Could someone kindly explain what "query: bad tsig signature for key"
> > > means and how to fix it?
> > >
> > > I have quadruple checked (a) tsig key matches both sides (b) tsig algo
> > > matches both sides.
> > >
> > > Primary is PowerDNS 4.9.0 (from the PowerDNS repo)
> > > Secondaries are NSD 4.6.1 (from Debian Bookworm distro repo)
> > >
> > > The secondaries do not receive notifies from primary, instead posting the
> > > above error to logs. So they are currently relying on SOA pull refresh
> > > behaviour.
> > >
> > > Setting "verbosity:2" in nsd.conf has absolutely zero effect. It produces
> > > zero extra detail in logs.
> > >
> > > Thanks!
> > >
> > > Laura
> > >
> > > _______________________________________________
> > > nsd-users mailing list
> > > nsd-users@lists.nlnetlabs.nl
> > > https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
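
Added example, not part of the thread and not code from NSD or PowerDNS: a way to measure what the message above left unmeasured, the decoded size of a base64 TSIG secret, and to confirm that the strings configured on primary and secondary decode to the same key bytes. The function names and sample keys are constructed for illustration, and the digest-size comparison is only a reference point; it does not establish what minimum, if any, either server enforces.

```python
import base64
import binascii
import hashlib
import hmac

# HMAC output sizes in bytes, used only as a reference point for comparison.
DIGEST_BYTES = {"hmac-sha1": 20, "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}


def decode_secret(b64_secret):
    """Return the raw key bytes, or None if the text is not valid base64."""
    text = "".join(b64_secret.split())  # drop spaces/newlines picked up by copy-paste
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def describe_secret(b64_secret, algorithm="hmac-sha256"):
    """Report the decoded key size next to the digest size of the algorithm."""
    raw = decode_secret(b64_secret)
    if raw is None:
        return {"valid": False}
    digest = DIGEST_BYTES[algorithm]
    return {"valid": True, "key_bytes": len(raw), "digest_bytes": digest,
            "shorter_than_digest": len(raw) < digest}


def same_secret(primary_b64, secondary_b64):
    """True only if both configured strings decode to identical key bytes."""
    a, b = decode_secret(primary_b64), decode_secret(secondary_b64)
    return a is not None and b is not None and hmac.compare_digest(a, b)


def sample_mac(b64_secret, data, digestmod=hashlib.sha256):
    """HMAC over arbitrary bytes (not a real TSIG MAC, which covers the DNS message)."""
    return hmac.new(decode_secret(b64_secret), data, digestmod).hexdigest()


# Constructed sample keys (not real secrets): 32 and 64 decoded bytes.
KEY_32 = base64.b64encode(bytes(range(32))).decode()
KEY_64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    for name, key in (("32-byte", KEY_32), ("64-byte", KEY_64), ("damaged", KEY_32[:-3])):
        print(name, describe_secret(key))
    print("match despite stray newline:", same_secret(KEY_32, KEY_32 + "\n"))
    print("MACs agree for different keys:",
          sample_mac(KEY_32, b"notify") == sample_mac(KEY_64, b"notify"))
```

Running the same check against the secret as stored on each server shows whether a truncated or altered copy, rather than the algorithm or the clock, is what makes the two sides compute different MACs.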