Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Tony Finch
Anand Buddhdev wrote:
>
> The version of BIND shipping in RedHat is old, and doesn't have this change.

This is why I don't feel guilty for making sarcastic comments about Red Hat's BIND packages :-)

Tony.
--
f.anthony.n.finch http://dotat.at/
women and men

Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Mukund Sivaraman
On Fri, Apr 06, 2018 at 02:05:39PM +0200, Anand Buddhdev wrote:
> On 06/04/2018 12:38, Tony Finch wrote:
>
> Hi Tony,
>
> > There is a weird bit in the TSIG spec, RFC 2845:
> >
> > 4.4. TSIG on TCP connection
> >
> > A DNS TCP session can include multiple DNS envelopes. This is, for

Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Anand Buddhdev
On 06/04/2018 12:38, Tony Finch wrote:

Hi Tony,

> There is a weird bit in the TSIG spec, RFC 2845:
>
> 4.4. TSIG on TCP connection
>
> A DNS TCP session can include multiple DNS envelopes. This is, for
> example, commonly used by zone transfer. Using TSIG on such a
> connection

Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Anand Buddhdev
On 06/04/2018 13:42, Mukund Sivaraman wrote:

Hi Mukund,

> I am wondering if you have a badly ported patch. Is the AXFR server of
> an NSD flavour, or more specifically, doesn't sign every DNS message in
> a TCP continuation (a sequence of DNS messages used during AXFR and
> IXFR)?

Yes, the
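
An added example for the two passages above (the RFC 2845 section 4.4 text Tony quotes, and the TCP continuation Mukund describes). It is not code from this thread, from BIND or from dig. It walks a length-prefixed TCP stream of DNS messages, reports which envelopes carry a TSIG RR, and applies the placement rule that the quoted RFC text goes on to state: a TSIG must be present on the first and the last envelope and on at least every 100th one in between. The stream, the zone name example.net., the key name xfer-key. and the MAC bytes are all constructed for the example, so it checks TSIG placement only, not MAC validity.

```python
import struct

# Added example, not code from the thread or from BIND/dig: walk a TCP DNS stream of
# the kind a zone transfer produces, report which envelopes carry a TSIG RR, and apply
# RFC 2845 section 4.4 (TSIG on the first and last envelope, and on at least every
# 100th). The sample stream is constructed here and its MAC bytes are placeholders.

TYPE_A, TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 1, 252, 250, 1, 255

def encode_name(name):
    """Dotted name -> uncompressed DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, offset):
    """Wire name (compression pointers allowed) -> (dotted name, offset after it)."""
    labels, end = [], None
    while (length := msg[offset]) != 0:
        if length & 0xC0 == 0xC0:              # pointer: follow it, remember where we were
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
        else:
            labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length
    return ".".join(labels) + ".", offset + 1 if end is None else end

def build_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_envelope(msg_id, zone, a_records, tsig_key=None, mac=b"\x11" * 32):
    """One AXFR response message; a_records is a list of (owner, 4-byte address)."""
    msg = struct.pack("!HHHHHH", msg_id, 0x8400, 1, len(a_records), 0, 1 if tsig_key else 0)
    msg += encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)
    for owner, addr in a_records:
        msg += build_rr(owner, TYPE_A, CLASS_IN, 3600, addr)
    if tsig_key:  # RDATA: alg, 48-bit time, fudge, MAC size, MAC, orig ID, error, other len
        rdata = encode_name("hmac-sha256.") + (1523000000).to_bytes(6, "big")
        rdata += struct.pack("!HH", 300, len(mac)) + mac + struct.pack("!HHH", msg_id, 0, 0)
        msg += build_rr(tsig_key, TYPE_TSIG, CLASS_ANY, 0, rdata)
    return msg

def frame_tcp(envelopes):
    """TCP framing: each message is preceded by its length as a 16-bit big-endian int."""
    return b"".join(struct.pack("!H", len(e)) + e for e in envelopes)

def split_tcp_stream(data):
    envelopes, pos = [], 0
    while pos < len(data):
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        if pos + 2 + length > len(data):
            raise ValueError("truncated DNS envelope in TCP stream")
        envelopes.append(data[pos + 2:pos + 2 + length])
        pos += 2 + length
    return envelopes

def inspect_envelope(msg):
    """Return {'id', 'answers', 'tsig'} for one message; 'tsig' is None or the parsed RR."""
    msg_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, tsig, total = 12, None, an + ns + ar
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                            # QTYPE + QCLASS
    for i in range(total):
        name, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata, offset = msg[offset + 10:offset + 10 + rdlen], offset + 10 + rdlen
        if rtype == TYPE_TSIG:                 # must be the last additional RR, class ANY
            if i != total - 1 or rclass != CLASS_ANY:
                raise ValueError("TSIG RR is not the last additional RR with class ANY")
            alg, p = decode_name(rdata, 0)
            fudge, mac_size = struct.unpack("!HH", rdata[p + 6:p + 10])
            orig_id, error = struct.unpack("!HH", rdata[p + 10 + mac_size:p + 14 + mac_size])
            tsig = {"key": name, "algorithm": alg, "fudge": fudge, "original_id": orig_id,
                    "error": error, "mac": rdata[p + 10:p + 10 + mac_size]}
    if offset != len(msg):
        raise ValueError("trailing bytes after the last RR")
    return {"id": msg_id, "answers": an, "tsig": tsig}

def check_tsig_placement(stream, max_unsigned_run=99):
    """Apply RFC 2845 s4.4 to a framed TCP stream; returns (signed flags, problems)."""
    signed = [inspect_envelope(e)["tsig"] is not None for e in split_tcp_stream(stream)]
    problems = [f"{w} envelope is unsigned" for w, i in (("first", 0), ("last", -1)) if not signed[i]]
    run = 0
    for i, flag in enumerate(signed):
        run = 0 if flag else run + 1
        if run == max_unsigned_run + 1:        # a TSIG was due on this envelope at the latest
            problems.append(f"envelope {i} is the {run}th unsigned envelope in a row")
    return signed, problems

ZONE, KEY = "example.net.", "xfer-key."      # constructed names for this example

def _envelope(n, key=None):
    return build_envelope(0x1234, ZONE, [(f"h{n}.{ZONE}", bytes([192, 0, 2, n]))], key)

SPARSE_STREAM = frame_tcp([_envelope(0, KEY)] + [_envelope(n) for n in (1, 2, 3)] + [_envelope(4, KEY)])
FULL_STREAM = frame_tcp([_envelope(n, KEY) for n in range(5)])

if __name__ == "__main__":
    print(check_tsig_placement(SPARSE_STREAM), check_tsig_placement(FULL_STREAM))
```

check_tsig_placement(SPARSE_STREAM) returns ([True, False, False, False, True], []): a transfer signed only on its first and last envelope is what a server that does not sign every message in a TCP continuation produces, and it satisfies RFC 2845, even though a client that expects a TSIG on every envelope will still notice the unsigned ones. RFC 8945, which obsoletes RFC 2845, requires a TSIG on every message of the response but keeps the receiving-side tolerance of up to 99 unsigned intermediary messages, so this placement check is the minimum a verifier still has to apply.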

Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Mukund Sivaraman
Hi Anand

On Fri, Apr 06, 2018 at 12:21:49PM +0200, Anand Buddhdev wrote:
> Hello folks,
>
> I'm on CentOS 7, which has an older version of dig from this package:
>
> # rpm -qf /usr/bin/dig
> bind-utils-9.9.4-51.el7_4.2.x86_64
>
> When I use this dig to AXFR a zone from a Secure64 DNSSEC signer

Re: dig warns that some TSIG could not be validated

2018-04-06 Thread Tony Finch
Anand Buddhdev wrote:
> ;; WARNING -- Some TSIG could not be validated
>
> While I've seen TSIG failures caused by key mismatch, or mismatched time
> between servers, I've never seen a warning like this before, about TSIG
> validation, and I don't know what it means.

You should

dig warns that some TSIG could not be validated

2018-04-06 Thread Anand Buddhdev
Hello folks,

I'm on CentOS 7, which has an older version of dig from this package:

# rpm -qf /usr/bin/dig
bind-utils-9.9.4-51.el7_4.2.x86_64

When I use this dig to AXFR a zone from a Secure64 DNSSEC signer appliance, I'm seeing this at the end of the AXFR:

;; Query time: 32899 msec
;; SERVER: