14.6. TSIG ErrorsAs we said in Chapter 11, "Security", transaction signatures require time synchronization and key synchronization (the same key on either end of the transaction, plus the same key name) to work. Here are a couple of errors that may arise if you lose time synchronization or use different keys or key names.
First, here's an error you'd see on a BIND 8 name server if you had configured TSIG but had too much clock skew between your primary master name server and a slave:
Here, your name server tried to check the serial number of the movie.edu zone on terminator.movie.edu (18.104.22.168). The response from terminator.movie.edu didn't verify because wormhole.movie.edu's clock showed a time more than 10 minutes different from the time the response was signed. The Err/TO message is just a byproduct of the failure of the TSIG-signed response to verify.Sep 27 10:47:49 wormhole named: Err/TO getting serial# for "movie.edu" Sep 27 10:47:49 wormhole named-xfer: SOA TSIG verification from server [22.214.171.124], zone movie.edu: message had BADTIME set (18)
If you use a different key name on either end of the transaction, even if the data the key name refers to is the same, you'll see an error like this one from your BIND 8 name server:
This time, the TSIG-signed response didn't check out because the verifier couldn't find a key with the name specified in the TSIG record. You'd see the same error if the key name matched but pointed to different data.Sep 27 12:02:44 wormhole named-xfer: SOA TSIG verification from server [126.96.36.199], zone movie.edu: BADKEY(-17)
As always, BIND 9 is considerably more closed-mouthed about TSIG failure, reporting only:
at debug level 3 for both of the previous scenarios.Sep 27 13:35:42.804 client 188.8.131.52#1115: query: movie.edu SOA Sep 27 13:35:42.804 client 184.108.40.206#1115: error
Copyright © 2002 O'Reilly & Associates. All rights reserved.