«tsig verify failure» only on some zones

[Mark Andrews]

First thing.  Ensure that the nameservers are properly ntp synced.
This should get rid of mosr timing issues.

Secondly, for the failing zone run tcpdump on both ends and compare
the TCP payload of the packets.  They should be byte for byte
identical.  If they differ then the NAT box is fiddling with the
contents.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org