dig warns that some TSIG could not be validated
Tony Finch
dot at dotat.at
Fri Apr 6 10:38:53 UTC 2018
Anand Buddhdev <anandb at ripe.net> wrote:
> ;; WARNING -- Some TSIG could not be validated
>
> While I've seen TSIG failures caused by key mismatch, or mismatched time
> between servers, I've never seen a warning like this before, about TSIG
> validation, and I don't know what it means.
You should find some comments in the output like:
;; Couldn't verify signature: ...
which might explain a bit more.
There is a weird bit in the TSIG spec, RFC 2845:
    4.4. TSIG on TCP connection

    A DNS TCP session can include multiple DNS envelopes. This is, for
    example, commonly used by zone transfer. Using TSIG on such a
    connection can protect the connection from hijacking and provide data
    integrity. The TSIG MUST be included on the first and last DNS
    envelopes. It can be optionally placed on any intermediary
    envelopes. It is expensive to include it on every envelopes, but it
    MUST be placed on at least every 100'th envelope.
I haven't looked at BIND's handling of TSIG for AXFR in detail, so I
don't know how it handles this case, but it is the kind of tricky area
where interop bugs lurk. I haven't looked at Secure64 at all so who knows
what it does :-)
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Shannon: Cyclonic 7 to severe gale 9, becoming variable 3 or 4. Very rough or
high, becoming rough. Showers. Moderate or poor, occasionally good later.
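As an added example (not part of Tony's message, BIND, or Secure64 code), here is a small checker for the envelope-placement rule quoted above from RFC 2845 section 4.4, together with a sender-side planner that satisfies it. The function names and the one-boolean-per-envelope representation are assumptions for illustration; a real receiver would derive the flags from the TSIG RR in each message's additional section.

```python
# Added example: check a TCP stream of DNS envelopes (e.g. an AXFR) against
# the TSIG placement rule of RFC 2845 section 4.4: TSIG on the first and
# last envelope, and on at least every 100th envelope in between.
from typing import Iterable, List

# "At least every 100'th envelope" allows at most 99 unsigned envelopes
# between two signed ones (envelope 0 signed, envelopes 1..99 unsigned,
# envelope 100 signed).
MAX_UNSIGNED_RUN = 99


def check_tsig_placement(signed: Iterable[bool]) -> List[str]:
    """Return a list of problems; an empty list means the sequence conforms.

    signed[i] is True when envelope i carried a TSIG RR (assumed input
    representation; constructed for this example).
    """
    flags = list(signed)
    problems: List[str] = []
    if not flags:
        return ["empty stream: no envelopes at all"]
    if not flags[0]:
        problems.append("envelope 0 (first) lacks TSIG")
    if not flags[-1]:
        problems.append(f"envelope {len(flags) - 1} (last) lacks TSIG")
    run = 0  # consecutive unsigned envelopes seen so far
    for i, has_tsig in enumerate(flags):
        if has_tsig:
            run = 0
            continue
        run += 1
        if run == MAX_UNSIGNED_RUN + 1:  # report each over-long gap once
            problems.append(
                f"more than {MAX_UNSIGNED_RUN} consecutive unsigned "
                f"envelopes ending at envelope {i}"
            )
    return problems


def plan_tsig_placement(n_envelopes: int, every: int = 100) -> List[bool]:
    """Sender-side policy (assumed, not BIND's): sign the first envelope,
    every `every`-th envelope after it, and always the last one."""
    if n_envelopes <= 0:
        return []
    flags = [i % every == 0 for i in range(n_envelopes)]
    flags[-1] = True
    return flags


if __name__ == "__main__":
    # Constructed sample: a 250-envelope transfer signed per the planner.
    print(check_tsig_placement(plan_tsig_placement(250)))  # -> []
```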