Bug 483 - Error message in case of time offset between master and slave
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 3.2.x
Hardware: i386 Linux
Importance: P5 minor
Assigned To: NSD team
Reported: 2012-12-03 09:02 CET by Freek Dijkstra
Modified: 2012-12-10 15:09 CET
Description Freek Dijkstra 2012-12-03 09:02:47 CET
My master and slave server use TSIG for XFR transfers. TSIG is configured to use the hmac-md5 algorithm.

If there is a (larger, 15 minutes in my case) time offset between the master and the slave, this fails with the following messages:

At the master server:
 [1354482883] nsd[24992]: error: query tsig unknown key/algorithm

At the slave server:
 [1354482239] nsd[23558]: error: xfrd: zone macfreek.nl received error code REFUSED from 145.99.1.69@53

(Credits should go to Thijs Lensselink for documenting this issue at http://lenss.nl/2010/11/nsd-unknown-keyalgorithm/ and helping me track this down.)

I found this error message somewhat confusing, and wonder if it can be improved, so as to give a better indication why this error occurred. There is clearly an error with the algorithm, but it is not unknown. The REFUSED code was also not very helpful (my first thought was a change in IP address), but I suspect that's harder to improve.

On a related note, if logs are made to a file instead of syslog, I prefer an ISO 8601-formatted timestamp in the logs, instead of a UNIX epoch.
Comment 1 Freek Dijkstra 2012-12-03 09:04:40 CET
(Obviously, there shouldn't be such a large time difference, but somehow NTP wasn't working in my case, and NSD was the first to fail)
Comment 2 Matthijs Mekking 2012-12-10 15:02:32 CET
Hi Freek,

Thanks for your report. I have committed a change in our repository (NSD3 branch and trunk) that prints a better error message. Also, I found in RFC 2845 that NSD should not return REFUSED, but NOTAUTH.

The slave server will now log something like:

[1354482239] nsd[23558]: error: xfrd: zone macfreek.nl received error code SERVER NOT AUTHORITATIVE FOR ZONE from 145.99.1.69@53
[1354482239] nsd[23558]: error: xfrd: zone macfreek.nl, from 145.99.1.69@53: tsig error (Bad Time)

The master server will log something like:

[1354482883] nsd[24992]: error: query: bad tsig (Bad Time)

Hope this is more clear.
Comment 3 Freek Dijkstra 2012-12-10 15:09:47 CET
Awesome, thanks a lot!
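
The time check that RFC 2845 prescribes (the verifier's clock must lie within Time Signed plus or minus Fudge, otherwise RCODE NOTAUTH with TSIG error BADTIME), as an added Python example that is not NSD's code and not part of the original report. Assumptions: the two epoch timestamps from the logs above are taken as the slave's and master's clocks at the same moment, the fudge is set to 300 seconds, and all helper names are hypothetical.

```python
import struct
from datetime import datetime, timezone

NOTAUTH = 9    # DNS RCODE for a failed TSIG check (RFC 2845)
BADTIME = 18   # TSIG error: verifier clock outside Time Signed +/- Fudge

def skip_name(rdata, off=0):
    """Skip an uncompressed wire-format name; return the offset after it."""
    while rdata[off] != 0:
        off += 1 + rdata[off]
    return off + 1

def parse_time_fields(rdata):
    """TSIG RDATA starts: algorithm name, 48-bit Time Signed, 16-bit Fudge."""
    off = skip_name(rdata)
    hi, lo, fudge = struct.unpack_from("!HIH", rdata, off)
    return (hi << 32) | lo, fudge

def check_time(rdata, now):
    """Return (rcode, tsig_error, skew_seconds) for a verifier clock `now`."""
    time_signed, fudge = parse_time_fields(rdata)
    skew = now - time_signed
    if abs(skew) > fudge:
        return NOTAUTH, BADTIME, skew
    return 0, 0, skew

def iso8601(epoch):
    """Render an epoch log timestamp as ISO 8601 (UTC)."""
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%SZ")

def wire_name(name):
    """Encode a dotted name as length-prefixed labels."""
    labels = name.split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"

# Constructed sample: leading TSIG RDATA fields as signed by the slave.
SLAVE_CLOCK = 1354482239    # epoch from the slave's log line (assumed clock)
MASTER_CLOCK = 1354482883   # epoch from the master's log line (assumed clock)
FUDGE = 300                 # assumed fudge value, in seconds
SAMPLE = wire_name("hmac-md5.sig-alg.reg.int") + struct.pack(
    "!HIH", SLAVE_CLOCK >> 32, SLAVE_CLOCK & 0xFFFFFFFF, FUDGE)

if __name__ == "__main__":
    rcode, err, skew = check_time(SAMPLE, MASTER_CLOCK)
    print(iso8601(SLAVE_CLOCK), iso8601(MASTER_CLOCK), rcode, err, skew)
```

A skew larger than the fudge points at clock synchronisation (NTP) rather than at the key or algorithm configuration.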