Bugzilla – Bug 483
Error message in case of time offset between master and slave
Last modified: 2012-12-10 15:09:47 CET
My master and slave server use TSIG for XFR transfers. TSIG is configured to use the hmac-md5 algorithm.
If there is a (larger, 15 minutes in my case) time offset between the master and the slave, this fails with the following messages:
At the master server:
 nsd: error: query tsig unknown key/algorithm
At the slave server:
 nsd: error: xfrd: zone macfreek.nl received error code REFUSED from 18.104.22.168@53
(Credits should go to Thijs Lensselink for documenting this issue at http://lenss.nl/2010/11/nsd-unknown-keyalgorithm/ and helping me track this down.)
I found this error message somewhat confusing, and wonder if it can be improved, so as to give a better indication of why this error occurred. There is clearly an error with the algorithm, but it is not unknown. The REFUSED code was also not very helpful (my first thought was a change in IP address), but I suspect that's harder to improve.
On a related note, if logs are made to a file instead of syslog, I prefer an ISO 8601-formatted timestamp in the logs, instead of a UNIX-Epoch.
(Obviously, there shouldn't be such a large time difference, but somehow NTP wasn't working in my case, and NSD was the first to fail.)
Thanks for your report. I have committed a change in our repository (NSD3 branch and trunk) that prints a better error message. Also, I found in RFC 2845 that NSD should not return REFUSED, but NOTAUTH.
The slave server will now log something like:
 nsd: error: xfrd: zone macfreek.nl received error code SERVER NOT AUTHORITATIVE FOR ZONE from 22.214.171.124@53
 nsd: error: xfrd: zone macfreek.nl, from 126.96.36.199@53: tsig error (Bad Time)
The master server will log something like:
 nsd: error: query: bad tsig (Bad Time)
Hope this is more clear.
Awesome, thanks a lot!
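Added example, not part of the original thread and not NSD's source: a sketch of the RFC 2845 TIME check behind the "Bad Time" error discussed above, returning RCODE NOTAUTH with TSIG error BADTIME when the clocks differ by more than the fudge. The function names, the log format, the timestamps and the 300-second fudge (the value RFC 2845 recommends) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from RFC 2845: RCODE NOTAUTH and TSIG extended error BADTIME. */
#define RCODE_NOERROR     0
#define RCODE_NOTAUTH     9
#define TSIG_ERR_NONE     0
#define TSIG_ERR_BADTIME 18

struct tsig_verdict {
    int rcode;       /* RCODE placed in the DNS header */
    int tsig_error;  /* Error field of the TSIG record */
    int64_t offset;  /* local clock minus Time Signed, in seconds */
};

/* TIME check: accept only if the local clock lies within
 * Time Signed +/- Fudge (both in seconds; 48-bit and 16-bit on the wire). */
struct tsig_verdict tsig_time_check(uint64_t now, uint64_t time_signed,
                                    uint16_t fudge)
{
    struct tsig_verdict v = { RCODE_NOERROR, TSIG_ERR_NONE, 0 };
    v.offset = (int64_t)now - (int64_t)time_signed;
    int64_t dist = v.offset < 0 ? -v.offset : v.offset;
    if (dist > (int64_t)fudge) {
        v.rcode = RCODE_NOTAUTH;
        v.tsig_error = TSIG_ERR_BADTIME;
    }
    return v;
}

/* Hypothetical log line that names the cause and the measured offset. */
int tsig_describe(const struct tsig_verdict *v, uint16_t fudge,
                  char *buf, size_t len)
{
    const char *what = v->tsig_error == TSIG_ERR_BADTIME
        ? "bad tsig (Bad Time)" : "tsig time ok";
    return snprintf(buf, len, "%s: clock offset %lld s, fudge %u s",
                    what, (long long)v->offset, (unsigned)fudge);
}

int main(void)
{
    char line[128];
    uint64_t signed_at = 1355000000ULL;  /* constructed timestamp */
    /* Receiver clock 15 minutes ahead, as in the report; fudge 300 s. */
    struct tsig_verdict v = tsig_time_check(signed_at + 900, signed_at, 300);
    tsig_describe(&v, 300, line, sizeof line);
    printf("rcode=%d %s\n", v.rcode, line);
    return 0;
}
```

Logging the measured offset next to the fudge points the operator at clock synchronisation rather than at the key or algorithm configuration.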