Introduction
A TSIG error reported as "server TSIG verify failure" means the DNS server received a signed update or transfer request but could not verify the signature. In practice that usually means key name drift, a wrong secret, a wrong algorithm, or enough clock skew that the signature falls outside the server's acceptance window.
Symptoms
- Dynamic DNS updates fail with TSIG verify errors
- Zone transfers between DNS servers stop working
- nsupdate or dig reports a TSIG failure even though the server is reachable
- The issue appears after key rotation or DNS server migration
Common Causes
- The client and server use different TSIG secrets
- The key name or algorithm does not match on both sides
- The server config loads a different TSIG key than expected
- Time drift breaks the TSIG validity window
Step-by-Step Fix
1. Confirm the exact key name and algorithm
   Check both sides for the same TSIG key name, including trailing dots and case sensitivity expectations. Pass the algorithm explicitly to dig so the test request is signed the way the server expects:
   dig @dns-server example.com AXFR -y hmac-sha256:keyname:base64secret
2. Compare the shared secret
   A small copy or encoding difference is enough to break TSIG verification. The key clause must carry the same name, algorithm and secret on both sides:
   key "transfer-key" {
       algorithm hmac-sha256;
       secret "base64secret";
   };
3. Check server config loading
   Ensure the DNS server actually loaded the TSIG key file you think it did:
   named-checkconf -z
   journalctl -u named -n 100
4. Verify clock alignment
   If key and algorithm match, check time drift before digging deeper:
   timedatectl
   chronyc tracking

Prevention
- Store TSIG key material in one source of truth
- Rotate TSIG keys with explicit two-sided validation
- Keep DNS peer clocks synchronized
- Test signed updates and transfers immediately after DNS config changes
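The two-sided validation recommended above, as an added example that is not part of this article: it parses the key clause from a server named.conf and a client key file, normalizes the key name the way DNS does (case-insensitive, trailing dot optional), decodes both secrets, and reports every mismatch that would surface as a verify failure. The config snippets are constructed samples, and the fudge check uses the default TSIG window of 300 seconds.

```python
import base64
import re

# Constructed samples: the client key name differs only in case and trailing dot
# (harmless), but its secret lost the trailing "=" in a copy/paste (fatal).
SERVER_CONF = '''
key "transfer-key" {
    algorithm hmac-sha256;
    secret "dGhpcy1pcy1hLXNoYXJlZC1zZWNyZXQ=";
};
'''
CLIENT_CONF = '''
key "Transfer-Key." {
    algorithm hmac-sha256;
    secret "dGhpcy1pcy1hLXNoYXJlZC1zZWNyZXQ";
};
'''

KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}')

def normalize_name(name):
    # TSIG key names are DNS names: case-insensitive, trailing dot optional
    return name.rstrip(".").lower()

def parse_keys(conf):
    """Return {normalized name: (algorithm, decoded secret or None)} per key clause."""
    keys = {}
    for name, alg, secret in KEY_RE.findall(conf):
        try:
            raw = base64.b64decode(secret, validate=True)
        except ValueError:
            raw = None  # not valid base64: the key cannot verify anywhere
        keys[normalize_name(name)] = (alg.lower(), raw)
    return keys

def compare_keys(server_conf, client_conf):
    """List the mismatches that would produce 'server TSIG verify failure'."""
    server, client = parse_keys(server_conf), parse_keys(client_conf)
    problems = []
    for name, (c_alg, c_secret) in client.items():
        if name not in server:
            problems.append(f"{name}: key name not present on server")
            continue
        s_alg, s_secret = server[name]
        if c_alg != s_alg:
            problems.append(f"{name}: algorithm {c_alg} vs {s_alg}")
        if c_secret is None or s_secret is None:
            problems.append(f"{name}: secret is not valid base64")
        elif c_secret != s_secret:
            problems.append(f"{name}: shared secret differs")
    return problems

def within_fudge(client_time, server_time, fudge=300):
    """A TSIG signature is accepted only if its signing time is within +/- fudge seconds."""
    return abs(client_time - server_time) <= fudge
```

Run compare_keys against the real server and client snippets after every rotation; an empty list means name, algorithm and secret agree, and any remaining failure points at clock skew or the server loading a different key file.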