I was testing TSIG with a well-known key against TLD servers and got the following response.  Once you get past the bad class field (reported to the operator) there were a number of other items:

* the tsig name does not match the request.
* the algorithm doesn’t match the algorithm in the request.
* time signed is not set.
* the fudge value is zero.

Should these match the request / be set for BADKEY?

Mark

% dig alstom. @195.253.64.11 soa -y xxxx:AAAA
14-Sep-2018 08:41:34.347 the key 'xxxx' is too short to be secure
;; Warning: Message parser reports malformed message packet.
;; Couldn't verify signature: not implemented

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> alstom. @195.253.64.11 soa -y xxxx:AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTAUTH, id: 56054
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;alstom.                                IN      SOA

;; TSIG PSEUDOSECTION:
.                       0       IN      TSIG    \# 17 0000000000000000000000DAF600110000

;; Query time: 566 msec
;; SERVER: 195.253.64.11#53(195.253.64.11)
;; WHEN: Fri Sep 14 08:41:34 AEST 2018
;; MSG SIZE  rcvd: 63
;; WARNING -- Some TSIG could not be validated

% 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
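The four items Mark lists can be checked mechanically from the `\# 17` RDATA that dig printed. The following Python is an added example, not code from the post or from ISC: it decodes the 17 RDATA bytes using the TSIG wire layout from RFC 8945 (algorithm name, 48-bit time signed, fudge, MAC size and MAC, original ID, error, other data) and then compares the result against what the request carried. The key name `xxxx` and the message ID 56054 are taken from the post; the request algorithm `hmac-md5.sig-alg.reg.int` is an assumption (dig's default when `-y` is given without an algorithm prefix).

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# TSIG error (RCODE) values from RFC 8945, section 3.2
TSIG_ERRORS = {0: "NOERROR", 16: "BADSIG", 17: "BADKEY", 18: "BADTIME", 22: "BADTRUNC"}

# The 17 RDATA bytes dig printed in the post (\# 17 ...), and the TSIG owner name.
RESPONSE_TSIG_HEX = "0000000000000000000000DAF600110000"
RESPONSE_TSIG_OWNER = "."

# What the request carried: key name and message ID from the post; the algorithm
# is an ASSUMPTION (dig's default for -y with no explicit algorithm prefix).
REQUEST_KEY_NAME = "xxxx."
REQUEST_ALGORITHM = "hmac-md5.sig-alg.reg.int."   # assumed
REQUEST_ID = 56054


@dataclass
class TsigRdata:
    algorithm: str
    time_signed: int
    fudge: int
    mac: bytes
    original_id: int
    error: int
    other: bytes


def parse_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode an uncompressed wire-format DNS name starting at off."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in TSIG RDATA")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def parse_tsig_rdata(rdata: bytes) -> TsigRdata:
    """Parse TSIG RDATA (RFC 8945 section 4.2), rejecting short or trailing data."""
    alg, off = parse_name(rdata, 0)
    if len(rdata) - off < 10:
        raise ValueError("truncated TSIG fixed fields")
    # time signed is 48 bits: 16-bit high part followed by 32-bit low part
    time_hi, time_lo, fudge, mac_size = struct.unpack("!HIHH", rdata[off:off + 10])
    off += 10
    mac = rdata[off:off + mac_size]
    if len(mac) != mac_size:
        raise ValueError("MAC shorter than MAC size")
    off += mac_size
    if len(rdata) - off < 6:
        raise ValueError("truncated TSIG trailer")
    original_id, error, other_len = struct.unpack("!HHH", rdata[off:off + 6])
    off += 6
    other = rdata[off:off + other_len]
    if len(other) != other_len or off + other_len != len(rdata):
        raise ValueError("bad other-data length")
    return TsigRdata(alg, (time_hi << 32) | time_lo, fudge, mac, original_id, error, other)


def _canon(name: str) -> str:
    """Lower-case and add a trailing dot so names compare as DNS names do."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def check_error_response(owner: str, rd: TsigRdata, req_key: str,
                         req_alg: str, req_id: int) -> List[str]:
    """List the fields of an unsigned TSIG error response that do not line up with the request."""
    issues = []
    if rd.error not in TSIG_ERRORS:
        issues.append(f"unknown TSIG error {rd.error}")
    if _canon(owner) != _canon(req_key):
        issues.append(f"key name {owner!r} does not match request key {req_key!r}")
    if _canon(rd.algorithm) != _canon(req_alg):
        issues.append(f"algorithm {rd.algorithm!r} does not match request algorithm {req_alg!r}")
    if rd.time_signed == 0:
        issues.append("time signed is zero")
    if rd.fudge == 0:
        issues.append("fudge is zero")
    if rd.original_id != req_id:
        issues.append(f"original ID {rd.original_id} does not match request ID {req_id}")
    return issues


def analyse_post_response() -> Tuple[TsigRdata, List[str]]:
    """Decode the RDATA from the post and run the consistency checks against the request."""
    rd = parse_tsig_rdata(bytes.fromhex(RESPONSE_TSIG_HEX))
    return rd, check_error_response(RESPONSE_TSIG_OWNER, rd, REQUEST_KEY_NAME,
                                    REQUEST_ALGORITHM, REQUEST_ID)


if __name__ == "__main__":
    rd, issues = analyse_post_response()
    print(f"error={TSIG_ERRORS.get(rd.error, rd.error)} original_id={rd.original_id} "
          f"algorithm={rd.algorithm} time_signed={rd.time_signed} fudge={rd.fudge}")
    for issue in issues:
        print("-", issue)
```

Run against the bytes from the post, the decoder yields algorithm `.`, time signed 0, fudge 0, an empty MAC, original ID 56054 and error 17 (BADKEY). The original ID does match the header ID in the response, so that field was filled in correctly; the checker reports exactly the four mismatches Mark lists, which is what a receiver would want to log rather than silently accept when the TSIG on an error response cannot be verified.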
