DNS 9 NOTAUTH vs 18 BADTIME
Both DNS 9 (NOTAUTH) and 18 (BADTIME) belong to the DNS Response Codes (RCODEs) category. 9 indicates that server Not Authoritative for zone, or Not Authorized. The server is not authoritative for the zone named in the Zone section. Meanwhile, 18 means that signature out of time window. The TSIG signature timestamp is outside the allowed clock skew, indicating a time synchronization issue.
설명
Server Not Authoritative for zone, or Not Authorized. The server is not authoritative for the zone named in the Zone section.
이 코드를 보게 되는 경우
You sent a dynamic update or zone operation to a server that is not the authoritative master for that zone, or the server rejected it due to TSIG authentication failure.
해결 방법
Send the update to the correct primary authoritative server for the zone. If using TSIG, verify the key name and secret match on both client and server.
설명
Signature out of time window. The TSIG signature timestamp is outside the allowed clock skew, indicating a time synchronization issue.
이 코드를 보게 되는 경우
The clocks on the DNS client and server are too far apart (usually more than 5 minutes), causing TSIG signature validation to fail.
해결 방법
Synchronize clocks on both machines using NTP. Check that the TSIG fudge value (allowed skew) is reasonable — the default 300 seconds is usually sufficient.
주요 차이점
DNS 9: Server Not Authoritative for zone, or Not Authorized. The server is not authoritative for the zone named in the Zone section.
DNS 18: Signature out of time window. The TSIG signature timestamp is outside the allowed clock skew, indicating a time synchronization issue.
You encounter 9 when you sent a dynamic update or zone operation to a server that is not the authoritative master for that zone, or the server rejected it due to TSIG authentication failure.
You encounter 18 when the clocks on the DNS client and server are too far apart (usually more than 5 minutes), causing TSIG signature validation to fail.
언제 어떤 것을 사용할지
For 9 (NOTAUTH): Send the update to the correct primary authoritative server for the zone. If using TSIG, verify the key name and secret match on both client and server. For 18 (BADTIME): Synchronize clocks on both machines using NTP. Check that the TSIG fudge value (allowed skew) is reasonable — the default 300 seconds is usually sufficient.