---
title: "My server is rejecting TSIG authentication"
slug: "aa-00310"
description: "Sometimes TSIG authentication errors in BIND can be caused by clock skew."
updated: 2021-05-25T20:35:28Z
published: 2021-05-25T20:35:28Z
stale: true
---

# I'm trying to use TSIG to authenticate dynamic updates or zone transfers but the server is rejecting the TSIG - why?

If you are sure that the keys are configured correctly, then this may be a clock skew problem. Check that the clocks on the client and server are properly synchronized (e.g., using NTP).

Check your logs for errors. If you are running a recent version of BIND, you may see error messages similar to the following (reported by the secondary zone server):

```
25-Jan-2013 13:09:08.048 zone 7.168.192.in-addr.arpa/IN/trusted: refresh: failure trying master 192.168.7.27#53 (source 0.0.0.0#0): clocks are unsynchronized
25-Jan-2013 13:09:23.053 zone myzone.example/IN/trusted: refresh: failure trying master 192.168.7.27#53 (source 0.0.0.0#0): clocks are unsynchronized
```
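
One way to carry out the log check on a secondary, as an added example (not ISC's code): this Python script finds the `clocks are unsynchronized` refresh failures and groups them by primary, so you know which host's clock to compare against. The sample log is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the excerpt above; the second entry is wrapped.
SAMPLE_LOG = """\
25-Jan-2013 13:09:08.048 zone 7.168.192.in-addr.arpa/IN/trusted: refresh: failure trying master 192.168.7.27#53 (source 0.0.0.0#0): clocks are unsynchronized
25-Jan-2013 13:09:23.053 zone myzone.example/IN/trusted: refresh:
failure trying master 192.168.7.27#53 (source 0.0.0.0#0): clocks are
unsynchronized
25-Jan-2013 13:10:01.000 zone other.example/IN/trusted: transferred serial 42
"""

TS = re.compile(r"\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
# Assumption: the word after "trying" may be "master" or "primary" depending on release.
SKEW = re.compile(
    r"(?P<ts>\S+ \S+) zone (?P<zone>\S+?)/IN(?:/(?P<view>\S+?))?: refresh: "
    r"failure trying (?:master|primary) (?P<peer>\S+?)#\d+ .*clocks are unsynchronized$"
)

def join_wrapped(text):
    """Re-join wrapped entries: a line with no leading timestamp continues the last one."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def skew_failures(text):
    """Group clock-skew refresh failures by the primary they were reported against."""
    report = defaultdict(lambda: {"zones": set(), "first": None, "last": None})
    for entry in join_wrapped(text):
        m = SKEW.match(entry)
        if m is None:
            continue
        when = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        r = report[m["peer"]]
        r["zones"].add(m["zone"])
        r["first"] = min(r["first"] or when, when)
        r["last"] = max(r["last"] or when, when)
    return dict(report)

if __name__ == "__main__":
    for peer, r in skew_failures(SAMPLE_LOG).items():
        print(f"compare clocks with {peer}: zones={sorted(r['zones'])} "
              f"first={r['first']} last={r['last']}")
```

If every affected zone points at the same primary, as in the sample, the skew is most likely between this secondary and that one host.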
