diff --git a/CHANGES b/CHANGES
index 10d3a5091b..93df041290 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+ 771. [cleanup] TSIG errors related to unsynchronized clocks
+ are logged better.
+
 770. [func] Add the "edns yes_or_no" statement to the server clause. [RT #524]
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index c591773210..818ae6c2ad 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: result.h,v 1.79 2001/03/06 22:10:34 marka Exp $ */
+/* $Id: result.h,v 1.80 2001/03/07 20:53:31 bwelling Exp $ */
 #ifndef DNS_RESULT_H
 #define DNS_RESULT_H 1
@@ -112,8 +112,9 @@
 #define DNS_R_HINTNXRRSET (ISC_RESULTCLASS_DNS + 73)
 #define DNS_R_NOMASTERFILE (ISC_RESULTCLASS_DNS + 74)
 #define DNS_R_UNKNOWNPROTO (ISC_RESULTCLASS_DNS + 75)
+#define DNS_R_CLOCKSKEW (ISC_RESULTCLASS_DNS + 76)
-#define DNS_R_NRESULTS 76 /* Number of results */
+#define DNS_R_NRESULTS 77 /* Number of results */
 /*
 * DNS wire format rcodes.
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
index 72065b655e..bbf225fed5 100644
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: tsig.h,v 1.38 2001/02/13 03:57:06 bwelling Exp $ */
+/* $Id: tsig.h,v 1.39 2001/03/07 20:53:32 bwelling Exp $ */
 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
@@ -185,6 +185,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 * DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
 * DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
 * and this is a query
+ * DNS_R_CLOCKSKEW - the TSIG failed to verify because of
+ * the time was out of the allowed range.
 * DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
 */
diff --git a/lib/dns/result.c b/lib/dns/result.c
index 45f0f2ce4e..2dceeb6058 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
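Review bot: The new DNS_R_CLOCKSKEW description in the tsig.h hunk does not cover every path that returns it: in the tsig.c hunks at lines 855 and 1049 the code returns DNS_R_CLOCKSKEW when the received TSIG's error field is dns_tsigerror_badtime, and in the 855 case that sits right after `msg->tsigstatus = dns_rcode_noerror;`, the same situation the existing DNS_R_TSIGERRORSET text describes as "the TSIG verified but ->error was set". The sentence is also ungrammatical ("because of the time was"). Suggested wording: ` * DNS_R_CLOCKSKEW - the TSIG's time was outside the allowed` / ` * range, or the TSIG's error field was BADTIME`.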
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: result.c,v 1.87 2001/03/06 22:10:31 marka Exp $ */
+/* $Id: result.c,v 1.88 2001/03/07 20:53:27 bwelling Exp $ */
 #include
@@ -109,13 +109,15 @@ static const char *text[DNS_R_NRESULTS] = {
 "not exact", /* 67 DNS_R_NOTEXACT */
 "address blackholed", /* 68 DNS_R_BLACKHOLED */
 "bad algorithm", /* 69 DNS_R_BADALG */
- "invalid use of a meta type", /* 70 DNS_R_METATYPE */
+ "invalid use of a meta type", /* 70 DNS_R_METATYPE */
 "CNAME and other data", /* 71 DNS_R_CNAMEANDOTHER */
 "multiple RRs of singleton type", /* 72 DNS_R_SINGLETON */
 "hint nxrrset", /* 73 DNS_R_HINTNXRRSET */
- "no master file configured" /* 74 DNS_R_NOMASTERFILE */
- "unknown protocol" /* 75 DNS_R_UNKNOWNPROTO */
+ "no master file configured", /* 74 DNS_R_NOMASTERFILE */
+
+ "unknown protocol", /* 75 DNS_R_UNKNOWNPROTO */
+ "clocks are unsynchronized" /* 76 DNS_R_CLOCKSKEW */
 };
 static const char *rcode_text[DNS_R_NRCODERESULTS] = {
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 815f782f67..9f1097d99c 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: tsig.c,v 1.106 2001/02/13 03:57:04 bwelling Exp $
+ * $Id: tsig.c,v 1.107 2001/03/07 20:53:28 bwelling Exp $
 */
 #include
@@ -722,11 +722,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
 msg->tsigstatus = dns_tsigerror_badtime;
 tsig_log(msg->tsigkey, 2, "signature has expired");
- return (DNS_R_TSIGVERIFYFAILURE);
+ return (DNS_R_CLOCKSKEW);
 } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
 msg->tsigstatus = dns_tsigerror_badtime;
 tsig_log(msg->tsigkey, 2, "signature is in the future");
- return (DNS_R_TSIGVERIFYFAILURE);
+ return (DNS_R_CLOCKSKEW);
 }
 if (tsig.siglen > 0) {
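Review bot: The added empty line between the DNS_R_NOMASTERFILE and DNS_R_UNKNOWNPROTO entries in the result.c hunk is a stray blank inside the initializer list and should be dropped. The same hunk silently fixes a real bug: the removed lines `"no master file configured" /* 74 */` and `"unknown protocol" /* 75 */` had no comma between them, so the two literals concatenated into one element and the array, declared with DNS_R_NRESULTS elements, was one entry short, which in C leaves the last slot NULL — presumably whatever printed the text for DNS_R_UNKNOWNPROTO got a NULL pointer until now. That deserves its own CHANGES entry rather than riding under a "[cleanup]" line, e.g. `[bug] The text for DNS_R_UNKNOWNPROTO was missing due to a lost comma in result.c.`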
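Review bot: Changing the return value from DNS_R_TSIGVERIFYFAILURE to DNS_R_CLOCKSKEW on both bad-time branches of dns_tsig_verify is a contract change whose callers are not in the diff: any caller that tests `result == DNS_R_TSIGVERIFYFAILURE` to decide how to respond to a bad-time message would now fall through to its generic error path. The identical change is made in tsig_verify_tcp at the hunks starting at lines 945 and 953. Please confirm the callers of dns_tsig_verify were audited for that comparison, and record the intent above the first branch: `/* Outside the fudge window: report clock skew, not a bad signature. */`. dns_tsig_verify's body continues outside the hunk.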
@@ -855,8 +855,12 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 msg->tsigstatus = dns_rcode_noerror;
- if (tsig.error != dns_rcode_noerror)
- return (DNS_R_TSIGERRORSET);
+ if (tsig.error != dns_rcode_noerror) {
+ if (tsig.error == dns_tsigerror_badtime)
+ return (DNS_R_CLOCKSKEW);
+ else
+ return (DNS_R_TSIGERRORSET);
+ }
 msg->verified_sig = 1;
@@ -945,7 +949,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
 msg->tsigstatus = dns_tsigerror_badtime;
 tsig_log(msg->tsigkey, 2, "signature has expired");
- ret = DNS_R_TSIGVERIFYFAILURE;
+ ret = DNS_R_CLOCKSKEW;
 goto cleanup_querystruct;
 } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge)
@@ -953,7 +957,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 msg->tsigstatus = dns_tsigerror_badtime;
 tsig_log(msg->tsigkey, 2, "signature is in the future");
- ret = DNS_R_TSIGVERIFYFAILURE;
+ ret = DNS_R_CLOCKSKEW;
 goto cleanup_querystruct;
 }
 }
@@ -1049,9 +1053,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 sig_r.base = tsig.signature;
 sig_r.length = tsig.siglen;
 if (tsig.siglen == 0) {
- if (tsig.error != dns_rcode_noerror)
- ret = DNS_R_TSIGERRORSET;
- else {
+ if (tsig.error != dns_rcode_noerror) {
+ if (tsig.error == dns_tsigerror_badtime)
+ ret = DNS_R_CLOCKSKEW;
+ else
+ ret = DNS_R_TSIGERRORSET;
+ } else {
 tsig_log(msg->tsigkey, 2, "signature is empty");
 ret = DNS_R_TSIGVERIFYFAILURE;
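Review bot: The mapping from `tsig.error == dns_tsigerror_badtime` to DNS_R_CLOCKSKEW is duplicated verbatim here and in the tsig_verify_tcp hunk at line 1049, and the two sites are not equivalent: the 1049 branch is only reached when `tsig.siglen == 0`, i.e. the received TSIG carries no signature, so there the BADTIME value is an unauthenticated claim from the peer and callers should not act on DNS_R_CLOCKSKEW as if it were a verified statement about the clocks. Unlike the local time-window branches, neither site logs anything, which is at odds with the CHANGES entry's "logged better"; a `tsig_log(msg->tsigkey, 2, "peer reported BADTIME");` call beside each would fix that. Both sites could also collapse to one line, `return ((tsig.error == dns_tsigerror_badtime) ? DNS_R_CLOCKSKEW : DNS_R_TSIGERRORSET);` (with `ret =` in the tcp variant), which is shorter than the five added lines. Both enclosing functions start and end outside their hunks.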