<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">Thanks. I'll show myself out. I read this just after hitting send: <a href="https://doc.powerdns.com/authoritative/settings.html#send-signed-notify" style="font-family:Arial,Helvetica,sans-serif">https://doc.powerdns.com/authoritative/settings.html#send-signed-notify</a>.</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">I probably don't need TSIG anyway since this is all happening over WireGuard links with addresses in the fd00:: address space.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 1, 2020 at 3:57 PM Klaus Darilion <<a href="mailto:klaus.darilion@nic.at">klaus.darilion@nic.at</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div id="gmail-m_5381554036476018676gw-compose-body-div" style="font-family:Arial;font-size:12pt;color:rgb(0,0,0)">
<div>
<div>
<div>There is an issue on github about this. You are correct, pdns just uses the first tsig key returned by the backend. The workaround was a config option to disable signed notifications.</div>
<div><br>
</div>
<div>Klaus</div>
<div><br>
</div>
<div><br>
</div>
<div id="gmail-m_5381554036476018676gw-compose-signature-div" style="font-family:Arial;font-size:12pt;color:rgb(0,0,0)">
Sent via BlackBerry Work (<a href="http://www.blackberry.com" target="_blank">www.blackberry.com</a>)</div>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%">
<div><b>From: </b>Matthew Monaco via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com" target="_blank">pdns-users@mailman.powerdns.com</a>><br>
<b>Sent: </b>01.04.2020 23:53<br>
<b>To: </b><a href="mailto:pdns-users@mailman.powerdns.com" target="_blank">pdns-users@mailman.powerdns.com</a><br>
<b>Subject: </b>[Pdns-users] Clarification on which TSIG key signs notifications<br>
<br type="attribution">
</div>
<div>
<div dir="ltr">
<div class="gmail_default" style="font-family:monospace,monospace">Relevant doc:</div>
<div class="gmail_default" style="font-family:monospace,monospace"> <a href="https://doc.powerdns.com/authoritative/tsig.html#provisioning-signed-notification-and-axfr-requests" target="_blank">
https://doc.powerdns.com/authoritative/tsig.html#provisioning-signed-notification-and-axfr-requests</a></div>
<div class="gmail_default" style="font-family:monospace,monospace"><br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace">After reading this, and trial and error, I'm not sure how I can control the TSIG key that the master uses to sign notifications.</div>
<div class="gmail_default" style="font-family:monospace,monospace"><br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace">I have 1 master and 2 slaves and a tsig key named after each. I am trying to configure things such that the master allows AXFRs to each of the slave TSIGs but uses its own named TSIG for signing
notifications. On the slaves then, I'm trying to configure things such that notifications are allowed by the master TSIG and AXFR requests are signed by their own named TSIG key.</div>
<div class="gmail_default" style="font-family:monospace,monospace"><br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace">It seems to me like the master is just using the first TSIG-ALLOW-AXFR key to sign notifications.</div>
<div class="gmail_default" style="font-family:monospace,monospace"><br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace">Is there any value to this setup? I wanted to be able to rotate the slaves' keys separately. However, the only thing that I can get to work is my historical setup of a single shared TSIG key
for all master/slave notifications and zone transfers.</div>
</div>
</div>
</div>
</blockquote></div>
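<p>As an added example (not code from the thread or from the PowerDNS project), a POSIX shell script that emits the pdnsutil commands for the per-secondary key layout Matthew describes, reports which key the primary will actually put on its NOTIFYs, and prints the send-signed-notify workaround Klaus mentions. The zone and key names are constructed placeholders, and pdnsutil 4.x command syntax (activate-tsig-key ... master|slave) is assumed.</p>

```sh
#!/bin/sh
# Added example, not from the thread or from PowerDNS itself. Zone and key
# names are constructed placeholders; pdnsutil 4.x syntax is assumed.
ZONE="example.test"
SECONDARY_KEYS="ns1 ns2"    # one key per secondary so each rotates independently
PDNSUTIL="${PDNSUTIL:-pdnsutil}"

# Primary side: each secondary's key is added to the zone's TSIG-ALLOW-AXFR
# metadata, which is what 'activate-tsig-key ... master' does.
primary_plan() {
    for k in $SECONDARY_KEYS; do
        echo "$PDNSUTIL generate-tsig-key $k hmac-sha256"
        echo "$PDNSUTIL activate-tsig-key $ZONE $k master"
    done
}

# Secondary side: it signs its own AXFR requests with its own key
# (AXFR-MASTER-TSIG metadata, set by 'activate-tsig-key ... slave').
secondary_plan() {
    echo "$PDNSUTIL import-tsig-key $1 hmac-sha256 <secret-copied-from-primary>"
    echo "$PDNSUTIL activate-tsig-key $ZONE $1 slave"
}

# Key the primary will sign NOTIFY with. Per the thread, pdns takes the
# first TSIG-ALLOW-AXFR key the backend returns, not a key named after the
# primary; this models that as the first configured key (assumption: the
# backend returns keys in the order they were added). Every secondary would
# have to accept this key for signed NOTIFYs to verify.
notify_key() {
    set -- $SECONDARY_KEYS
    echo "$1"
}

# pdns.conf line for the workaround: do not sign NOTIFY at all. NOTIFY is then
# unauthenticated (restrict it by source address); the AXFR stays signed.
notify_workaround_conf() {
    echo "send-signed-notify=no"
}

# Apply the primary plan only when pdnsutil is actually installed;
# otherwise just print it for review.
apply_primary() {
    if command -v "$PDNSUTIL" >/dev/null 2>&1; then
        primary_plan | sh -e
    else
        echo "pdnsutil not found, printing plan only" >&2
        primary_plan
    fi
}
```

Run apply_primary on the primary and pipe secondary_plan ns1 / ns2 into a shell on each secondary after pasting the real secret; notify_key tells you which key a secondary must accept if you leave signed NOTIFYs on.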