[Pdns-users] Regarding the warning about TSIG and AXFR requests

Peter van Dijk peter.van.dijk at netherlabs.nl
Mon Oct 31 15:20:24 UTC 2011

Hello Mohamed,

On Oct 21, 2011, at 10:31 , Mohamed Lrhazi wrote:

> Could some explain a bit more what the risks are, that this warning is
> referring  to:
> http://doc.powerdns.com/tsig-outbound-notify-axfr.html
> Warning
> PowerDNS for now only verifies the TSIG signature on the first AXFR
> 'message', which helps for access control, but does not provide 100.0%
> protection of subsequent AXFR zone content messages.
> Is this saying that one would not be protected from content
> modification/injection with this feature enabled?
> If so, what would be my options to secure slave/master communication,
> with pdns acting as slave?

I have checked the relevant code, and the answer is: yes, one would not be protected from content modification/injection. An attacker that can modify TCP-streams between master and slave can inject records.

Options to secure master/slave communication include:
- making sure the transfer happens over some kind of VPN (OpenSSH, IPSEC)
- using MySQL-replication (with SSL!) instead of AXFR

Kind regards,
Peter van Dijk

More information about the Pdns-users mailing list