[Pdns-users] TSIG signed notifications in 4.x

Christof Meerwald cmeerw at cmeerw.org
Mon Aug 29 11:18:05 UTC 2016


so the intention is to allow AXFRs from a set of static IPs and
additionally from any IP with a valid TSIG signature.

This seemed to work quite fine with 3.x when setting TSIG-ALLOW-AXFR
on the master for the domains affected (and no TSIG setting on the
slave as the slave would have a static IP anyway).

No with 4.x the behaviour seems to have changed and any notifications
from the master are now also signed with that TSIG key (as specified
in TSIG-ALLOW-AXFR - there is no entry in AXFR-MASTER-TSIG). Problem
is that the slave now ignores those notifications as the slave doesn't
necessarily have the TSIG key.

The description in the documentation seems to be a bit vague, but kind
of suggests that AXFR-MASTER-TSIG should be used for notification
instead of TSIG-ALLOW-AXFR... At least it mentions TSIG-ALLOW-AXFR
under "Provisioning signed notification and AXFR requests".

Any comments? At least the behaviour seems to be undesirable for my



http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org

More information about the Pdns-users mailing list