[Pdns-users] TSIG signed notifications in 4.x
Christof Meerwald
cmeerw at cmeerw.org
Mon Aug 29 11:18:05 UTC 2016
Hi,
so the intention is to allow AXFRs from a set of static IPs and
additionally from any IP with a valid TSIG signature.
This seemed to work quite fine with 3.x when setting TSIG-ALLOW-AXFR
on the master for the domains affected (and no TSIG setting on the
slave as the slave would have a static IP anyway).
No with 4.x the behaviour seems to have changed and any notifications
from the master are now also signed with that TSIG key (as specified
in TSIG-ALLOW-AXFR - there is no entry in AXFR-MASTER-TSIG). Problem
is that the slave now ignores those notifications as the slave doesn't
necessarily have the TSIG key.
The description in the documentation seems to be a bit vague, but kind
of suggests that AXFR-MASTER-TSIG should be used for notification
instead of TSIG-ALLOW-AXFR... At least it mentions TSIG-ALLOW-AXFR
under "Provisioning signed notification and AXFR requests".
Any comments? At least the behaviour seems to be undesirable for my
use-case.
Christof
--
http://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org
More information about the Pdns-users
mailing list