[Pdns-users] TSIG signed notifications in 4.x

Aki Tuomi cmouse at youzen.ext.b2.fi
Mon Aug 29 14:22:38 UTC 2016

On Mon, Aug 29, 2016 at 01:18:05PM +0200, Christof Meerwald wrote:
> Hi,
> so the intention is to allow AXFRs from a set of static IPs and
> additionally from any IP with a valid TSIG signature.
> This seemed to work quite fine with 3.x when setting TSIG-ALLOW-AXFR
> on the master for the domains affected (and no TSIG setting on the
> slave as the slave would have a static IP anyway).
> No with 4.x the behaviour seems to have changed and any notifications
> from the master are now also signed with that TSIG key (as specified
> in TSIG-ALLOW-AXFR - there is no entry in AXFR-MASTER-TSIG). Problem
> is that the slave now ignores those notifications as the slave doesn't
> necessarily have the TSIG key.
> The description in the documentation seems to be a bit vague, but kind
> of suggests that AXFR-MASTER-TSIG should be used for notification
> instead of TSIG-ALLOW-AXFR... At least it mentions TSIG-ALLOW-AXFR
> under "Provisioning signed notification and AXFR requests".
> Any comments? At least the behaviour seems to be undesirable for my
> use-case.
> Christof

What is the point of using TSIG for AXFR if your slave hasn't got the key
in the first place?


More information about the Pdns-users mailing list