[Pdns-users] TSIG signed notifications in 4.x
cmouse at youzen.ext.b2.fi
Mon Aug 29 14:22:38 UTC 2016
On Mon, Aug 29, 2016 at 01:18:05PM +0200, Christof Meerwald wrote:
> so the intention is to allow AXFRs from a set of static IPs and
> additionally from any IP with a valid TSIG signature.
> This seemed to work quite fine with 3.x when setting TSIG-ALLOW-AXFR
> on the master for the domains affected (and no TSIG setting on the
> slave as the slave would have a static IP anyway).
> Now with 4.x the behaviour seems to have changed and any notifications
> from the master are now also signed with that TSIG key (as specified
> in TSIG-ALLOW-AXFR - there is no entry in AXFR-MASTER-TSIG). Problem
> is that the slave now ignores those notifications as the slave doesn't
> necessarily have the TSIG key.
> The description in the documentation seems to be a bit vague, but kind
> of suggests that AXFR-MASTER-TSIG should be used for notification
> instead of TSIG-ALLOW-AXFR... At least it mentions TSIG-ALLOW-AXFR
> under "Provisioning signed notification and AXFR requests".
> Any comments? At least the behaviour seems to be undesirable for my
What is the point of using TSIG for AXFR if your slave hasn't got the key
in the first place?
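The failure Christof describes (a NOTIFY signed with the TSIG-ALLOW-AXFR key arriving at a slave that does not hold that key) comes down to how a TSIG receiver processes a signed message: unknown key, bad MAC and bad time are each rejected before the notification is acted on. The Python below is an added, self-contained model of that check, not PowerDNS code: it builds a NOTIFY in DNS wire format, signs it with HMAC-SHA256 using the TSIG record layout of RFC 8945, and verifies it against a keyring. The zone name, key name, secret and timestamp are constructed values, and the parser assumes uncompressed names, which is all the builder emits.

```python
"""Added model of TSIG-signed NOTIFY verification (not PowerDNS code)."""
import hashlib
import hmac
import struct

TYPE_SOA, TYPE_TSIG = 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_NOTIFY = 4
HMAC_ALG = "hmac-sha256."  # TSIG algorithm name, RFC 4635 / RFC 8945


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire: bytes, off: int):
    """Decode an uncompressed name at `off`; return (name, next offset)."""
    labels = []
    while True:
        n = wire[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(wire[off:off + n].decode("ascii"))
        off += n


def build_notify(zone: str, msg_id: int) -> bytes:
    """Unsigned NOTIFY: header (opcode NOTIFY, AA set) plus one SOA question."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def _tsig_variables(keyname: str, time_signed: int, fudge: int) -> bytes:
    """TSIG variables covered by the MAC: key name, class ANY, TTL 0,
    algorithm, 48-bit time signed, fudge, error 0, other-len 0."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(HMAC_ALG)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, 0, 0))


def sign_notify(msg: bytes, keyname: str, secret: bytes,
                time_signed: int, fudge: int = 300) -> bytes:
    """Append a TSIG RR to `msg` (the master's side of the exchange)."""
    mac = hmac.new(secret, msg + _tsig_variables(keyname, time_signed, fudge),
                   hashlib.sha256).digest()
    msg_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(HMAC_ALG)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0,
                                            len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def verify_notify(wire: bytes, keyring: dict, now: int) -> str:
    """How a slave holding `keyring` treats the message: 'unsigned',
    'verified', 'unknown-key', 'unsupported-alg', 'bad-mac' or 'bad-time'."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(wire, off)
        off += 4  # qtype + qclass
    rr_start = off
    for _ in range(an + ns + ar):
        rr_start = off
        _, off = decode_name(wire, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        if rtype == TYPE_TSIG:
            break  # TSIG must be the last RR in the message
        off += rdlen
    else:
        return "unsigned"
    keyname, p = decode_name(wire, rr_start)
    p += 10
    alg, p = decode_name(wire, p)
    t_hi, t_lo, fudge, maclen = struct.unpack("!HIHH", wire[p:p + 10])
    p += 10
    mac = wire[p:p + maclen]
    time_signed = (t_hi << 32) | t_lo
    if keyname not in keyring:
        return "unknown-key"      # the case from the thread: slave lacks the key
    if alg != HMAC_ALG:
        return "unsupported-alg"
    # Rebuild the message as signed: TSIG RR removed, ARCOUNT decremented.
    unsigned = wire[:10] + struct.pack("!H", ar - 1) + wire[12:rr_start]
    expected = hmac.new(keyring[keyname],
                        unsigned + _tsig_variables(keyname, time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "bad-mac"
    if abs(now - time_signed) > fudge:
        return "bad-time"
    return "verified"


def demo() -> dict:
    """Constructed zone, key and clock; shows each outcome a slave can reach."""
    secret = b"constructed-secret-not-a-real-key"
    t = 1472480558  # constructed timestamp (2016-08-29)
    notify = build_notify("example.com.", 0x1234)
    signed = sign_notify(notify, "axfr-key.", secret, time_signed=t)
    return {
        "unsigned": verify_notify(notify, {}, t),
        "slave_without_key": verify_notify(signed, {}, t),
        "slave_with_key": verify_notify(signed, {"axfr-key.": secret}, t),
        "slave_wrong_secret": verify_notify(signed, {"axfr-key.": b"other"}, t),
        "slave_clock_skew": verify_notify(signed, {"axfr-key.": secret}, t + 3600),
    }
```

The `slave_without_key` case is the one in the thread: a signed NOTIFY is never downgraded to an unsigned one, so a slave that has not been provisioned with the key the master signs with can only drop it. The practical options are therefore to install the same key on the slave or to make sure the master signs notifications with a key the slave actually has.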