[Pdns-users] TSIG signed notifications in 4.x

Christof Meerwald cmeerw at cmeerw.org
Mon Aug 29 14:36:17 UTC 2016


On Mon, 29 Aug 2016 17:22:38 +0300, Aki Tuomi wrote:
> On Mon, Aug 29, 2016 at 01:18:05PM +0200, Christof Meerwald wrote:
>> so the intention is to allow AXFRs from a set of static IPs and
>> additionally from any IP with a valid TSIG signature.
[...]
> What is the point of using TSIG for AXFR if your slave hasn't got the key
> in the first place?

I tried to explain that in the first sentence, i.e. not using TSIG for
AXFRs from slaves, but allowing additional clients (without static IP
addresses) to do an AXFR via a TSIG key.

Also, not all third-party secondary DNS servers might allow
configuration of TSIG keys for AXFRs, but configuring a TSIG key in
TSIG-ALLOW-AXFR on the master will result in those secondary DNS
servers ignoring any notifications sent by the master (as they don't
have the TSIG key, they are required to ignore the notification
according to the spec).


Christof

-- 

http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
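The behaviour Christof describes (a secondary that does not hold the key must refuse a TSIG-signed NOTIFY, while an unsigned NOTIFY is judged only against its source address) can be shown with a small model of the secondary's decision. The following is an added example written for this archive page; it is not PowerDNS code and does not reproduce PowerDNS internals. It builds a real wire-format NOTIFY, signs it with an RFC 8945 (formerly RFC 2845) HMAC-SHA256 TSIG, and then checks it the way a secondary would. The key name `tsigkey.example.`, the secret, the zone `example.org.`, the addresses and the timestamp `NOW` are all constructed values; name compression is not handled because the constructed messages never use it.

```python
"""Model of a secondary's NOTIFY handling with and without TSIG (RFC 8945)."""
import hashlib
import hmac
import struct

TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY = 6, 250, 1, 255
OPCODE_NOTIFY = 4
ALG = "hmac-sha256."          # TSIG algorithm name, in DNS name form
NOW = 1472481377              # constructed "current time" for the demo


def encode_name(name):
    """Uncompressed wire encoding of a dotted name (lowercase, trailing dot optional)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire, off):
    """Inverse of encode_name; returns (name, new offset). No compression pointers."""
    labels = []
    while True:
        n = wire[off]; off += 1
        if n & 0xC0:
            raise ValueError("compression pointers not supported in this model")
        if n == 0:
            return ".".join(labels).lower() + ".", off
        labels.append(wire[off:off + n].decode("ascii")); off += n


def build_notify(zone, msg_id):
    """Unsigned NOTIFY: header (opcode 4, AA set), one SOA question, no records."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return hdr + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' that are appended to the message before the HMAC."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_notify(unsigned, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned message and bump ARCOUNT (master side)."""
    mac = hmac.new(secret, unsigned + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    orig_id = struct.unpack("!H", unsigned[:2])[0]
    rdata = (encode_name(ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", unsigned[10:12])[0] + 1
    return unsigned[:10] + struct.pack("!H", arcount) + unsigned[12:] + rr


def parse_records(wire):
    """Return (header fields, [(offset, name, type, class, ttl, rdata), ...])."""
    hdr = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(hdr[2]):                       # skip the question section
        _, off = decode_name(wire, off); off += 4
    recs = []
    for _ in range(hdr[3] + hdr[4] + hdr[5]):     # answer + authority + additional
        start = off
        name, off = decode_name(wire, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10]); off += 10
        recs.append((start, name, rtype, rclass, ttl, wire[off:off + rdlen])); off += rdlen
    return hdr, recs


def verify_notify(wire, known_keys, allowed_ips, src_ip, now):
    """Secondary's decision. known_keys maps canonical key names to secrets."""
    hdr, recs = parse_records(wire)
    if not recs or recs[-1][2] != TYPE_TSIG:
        # Unsigned NOTIFY: only the source-address allow list applies.
        return "accepted" if src_ip in allowed_ips else "ignored: source not in allow list"
    start, keyname, _, _, _, rdata = recs[-1]
    alg, off = decode_name(rdata, 0)
    if keyname not in known_keys or alg != ALG:
        # RFC 8945 5.3.1: unknown key or algorithm -> NOTAUTH/BADKEY, message not processed.
        # This is why a secondary without the key drops the master's signed notifications.
        return "rejected: NOTAUTH/BADKEY (unknown key %s)" % keyname
    time_signed = int.from_bytes(rdata[off:off + 6], "big"); off += 6
    fudge, maclen = struct.unpack("!HH", rdata[off:off + 4]); off += 4
    mac = rdata[off:off + maclen]; off += maclen
    orig_id, error, otherlen = struct.unpack("!HHH", rdata[off:off + 6]); off += 6
    other = rdata[off:off + otherlen]
    # Rebuild the message exactly as it was signed: original ID, ARCOUNT-1, TSIG RR removed.
    unsigned = struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", hdr[5] - 1) + wire[12:start]
    expected = hmac.new(known_keys[keyname],
                        unsigned + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "rejected: NOTAUTH/BADSIG"
    if abs(now - time_signed) > fudge:
        return "rejected: NOTAUTH/BADTIME"
    return "accepted"


def demo():
    """Four constructed scenarios; returns the secondary's verdict for each."""
    secret = b"constructed-secret-not-a-real-key"
    unsigned = build_notify("example.org.", 0x1234)
    signed = sign_notify(unsigned, "tsigkey.example.", secret, NOW)
    tampered = signed[:14] + bytes([signed[14] ^ 0x01]) + signed[15:]   # flip one byte of the zone name
    return (
        verify_notify(signed, {}, {"192.0.2.1"}, "192.0.2.1", NOW),                     # no key: BADKEY
        verify_notify(signed, {"tsigkey.example.": secret}, set(), "198.51.100.7", NOW),  # key known: accepted
        verify_notify(unsigned, {}, {"192.0.2.1"}, "192.0.2.1", NOW),                   # unsigned: allow list
        verify_notify(tampered, {"tsigkey.example.": secret}, set(), "198.51.100.7", NOW),  # modified: BADSIG
    )


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The first scenario is the situation in the thread: the master signs because a key is listed for the zone, and a secondary that was never given that key cannot do anything but reject with BADKEY, even though its address would have been acceptable for an unsigned NOTIFY. The second and fourth scenarios show the other side of the same rule: a secondary that does hold the key accepts the notification regardless of source address and detects any modification of the signed message.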

