[Pdns-users] TSIG signed notifications in 4.x

Aki Tuomi cmouse at youzen.ext.b2.fi
Mon Aug 29 19:24:19 UTC 2016


On Mon, Aug 29, 2016 at 04:36:17PM +0200, Christof Meerwald wrote:
> On Mon, 29 Aug 2016 17:22:38 +0300, Aki Tuomi wrote:
> > On Mon, Aug 29, 2016 at 01:18:05PM +0200, Christof Meerwald wrote:
> >> so the intention is to allow AXFRs from a set of static IPs and
> >> additionally from any IP with a valid TSIG signature.
> [...]
> > What is the point of using TSIG for AXFR if your slave hasn't got the key
> > in the first place?
> 
> I tried to explain that in the first sentence, i.e. not using TSIG for
> AXFRs from slaves, but allowing additional clients (without static IP
> addresses) to do an AXFR via a TSIG key.
> 
> Also, not all third-party secondary DNS servers might allow
> configuration of TSIG keys for AXFRs, but configuring a TSIG key in
> TSIG-ALLOW-AXFR on the master will result in those secondary DNS
> servers ignoring any notifications sent by the master (as they don't
> have the TSIG key they are required to ignore the notification
> according to the spec).
> 
> 
> Christof

I see. It seems there should be some way to disable notification signatures.
Perhaps you could open an issue at https://github.com/PowerDNS/pdns/issues?

Aki
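To make the behaviour Christof describes concrete, here is an added Python example (not PowerDNS code, not from the thread) that builds a NOTIFY, signs it with a TSIG key the way a primary with an active key would, and shows the receiving side's verdict: a secondary that does not know the key name cannot verify the message and has to reject it with BADKEY, while the same NOTIFY sent unsigned is left to the ACL. The key name, secret and zone are constructed, and the verifier assumes the TSIG RR is the only record in the additional section.

```python
import hashlib, hmac, struct, time
# Constructed key table on the primary; the third-party secondary in the thread knows none of these.
PRIMARY_KEYS = {"axfr-key.example.": b"constructed-secret-not-a-real-key"}
ALG = "hmac-sha256."

def wire_name(name):
    """Dotted absolute name -> uncompressed DNS wire format, lower-cased (canonical form)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.lower().rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Read an uncompressed wire name; return (dotted name, offset just past it)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode()); off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def build_notify(zone, msg_id=0x1234):
    """Unsigned NOTIFY (opcode 4, AA set) with one SOA question and nothing else."""
    return struct.pack("!HHHHHH", msg_id, 0x2400, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 6, 1)

def tsig_vars(keyname, tsigned, fudge, error=0, other=b""):
    """TSIG variables that are HMAC'd after the message itself (RFC 2845 section 3.4.2)."""
    return (wire_name(keyname) + struct.pack("!HI", 255, 0) + wire_name(ALG) + tsigned.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign_notify(msg, keyname, secret, tsigned=None, fudge=300):
    """What a primary with an active key does: append a TSIG RR and bump ARCOUNT."""
    tsigned = int(time.time()) if tsigned is None else tsigned
    mac = hmac.new(secret, msg + tsig_vars(keyname, tsigned, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALG) + tsigned.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))       # original ID, error, other len
    rr = wire_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] + 1) + msg[12:] + rr

def secondary_verdict(msg, keys):
    """Receiver's decision: 'unsigned' (ACL alone decides), 'verified', 'badkey' or 'badsig'."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    if arcount == 0: return "unsigned"
    _, off = read_name(msg, 12)
    rr_start = off + 4                           # past QTYPE/QCLASS; TSIG assumed to be the only additional RR
    keyname, off = read_name(msg, rr_start)
    if keyname not in keys: return "badkey"      # unknown key: RFC 2845 4.5.1, answer NOTAUTH/BADKEY
    _, off = read_name(msg, off + 10)            # skip TYPE/CLASS/TTL/RDLENGTH, then the algorithm name
    tsigned = int.from_bytes(msg[off:off + 6], "big")
    fudge, maclen = struct.unpack("!HH", msg[off + 6:off + 10])
    mac = msg[off + 10:off + 10 + maclen]
    stripped = msg[:10] + struct.pack("!H", arcount - 1) + msg[12:rr_start]   # message as it was before signing
    expect = hmac.new(keys[keyname], stripped + tsig_vars(keyname, tsigned, fudge), hashlib.sha256).digest()
    return "verified" if hmac.compare_digest(mac, expect) else "badsig"
```

Running `secondary_verdict(sign_notify(build_notify("example.org."), "axfr-key.example.", PRIMARY_KEYS["axfr-key.example."]), {})` returns `"badkey"`, which is exactly why a secondary without the key never acts on the signed notification.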

