[Pdns-users] TSIG updates fail with NOAUTH error

Kenneth Marshall ktm at rice.edu
Wed Sep 14 16:30:21 UTC 2016


On Wed, Sep 14, 2016 at 06:23:30PM +0300, Aki Tuomi wrote:
> On Wed, Sep 14, 2016 at 09:52:30AM -0500, Kenneth Marshall wrote:
> > Hi,
> > 
> > I am trying to get TSIG updates to work to a pdns-3.4.9 slave and
> > they fail with a NOAUTH error. It looks like even though the key
> > is correct and allowed in the domainmetadata that because it is
> > designated a 'SLAVE' in the domains table the update is failing.
> > 
> > In order to manage service interruptions (DR for example), we
> > need to be able to update the slaves if the master(s) are
> > unavailable. Is there a configuration option that controls this
> > behavior? I need to avoid having to require direct DB access to
> > allow this to work, i.e. by changing the domains type from 'SLAVE'
> > to 'MASTER'. Any assistance would be appreciated.
> > 
> > Regards,
> > Ken
> 
> Unfortunately, you need to do DNSUPDATEs for the master, otherwise they
> are not replicated correctly, as a slave cannot update the master.
> 
> An alternative is to use native replication, such as MySQL multi-master mode
> or a similar solution where you can do updates from multiple sources.
> 
> Aki
> 

Hi Aki,

This is to handle emergency updates where the normal master<->slave
transfers are unavailable and critical DNS records need to be updated
on the slave(s) in the absence of the master. It seems like if you
can support forwarding the TSIG updates to the existing master, you
could also just fall through to a local update if for example the
domainmetadata for the domain 'FORWARD-DNSUPDATE' was set to 'local'.
This would allow critical zone updates to take place in an emergency
with the existing infrastructure. What do you think about that workflow?

Regards,
Ken

