[Pdns-users] Clarification on which TSIG key signs notifications

Matthew Monaco matt at monaco.cx
Wed Apr 1 21:52:58 UTC 2020

Relevant doc:


After reading this, and trial and error, I'm not sure how I can control the
TSIG key that the master uses to sign notifications.

I have 1 master and 2 slaves and a tsig key named after each. I am trying
to configure things such that the master allows AXFRs to each of the slave
TSIGs but uses it's own named TSIG for signing notifications. On the slaves
then, I'm trying to configure things such that notifications are allowed by
the master TSIG and AXFR requests are signed by their own named TSIG key.

It seems to me like the master is just using the first TSIG-ALLOW-AXFR key
to sign notifications.

Is there any value to this setup? I wanted to be able to rotate the slaves'
keys separately. However, the only thing that I can get to work is my
historical setup of a single shared TSIG key for all master/slave
notifications and zone transfers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20200401/bdef4a9a/attachment.htm>

More information about the Pdns-users mailing list