[Pdns-users] Clarification on which TSIG key signs notifications

Klaus Darilion klaus.darilion at nic.at
Wed Apr 1 21:57:16 UTC 2020

There is an issue on github about this. You are correct, pdns just uses the first tsig key returned by the backend. The workaround was a config option to disable signed notifications.


Gesendet über BlackBerry Work (www.blackberry.com)
Von: Matthew Monaco via Pdns-users <pdns-users at mailman.powerdns.com>
Gesendet: 01.04.2020 23:53
An: pdns-users at mailman.powerdns.com
Betreff: [Pdns-users] Clarification on which TSIG key signs notifications

Relevant doc:

After reading this, and trial and error, I'm not sure how I can control the TSIG key that the master uses to sign notifications.

I have 1 master and 2 slaves and a tsig key named after each. I am trying to configure things such that the master allows AXFRs to each of the slave TSIGs but uses it's own named TSIG for signing notifications. On the slaves then, I'm trying to configure things such that notifications are allowed by the master TSIG and AXFR requests are signed by their own named TSIG key.

It seems to me like the master is just using the first TSIG-ALLOW-AXFR key to sign notifications.

Is there any value to this setup? I wanted to be able to rotate the slaves' keys separately. However, the only thing that I can get to work is my historical setup of a single shared TSIG key for all master/slave notifications and zone transfers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20200401/10175e19/attachment.htm>

More information about the Pdns-users mailing list