[Pdns-users] Clarification on which TSIG key signs notifications
Klaus Darilion
klaus.darilion at nic.at
Wed Apr 1 21:57:16 UTC 2020
There is an issue on github about this. You are correct, pdns just uses the first tsig key returned by the backend. The workaround was a config option to disable signed notifications.
Klaus
Gesendet über BlackBerry Work (www.blackberry.com)
________________________________
Von: Matthew Monaco via Pdns-users <pdns-users at mailman.powerdns.com>
Gesendet: 01.04.2020 23:53
An: pdns-users at mailman.powerdns.com
Betreff: [Pdns-users] Clarification on which TSIG key signs notifications
Relevant doc:
https://doc.powerdns.com/authoritative/tsig.html#provisioning-signed-notification-and-axfr-requests
After reading this, and trial and error, I'm not sure how I can control the TSIG key that the master uses to sign notifications.
I have 1 master and 2 slaves and a tsig key named after each. I am trying to configure things such that the master allows AXFRs to each of the slave TSIGs but uses it's own named TSIG for signing notifications. On the slaves then, I'm trying to configure things such that notifications are allowed by the master TSIG and AXFR requests are signed by their own named TSIG key.
It seems to me like the master is just using the first TSIG-ALLOW-AXFR key to sign notifications.
Is there any value to this setup? I wanted to be able to rotate the slaves' keys separately. However, the only thing that I can get to work is my historical setup of a single shared TSIG key for all master/slave notifications and zone transfers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20200401/10175e19/attachment.htm>
More information about the Pdns-users
mailing list