[Pdns-users] Clarification on which TSIG key signs notifications
matt at monaco.cx
Wed Apr 1 22:04:03 UTC 2020
Thanks. I'll show myself out. I read this just after hitting send:
I probably don't need TSIG anyway since this is all happening over
wireguard links with addresses in the fd00:: address space.
On Wed, Apr 1, 2020 at 3:57 PM Klaus Darilion <klaus.darilion at nic.at> wrote:
> There is an issue on github about this. You are correct, pdns just uses
> the first tsig key returned by the backend. The workaround was a config
> option to disable signed notifications.
> Sent via BlackBerry Work (www.blackberry.com)
> *From: *Matthew Monaco via Pdns-users <pdns-users at mailman.powerdns.com>
> *Sent: *01.04.2020 23:53
> *To: *pdns-users at mailman.powerdns.com
> *Subject: *[Pdns-users] Clarification on which TSIG key signs
> Relevant doc:
> After reading this, and trial and error, I'm not sure how I can control
> the TSIG key that the master uses to sign notifications.
> I have 1 master and 2 slaves and a tsig key named after each. I am trying
> to configure things such that the master allows AXFRs to each of the slave
> TSIGs but uses its own named TSIG for signing notifications. On the slaves
> then, I'm trying to configure things such that notifications are allowed by
> the master TSIG and AXFR requests are signed by their own named TSIG key.
> It seems to me like the master is just using the first TSIG-ALLOW-AXFR key
> to sign notifications.
> Is there any value to this setup? I wanted to be able to rotate the
> slaves' keys separately. However, the only thing that I can get to work is
> my historical setup of a single shared TSIG key for all master/slave
> notifications and zone transfers.