[Pdns-users] TSIG with bind backend

Frédéric Benoit frederic.benoit at greencom-networks.com
Mon Aug 24 12:43:28 UTC 2020


Hi, I am studying migrating my old bind to powerdns.
I am currently making tests with a bind backend (because migration is easy).

Everything that I use works well except TSIG. I indeed need some machines on my network to update DNS records.

Is the TSIG feature supported with only the bind backend?
If yes, what's wrong in my config?

I have the following config:

4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05) x86_64 GNU/Linux
root at strongswan-lab:~# dpkg -l | grep pdns
ii  pdns-backend-bind                    4.4.0~alpha0+master.700.g573dc48f2-1pdns.stretch amd64        BIND backend for PowerDNS
ii  pdns-server                          4.4.0~alpha0+master.700.g573dc48f2-1pdns.stretch amd64        extremely powerful and versatile nameserver


subset of /etc/powerdns/pdns.conf:
allow-notify-from=10.0.0.0/8,0.0.0.0/0,::/0
allow-unsigned-notify=yes
include-dir=/etc/powerdns/pdns.d
local-port=5300
setgid=pdns
setuid=pdns
webserver-address=10.46.0.37
webserver-allow-from=10.46.0.0/16,192.168.0.0/16,172.0.0.0/8

and only one file, /etc/powerdns/pdns.d/bind.conf, in /etc/powerdns/pdns.d:
launch=bind
bind-config=/usr/local/bind-for-powerdns/etc/named.conf
bind-supermaster-config=/var/lib/powerdns/supermaster.conf
bind-supermaster-destdir=/var/lib/powerdns/zones.slave.d

/var/lib/powerdns/supermaster.conf is an empty file and
/var/lib/powerdns/zones.slave.d is an empty dir

The relevant info in it is:
key "rndc-key" {
      algorithm hmac-md5;
      secret "base64secret";
};

zone "gcn.systems" {
      type master;
      file "/usr/local/bind-for-powerdns/var/cache/bind/db.gcn.systems";
      allow-update { key rndc-key; };
      allow-transfer { key rndc-key; };
};

root at strongswan-lab:~# cat /usr/local/bind-for-powerdns/var/cache/bind/db.gcn.systems
$ORIGIN .
$TTL 907200 ; 1 week 3 days 12 hours
gcn.systems IN SOA cortex.gcn-lab.fr. root.gcn.systems. (
440431     ; serial
10800      ; refresh (3 hours)
3600       ; retry (1 hour)
604800     ; expire (1 week)
38400      ; minimum (10 hours 40 minutes)
)
NS cortex.gcn-lab.fr.
$TTL 10800 ; 3 hours
A 217.70.184.38
MX 10 spool.mail.gandi.net.
MX 50 fb.mail.gandi.net.
$ORIGIN gcn.systems.
$TTL 300 ; 5 minutes
cassandra-0-azure-terraformtesting-aks A <ip_masked>
chef-azure-terraformtesting-aks A <ip_masked>
haproxy-0-azure-terraformtesting-aks A <ip_masked>
haproxy-1-azure-terraformtesting-aks A <ip_masked>
influxdb-azure-terraformtesting-aks A <ip_masked>
kafka-0-azure-terraformtesting-aks A <ip_masked>
vpngw-azure-terraformtesting-aks A <ip_masked>

Note: cortex.gcn-lab.fr is the actual bind nameserver I took the zone file from.

Thanks for helping


Best regards,

BENOIT Frederic
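As an added illustration (not part of the original post, and not PowerDNS or BIND code), here is the check a TSIG-aware server performs on a signed request, written in Python for an hmac-md5 key stanza like the one above: the key name and algorithm are themselves part of the signed data, so both sides must hold the same name, algorithm and secret, and the signature is only valid inside the fudge window. The secret, the key store and the DNS message are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct

# Algorithm name as written in named.conf -> (TSIG wire algorithm name, digest)
ALGORITHMS = {
    "hmac-md5": ("hmac-md5.sig-alg.reg.int", hashlib.md5),
    "hmac-sha256": ("hmac-sha256", hashlib.sha256),
}

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def tsig_mac(message, key_name, algorithm, secret_b64, time_signed, fudge=300,
             error=0, other=b""):
    """RFC 8945 request MAC: HMAC over the DNS message followed by the TSIG variables."""
    wire_alg, digest = ALGORITHMS[algorithm]
    variables = (
        name_to_wire(key_name)
        + struct.pack("!HI", 255, 0)                   # CLASS ANY, TTL 0
        + name_to_wire(wire_alg)
        + time_signed.to_bytes(6, "big")               # 48-bit Time Signed
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )
    return hmac.new(base64.b64decode(secret_b64), message + variables, digest).digest()

def verify_tsig(keys, message, key_name, algorithm, time_signed, fudge, mac, now):
    """Server side: the key name from the TSIG RR must exist in the server's own key
    store with the same algorithm, the time must be within the fudge window, and the
    MAC must match (constant-time compare). keys: {name: (algorithm, secret_b64)}."""
    entry = keys.get(key_name.lower().rstrip("."))
    if entry is None or entry[0] != algorithm:
        return False
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(message, key_name, algorithm, entry[1], time_signed, fudge)
    return hmac.compare_digest(expected, mac)

# Constructed sample: DNS header (id 0x1234, QDCOUNT 1) + question "gcn.systems. IN SOA"
SAMPLE_MESSAGE = (struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
                  + name_to_wire("gcn.systems") + struct.pack("!HH", 6, 1))
SAMPLE_SECRET = base64.b64encode(b"constructed-example-secret").decode()  # not a real key
SAMPLE_KEYS = {"rndc-key": ("hmac-md5", SAMPLE_SECRET)}
```

A request signed with a key name the server does not have, a different algorithm, or a stale timestamp is rejected before the MAC is even compared.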