[Pdns-users] dns update across dnsdist

Remi Gacogne remi.gacogne at powerdns.com
Tue Feb 11 10:32:59 UTC 2020

Hi Marc,

On 2/10/20 10:42 PM, Marc Boisis via Pdns-users wrote:
> Here is my config:
> [isc-dhcp] ----dns update---->[dnsdist--->pdns authoritative]
> the isc dhcp server(v4.4.2) send a dns update query with a tsig
> key(hmac-md5). (I see it with tcpdump/wireshark).
> When the authoritative get the request, it said : "UPDATE (9470) from
> for my-domain.com: TSIG key required, but packet does not
> contain key. Sending REFUSED"
> my dnsdist config is:
> |newServer({address='', pool='auth'})
> addAction(OpcodeRule(DNSOpcode.Update), PoolAction("auth") ) |
> my authoritative config:
> |allow-dnsupdate-from= dnsupdate=yes |
> I miss something  ?

Would you mind sharing the exact versions of dnsdist and PowerDNS
authoritative server you are using?

Did you try capturing the packet leaving dnsdist toward the
authoritative server to confirm that the TSIG key is still there? Your
configuration does not require the addition of EDNS Client Subnet so
dnsdist shouldn't be altering the packet at all, but it would be nice to
know what the authoritative server actually receives.

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20200211/b4e09971/attachment.sig>

More information about the Pdns-users mailing list