[Pdns-users] How to configure TSIG with BIND backend

Fox, Michael E. michael.fox at tamu.edu
Sat Nov 13 19:00:36 UTC 2021


Howdy,

I'm new to PowerDNS.  I'm using the authoritative server with the BIND backend for some testing.  (Don't need power or complexity of a DB backend).

Fake IPs:
      11.11.11.11 master
      22.22.22.22 slave

I've got a master and slave configured with three zones and doing zone transfers.  Initially, I didn't have TSIGs and have the following configured in pdns.conf on the master:

allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22

Now I'd like to configure TSIG.  But the instructions here seem to be related to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr

I'd like to stick to the BIND backend.  But I get errors when trying the same type of configuration options in named.conf that work in regular BIND.

Here's what I did:

On the master:

key "keyname" {
    algorithm hmac-sha256;
    secret "...";
};

zone "zonename" {
    file ...;
    type master;
    allow-transfer { 22.22.22.22 key "keyname"; };
};

On the slave:

key "keyname" {
    algorithm hmac-sha256;
    secret "...";
};

zone "zonename" {
    file ...;
    type slave;
    masters { 11.11.11.11 key "keyname"; };   <-- I get a syntax error on this, even though it works in regular BIND.
};

So, I changed the slave to:

server 11.11.11.11 {
    keys { "keyname"; };
};

zone "zonename" {
    file ...;
    type slave;
    masters { 11.11.11.11 };  <-- no more syntax error.
};

And, in pdns.conf, I set "allow-axfr-ips" back to the default:

allow-axfr-ips=127.0.0.0/8,::1

But when I restart the slave, I get the following error:

Unable to AXFR zone 'zonename' from remote 11.11.11.11' (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)

Any help would be greatly appreciated!

Michael
