[Pdns-users] How to configure TSIG with BIND backend
frank+pdns at tembo.be
Mon Nov 15 11:26:37 UTC 2021
Hi Michael,
Can you provide full (unedited) config files please?
A lot of info is missing to be able to help you fix this problem. Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ for more information.
Frank
> On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>
> Howdy,
>
> I’m new to PowerDNS. I’m using the authoritative server with the BIND backend for some testing. (Don’t need power or complexity of a DB backend).
>
> Fake IPs:
> 11.11.11.11 master
> 22.22.22.22 slave
>
> I’ve got a master and slave configured with three zones and doing zone transfers. Initially, I didn’t have TSIGs and have the following configured in pdns.conf on the master:
>
> allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22
>
> Now I’d like to configure TSIG. But the instructions here seem to be related to DB backends:
> https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
>
> I’d like to stick to the BIND backend. But I get errors when trying the same type of configuration options in named.conf that work in regular BIND.
>
> Here’s what I did:
>
> On the master:
>
> key "keyname" {
>   algorithm hmac-sha256;
>   secret "…";
> };
>
> zone "zonename" {
>   file …;
>   type master;
>   allow-transfer { 22.22.22.22 key "keyname"; };
> };
>
> On the slave:
>
> key "keyname" {
>   algorithm hmac-sha256;
>   secret "…";
> };
>
> zone "zonename" {
>   file …;
>   type slave;
>   masters { 11.11.11.11 key "keyname"; }; <-- I get a syntax error on this, even though it works in regular BIND.
> };
>
> So, I changed the slave to:
>
> server 11.11.11.11 {
>   keys { "keyname"; };
> };
>
> zone "zonename" {
>   file …;
>   type slave;
>   masters { 11.11.11.11 }; <-- no more syntax error.
> };
>
> And, in pdns.conf, I set “allow-axfr-ips” back to the default:
>
> allow-axfr-ips=127.0.0.0/8,::1
>
> But when I restart the slave, I get the following error:
>
> Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)
>
> Any help would be greatly appreciated!
>
> Michael
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be