[Pdns-users] How to configure TSIG with BIND backend

Fox, Michael E. michael.fox at tamu.edu
Mon Nov 15 13:39:33 UTC 2021 

You want me to post the TSIG keys?

Also, the DNS servers themselves are in a lab, behind a firewall.  But I don’t see the relevance of specific domain names to my question.

Let me just ask the question a different way:  What is the proper syntax for configuring TSIG when using the BIND backend?

Michael

From: frank+pdns at tembo.be <frank+pdns at tembo.be>
Sent: Monday, November 15, 2021 5:27 AM
To: Fox, Michael E. <michael.fox at tamu.edu>
Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael, Can you provide full (unedited) config files please? A lot of info is missing to be able to help you fix this problem. Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ for more information. ‍ ‍ ‍ ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender

This message came from outside your organization.



ZjQcmQRYFpfptBannerEnd
Hi Michael,

Can you provide full (unedited) config files please?

A lot of info is missing to be able to help you fix this problem. Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/<https://urldefense.com/v3/__https:/blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/__;!!KwNVnqRv!XoMd8TaBnMokW9_jt6lK5qkk6JNfZz0qEo3ugMh0nBPhbPzQTP-lAGCxLuicwkNgVpw$> for more information.

Frank




On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users <pdns-users at mailman.powerdns.com<mailto:pdns-users at mailman.powerdns.com>> wrote:

Howdy,

I’m new to PowerDNS.  I’m using the authoritative server with the BIND backend for some testing.  (Don’t need power or complexity of a DB backend).

Fake IPs:
      11.11.11.11 master
      22.22.22.22 slave

I’ve got a master and slave configured with three zones and doing zone transfers.  Initially, I didn’t have TSIGs and have the following configured in pdns.conf on the master:

allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22

Now I’d like to configure TSIG.  But the instructions here seem to be related to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr<https://urldefense.com/v3/__https:/doc.powerdns.com/authoritative/tsig.html*tsig-provision-signed-notify-axfr__;Iw!!KwNVnqRv!XoMd8TaBnMokW9_jt6lK5qkk6JNfZz0qEo3ugMh0nBPhbPzQTP-lAGCxLuic75NZPWY$>

I’d like to stick to the BIND backend.  But I get errors when trying the same type of configuration options in named.conf that work in regular BIND.

Here’s what I did:

On the master:

key “keyname” {
    algorithm hmac-sha256;
    secret “…”;
};

zone “zonename” {
    file …;
    type master;
    allow-transfer { 22.22.22.22 key “keyname”; };
};

On the slave:

key “keyname” {
    algorithm hmac-sha256;
    secret “…”;
};

zone “zonename” {
    file …;
    type slave;
    masters { 11.11.11.11 key “keyname”; };   <-- I get a syntax error on this, even though it works in regular BIND.
};

So, I changed the slave to:

server 11.11.11.11 {
    keys { “keyname”; };
};

zone “zonename” {
    file …;
    type slave;
    masters { 11.11.11.11 };  <-- no more syntax error.
};

And, in pdns.conf, I set “allow-axfr-ips” back to the default:

allow-axfr-ips=127.0.0.0/8,::1

But when I restart the slave, I get the following error:

Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)

Any help would be greatly appreciated!

Michael

_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com<mailto:Pdns-users at mailman.powerdns.com>
https://mailman.powerdns.com/mailman/listinfo/pdns-users<https://urldefense.com/v3/__https:/mailman.powerdns.com/mailman/listinfo/pdns-users__;!!KwNVnqRv!XoMd8TaBnMokW9_jt6lK5qkk6JNfZz0qEo3ugMh0nBPhbPzQTP-lAGCxLuicNv4ZqME$>

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be<https://urldefense.com/v3/__http:/Kiwazo.be__;!!KwNVnqRv!XoMd8TaBnMokW9_jt6lK5qkk6JNfZz0qEo3ugMh0nBPhbPzQTP-lAGCxLuichoWnJXE$>



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20211115/6f760b2f/attachment-0001.htm>

More information about the Pdns-users mailing list