[Pdns-users] How to configure TSIG with BIND backend

Fox, Michael E. michael.fox at tamu.edu
Mon Nov 15 13:39:33 UTC 2021

You want me to post the TSIG keys?

Also, the DNS servers themselves are in a lab, behind a firewall.  But I don’t see the relevance of specific domain names to my question.

Let me just ask the question a different way:  What is the proper syntax for configuring TSIG when using the BIND backend?


From: frank+pdns at tembo.be <frank+pdns at tembo.be>
Sent: Monday, November 15, 2021 5:27 AM
To: Fox, Michael E. <michael.fox at tamu.edu>
Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend


Hi Michael,

Can you provide full (unedited) config files please?

A lot of info is missing to be able to help you fix this problem. Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ for more information.


On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users <pdns-users at mailman.powerdns.com> wrote:


I’m new to PowerDNS.  I’m using the authoritative server with the BIND backend for some testing.  (Don’t need power or complexity of a DB backend).

Fake IPs: master slave

I’ve got a master and slave configured with three zones and doing zone transfers.  Initially, I didn’t have TSIGs and have the following configured in pdns.conf on the master:


Now I’d like to configure TSIG.  But the instructions here seem to be related to DB backends:

I’d like to stick to the BIND backend.  But I get errors when trying the same type of configuration options in named.conf that work in regular BIND.

Here’s what I did:

On the master:

key "keyname" {
    algorithm hmac-sha256;
    secret "…";
};

zone "zonename" {
    file …;
    type master;
    allow-transfer { key "keyname"; };
};

On the slave:

key "keyname" {
    algorithm hmac-sha256;
    secret "…";
};

zone "zonename" {
    file …;
    type slave;
    masters { key "keyname"; };   // <-- I get a syntax error on this, even though it works in regular BIND.
};

So, I changed the slave to:

server {
    keys { "keyname"; };
};

zone "zonename" {
    file …;
    type slave;
    masters { };   // <-- no more syntax error.
};

And, in pdns.conf, I set “allow-axfr-ips” back to the default:


But when I restart the slave, I get the following error:

Unable to AXFR zone 'zonename' from remote' (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)

Any help would be greatly appreciated!


Pdns-users mailing list
Pdns-users at mailman.powerdns.com

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be
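What the master actually checks when the slave's signed AXFR request arrives, and why the key name and algorithm have to match on both ends and not just the secret, is easiest to see by doing the TSIG computation by hand. The following Python is an added example, not code from this thread, PowerDNS or BIND: with a constructed key name and secret it builds a minimal AXFR query, signs it per RFC 8945 with hmac-sha256, and verifies it the way a master would, separating an unknown key (BADKEY) from a wrong secret (BADSIG), both of which a server reports under the NOTAUTH rcode that the "Not Authorized" message above corresponds to.

```python
import hashlib, hmac, struct
# Constructed demo key; the thread's real secret is elided.
KEY_NAME, KEY_SECRET, ALG = "keyname", b"constructed-demo-secret", "hmac-sha256"

def wire_name(name):
    """Uncompressed DNS wire format of a name (RFC 1035 labels)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(buf, off):
    """Inverse of wire_name; returns (name, offset just past it)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode())
        off += 1 + buf[off]
    return ".".join(labels), off + 1

def axfr_request(zone, msg_id=0x1234):
    """Minimal AXFR query: header plus one question (QTYPE 252 = AXFR, class IN)."""
    return struct.pack("!6H", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(secret, msg, key_name, alg, time_signed, fudge):
    """RFC 8945 4.3.3: HMAC over the unsigned message followed by the TSIG variables."""
    tsig_vars = (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(alg)  # class ANY, TTL 0
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))  # error, other-len
    return hmac.new(secret, msg + tsig_vars, hashlib.sha256).digest()

def sign(msg, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR and bump ARCOUNT, as the slave does on its AXFR request."""
    mac = tsig_mac(secret, msg, key_name, ALG, time_signed, fudge)
    rdata = (wire_name(ALG) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error 0, other-len 0
    rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify(signed, keys):
    """Check a signed request against {key name: secret}, as the master does. Returns 'NOERROR',
    'BADKEY' (unknown key name or algorithm) or 'BADSIG' (wrong secret). Assumes no other additional RRs."""
    off = 12
    for _ in range(struct.unpack("!H", signed[4:6])[0]):  # skip the question section
        off = read_name(signed, off)[1] + 4
    tsig_start = off
    key_name, off = read_name(signed, off)
    # RR type sits at off; the algorithm name starts after type, class, TTL and rdlength (10 bytes)
    rtype, (alg, off) = struct.unpack("!H", signed[off:off + 2])[0], read_name(signed, off + 10)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed[off:off + 10])
    if rtype != 250 or key_name not in keys or alg != ALG:
        return "BADKEY"
    # Rebuild the message as it was before signing: TSIG RR removed, ARCOUNT decremented
    unsigned = signed[:10] + struct.pack("!H", struct.unpack("!H", signed[10:12])[0] - 1) + signed[12:tsig_start]
    expected = tsig_mac(keys[key_name], unsigned, key_name, alg, (hi << 32) | lo, fudge)
    return "NOERROR" if hmac.compare_digest(signed[off + 10:off + 10 + maclen], expected) else "BADSIG"
```

A real master additionally checks that the time signed is within the fudge window, which this example leaves out.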
