[Pdns-users] How to configure TSIG with BIND backend

Fox, Michael E. michael.fox at tamu.edu
Tue Nov 16 20:20:34 UTC 2021


Frank,

Again, I’m not asking what is wrong with my config.
I’m asking for the proper syntax to configure TSIG between two PowerDNS systems (master/primary and slave/secondary), both with a BIND backend.

The existing documentation page seems to apply only (or mostly) to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
From what I can tell, the ‘pdnsutil’ commands are acting on the database.
And the example BIND config on that page only shows the slave side of the config (and it says it’s a slave to itself [master=127.0.0.1]).

An example config snippet, using example IPs and domain name, is what I’m looking for.
Specifically, what should go in named.conf and pdns.conf for the master and the slave?

Can someone help with that?

Thanks much.

Michael E Fox
Sr. Assoc. Director, ITEC
Texas A&M University
979-862-4036 (Office)
michael.fox at tamu.edu
https://itec.tamu.edu

Join us for Interoperability Institute ’22:  May 2-6, 2022
https://itec.tamu.edu/interop22/

From: frank+pdns at tembo.be <frank+pdns at tembo.be>
Sent: Monday, November 15, 2021 8:25 AM
To: Fox, Michael E. <michael.fox at tamu.edu>
Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

Your pdns.conf files seem to be missing and could be very relevant.

Frank






On 15 Nov 2021, at 14:39, Fox, Michael E. <michael.fox at tamu.edu> wrote:

You want me to post the TSIG keys?

Also, the DNS servers themselves are in a lab, behind a firewall.  But I don’t see the relevance of specific domain names to my question.

Let me just ask the question a different way:  What is the proper syntax for configuring TSIG when using the BIND backend?

Michael

From: frank+pdns at tembo.be <frank+pdns at tembo.be>
Sent: Monday, November 15, 2021 5:27 AM
To: Fox, Michael E. <michael.fox at tamu.edu>
Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

Can you provide full (unedited) config files please?

A lot of info is missing to be able to help you fix this problem. Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ for more information.

Frank





On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users <pdns-users at mailman.powerdns.com> wrote:

Howdy,

I’m new to PowerDNS.  I’m using the authoritative server with the BIND backend for some testing.  (I don’t need the power or complexity of a DB backend.)

Fake IPs:
      11.11.11.11 master
      22.22.22.22 slave

I’ve got a master and slave configured with three zones and doing zone transfers.  Initially, I didn’t have TSIGs and have the following configured in pdns.conf on the master:

allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22

Now I’d like to configure TSIG.  But the instructions here seem to be related to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr

I’d like to stick to the BIND backend.  But I get errors when trying the same type of configuration options in named.conf that work in regular BIND.

Here’s what I did:

On the master:

key "keyname" {
    algorithm hmac-sha256;
    secret "…";
};

zone "zonename" {
    file …;
    type master;
    allow-transfer { 22.22.22.22 key "keyname"; };
};

On the slave:

key "keyname" {
    algorithm hmac-sha256;
    secret "…";
};

zone "zonename" {
    file …;
    type slave;
    masters { 11.11.11.11 key "keyname"; };   <-- I get a syntax error on this, even though it works in regular BIND.
};

So, I changed the slave to:

server 11.11.11.11 {
    keys { "keyname"; };
};

zone "zonename" {
    file …;
    type slave;
    masters { 11.11.11.11 };  <-- no more syntax error.
};

And, in pdns.conf, I set "allow-axfr-ips" back to the default:

allow-axfr-ips=127.0.0.0/8,::1

But when I restart the slave, I get the following error:

Unable to AXFR zone 'zonename' from remote '11.11.11.11' (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)

Any help would be greatly appreciated!

Michael

_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




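Added example for this thread, not code from the thread, from PowerDNS or from BIND: the TSIG signing and verification that the secondary and the primary perform on an AXFR request, per RFC 8945 with hmac-sha256, in Python using only the standard library. The key name axfr-key., the zone example.com., the secret, the message ID and the timestamp are constructed for the demo. The "Not Authorized" in the log line quoted above is the name of DNS RCODE 9 (NOTAUTH), which RFC 8945 assigns to a failed TSIG check; the TSIG RR the server returns carries the reason in its error field: BADKEY (17) when the key name or algorithm is unknown to the server, BADSIG (16) when the HMAC does not match (the two sides hold different secret bytes, or the message was altered in transit), BADTIME (18) when the clocks differ by more than the fudge. The demo sends one signed request through each of those failures, plus an unsigned request, and shows what the verifying side computes in each case.

```python
"""TSIG (RFC 8945, hmac-sha256) on an AXFR request: sign on the secondary, verify on the primary.
Added example; not PowerDNS or BIND code. Key name, zone, secret and timestamp are constructed."""
import hashlib
import hmac
import struct
import time

TYPE_AXFR, TYPE_TSIG = 252, 250
CLASS_IN, CLASS_ANY = 1, 255
RCODE_NOERROR, RCODE_REFUSED, RCODE_NOTAUTH = 0, 5, 9       # NOTAUTH is "Not Authorized"
TSIG_BADSIG, TSIG_BADKEY, TSIG_BADTIME = 16, 17, 18           # TSIG RDATA error field
ALGORITHM = "hmac-sha256."
KEY_NAME = "axfr-key."                                         # constructed key name
SECRET = b"constructed-example-secret-not-a-real-key"         # real keys are random bytes


def encode_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read an uncompressed name at off; returns (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compressed name not handled in this example")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def _skip_name(msg: bytes, off: int) -> int:
    """Skip a name that may end in a compression pointer (2 bytes)."""
    while True:
        n = msg[off]
        if n & 0xC0:
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n


def build_axfr_query(zone: str, msg_id: int) -> bytes:
    """Unsigned AXFR query: header with QDCOUNT=1 and one question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(keyname, algorithm, time_signed, fudge, error, other):
    """The TSIG variables digested after the message (RFC 8945 4.3.3)."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, secret, time_signed=None, fudge=300, request_mac=b""):
    """Append a TSIG RR to msg; returns (signed message, MAC).
    request_mac is the MAC of the request when signing a response to a signed request."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    data = (struct.pack("!H", len(request_mac)) + request_mac) if request_mac else b""
    data += msg + tsig_variables(keyname, ALGORITHM, time_signed, fudge, 0, b"")
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1       # the TSIG RR counts in ARCOUNT
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr, mac


def tsig_verify(signed, keys, now=None, request_mac=b""):
    """Verifier side; returns (rcode, tsig_error). Checks run in the RFC 8945 5.2
    order: key/algorithm (BADKEY), then MAC (BADSIG), then time window (BADTIME)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return RCODE_REFUSED, 0          # no TSIG at all; local policy: refuse the AXFR
    off = 12
    for _ in range(qd):
        off = _skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):    # every RR except the last, which must be the TSIG
        off = _skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    keyname, off = decode_name(signed, off)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    off += 10
    if rtype != TYPE_TSIG:
        return RCODE_REFUSED, 0
    algorithm, off = decode_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    off += 10
    mac, off = signed[off:off + mac_size], off + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keys.get(keyname.lower())
    if secret is None or algorithm.lower() != ALGORITHM:
        return RCODE_NOTAUTH, TSIG_BADKEY
    # Re-create the message exactly as it was digested: original ID, ARCOUNT without the TSIG RR
    body = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    data = (struct.pack("!H", len(request_mac)) + request_mac) if request_mac else b""
    data += body + tsig_variables(keyname, algorithm, time_signed, fudge, error, other)
    if not hmac.compare_digest(hmac.new(secret, data, hashlib.sha256).digest(), mac):
        return RCODE_NOTAUTH, TSIG_BADSIG
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        return RCODE_NOTAUTH, TSIG_BADTIME
    return RCODE_NOERROR, 0


def demo():
    """Secondary signs an AXFR for example.com.; primary verifies it under each misconfiguration."""
    t = 1636827466                                        # fixed timestamp for a reproducible run
    query = build_axfr_query("example.com.", 0x1234)
    signed, _ = tsig_sign(query, KEY_NAME, SECRET, time_signed=t)
    tampered = bytearray(signed)
    tampered[13] ^= 0x20                                  # flip one bit of the question name
    return {
        "unsigned":     tsig_verify(query, {KEY_NAME: SECRET}, now=t),
        "ok":           tsig_verify(signed, {KEY_NAME: SECRET}, now=t),
        "unknown_key":  tsig_verify(signed, {"other-key.": SECRET}, now=t),
        "wrong_secret": tsig_verify(signed, {KEY_NAME: b"different-secret"}, now=t),
        "tampered":     tsig_verify(bytes(tampered), {KEY_NAME: SECRET}, now=t),
        "clock_skew":   tsig_verify(signed, {KEY_NAME: SECRET}, now=t + 3600),
    }


if __name__ == "__main__":
    for case, (rcode, terr) in demo().items():
        print(f"{case:13s} rcode={rcode} tsig_error={terr}")
```

Whatever mechanism provisions the key on each side, the values the two servers compare are exactly the three shown here: the key name, the algorithm name and the secret bytes. A key name or algorithm the primary does not know yields BADKEY; a name it knows with a different secret yields BADSIG. The same signed request can be sent to a real primary with dig, which signs it the same way: dig -y hmac-sha256:keyname:base64secret @11.11.11.11 zonename AXFR; on rejection the answer carries RCODE 9 and the TSIG error above, which tells you which of the three values differs before touching either server's configuration.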
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20211116/b6c0d38a/attachment-0001.htm>
