[Pdns-users] How to configure TSIG with BIND backend

frank+pdns at tembo.be
Wed Nov 17 08:55:31 UTC 2021


Hi Michael,

First up: TSIG, DNSSEC etc. are way easier with a "database" backend (even a lightweight one), so you might want to reconsider your backend choice.

The reason I am asking for the pdns.conf is twofold:

First up, there's this message:

> Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)

Which might be caused by a more fundamental issue in the config. 

Secondly, as mentioned in the docs, TSIG usually requires DNSSEC infrastructure in the backend. Your pdns.conf might indicate incorrect setups there.

I completely understand you're not willing to communicate your configuration, or that that information can only be shared after signing an NDA. I am perfectly fine to sign one and look at your very specific problem in the scope of a consulting engagement, and I am sure others on this list can provide you that same service. However, this pdns-users mailing list won't give you many answers if we don't have access to the full config.

Kind Regards,

Frank

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be <http://kiwazo.be/>






> On 16 Nov 2021, at 21:20, Fox, Michael E. <michael.fox at tamu.edu> wrote:
> 
> Frank,
>  
> Again, I’m not asking what is wrong with my config.
> I’m asking for the proper syntax to configure TSIG between two PowerDNS systems (master/primary and slave/secondary), both with a BIND backend. 
>  
> The existing documentation page seems to apply only (or mostly) to DB backends:
> https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
> From what I can tell, the ‘pdnsutil’ commands are acting on the database.
> And the example BIND config on that page only shows the slave side of the config (and it says it’s a slave to itself [master=127.0.0.1]).
>  
> An example config snippet, using example IPs and domain name, is what I'm looking for.
> Specifically, what should go in named.conf and pdns.conf for the master and the slave?
>  
> Can someone help with that?
>  
> Thanks much.
>  
> Michael E Fox
> Sr. Assoc. Director, ITEC
> Texas A&M University
> 979-862-4036 (Office)
> michael.fox at tamu.edu
> https://itec.tamu.edu
>  
> Join us for Interoperability Institute ’22:  May 2-6, 2022
> https://itec.tamu.edu/interop22/
>  
> From: frank+pdns at tembo.be
> Sent: Monday, November 15, 2021 8:25 AM
> To: Fox, Michael E. <michael.fox at tamu.edu>
> Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
> Subject: Re: [Pdns-users] How to configure TSIG with BIND backend
>  
> Hi Michael,
>  
> Your pdns.conf files seem to be missing and could be very relevant.
>  
> Frank
>  
>  
>  
>  
> 
> 
> On 15 Nov 2021, at 14:39, Fox, Michael E. <michael.fox at tamu.edu> wrote:
>  
> You want me to post the TSIG keys?
>  
> Also, the DNS servers themselves are in a lab, behind a firewall.  But I don’t see the relevance of specific domain names to my question.
>  
> Let me just ask the question a different way:  What is the proper syntax for configuring TSIG when using the BIND backend?
>  
> Michael
>  
> From: frank+pdns at tembo.be
> Sent: Monday, November 15, 2021 5:27 AM
> To: Fox, Michael E. <michael.fox at tamu.edu>
> Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
> Subject: Re: [Pdns-users] How to configure TSIG with BIND backend
>  
> Hi Michael,
>  
> Can you provide full (unedited) config files please?
>  
> A lot of info is missing to be able to help you fix this problem. Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ for more information.
>  
> Frank
>  
>  
> 
> 
> 
> On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>  
> Howdy,
>  
> I’m new to PowerDNS.  I’m using the authoritative server with the BIND backend for some testing.  (Don’t need power or complexity of a DB backend).
>  
> Fake IPs:
>       11.11.11.11 master
>       22.22.22.22 slave
>  
> I’ve got a master and slave configured with three zones and doing zone transfers.  Initially, I didn’t have TSIGs and have the following configured in pdns.conf on the master:
>  
> allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22
>  
> Now I’d like to configure TSIG.  But the instructions here seem to be related to DB backends:
> https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
>  
> I’d like to stick to the BIND backend.  But I get errors when trying the same type of configuration options in named.conf that work in regular BIND.
>  
> Here’s what I did:
>  
> On the master:
>  
> key "keyname" {
>     algorithm hmac-sha256;
>     secret "…";
> };
> 
> zone "zonename" {
>     file …;
>     type master;
>     allow-transfer { 22.22.22.22 key "keyname"; };
> };
>  
> On the slave:
>  
> key "keyname" {
>     algorithm hmac-sha256;
>     secret "…";
> };
> 
> zone "zonename" {
>     file …;
>     type slave;
>     masters { 11.11.11.11 key "keyname"; };   <-- I get a syntax error on this, even though it works in regular BIND.
> };
>  
> So, I changed the slave to:
>  
> server 11.11.11.11 {
>     keys { "keyname"; };
> };
> 
> zone "zonename" {
>     file …;
>     type slave;
>     masters { 11.11.11.11; };  <-- no more syntax error.
> };
>  
> And, in pdns.conf, I set “allow-axfr-ips” back to the default:
>  
> allow-axfr-ips=127.0.0.0/8,::1
>  
> But when I restart the slave, I get the following error: 
>  
> Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)
>  
> Any help would be greatly appreciated!
>  
> Michael
>  
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>  
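An added example, not code from this thread or from PowerDNS or BIND: a minimal RFC 8945 TSIG signer and verifier in Python, written to show what the named.conf and pdns.conf settings Michael quotes above are meant to achieve, and how a primary decides that a signed AXFR request is not acceptable. The secondary side builds an AXFR request for a zone and signs it with HMAC-SHA256 (the algorithm in Michael's named.conf) under a key named `keyname.`; the primary side rebuilds the message as the signer saw it, recomputes the MAC and returns one of the TSIG error codes BADKEY (unknown key name or algorithm), BADSIG (MAC mismatch, which also covers a message altered in transit) or BADTIME (clock skew beyond the fudge window). On the wire every one of these is reported with RCODE 9, whose two names, "Server Not Authoritative for zone" and "Not Authorized", are exactly the text in the error Michael quotes, so from the secondary's log alone a key mismatch and a primary that is simply not serving the zone look the same; the primary's own log is where the two are told apart. The zone name `zonename.example.`, the secret and the key tables are constructed for the demo; the timestamp reuses the epoch value from the quoted error message.

```python
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY, QTYPE_AXFR, CLASS_IN = 250, 255, 252, 1
NOERROR, BADSIG, BADKEY, BADTIME = 0, 16, 17, 18        # TSIG error codes (RFC 8945)
ALGORITHMS = {"hmac-sha256.": hashlib.sha256}           # the algorithm in Michael's named.conf

def wire_name(name):
    """Uncompressed, lowercased wire-format name (the canonical form TSIG hashes)."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def read_name(buf, off):
    """Decode the name at `off`, following compression pointers; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer: remember where we were
            end = end if end is not None else off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(buf[off:off + length].decode("ascii").lower())
        off += length

def pack48(value):
    return struct.pack("!HI", value >> 32, value & 0xFFFFFFFF)   # 48-bit 'time signed'

def build_axfr_query(zone, msg_id):
    """Unsigned AXFR request: header (QDCOUNT=1, ARCOUNT=0) followed by one question."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 8945 4.3.3), in canonical wire form."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
            + pack48(time_signed) + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(message, key_name, secret, time_signed, alg="hmac-sha256.", fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    data = message + tsig_variables(key_name, alg, time_signed, fudge)
    mac = hmac.new(secret, data, ALGORITHMS[alg]).digest()
    msg_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(alg) + pack48(time_signed) + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, NOERROR, 0))         # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1        # the TSIG RR counts in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def verify(signed, keys, now):
    """Check a signed message the way a primary does; returns (tsig_error, key_name)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = read_name(signed, off)
        off += 4
    for _ in range(an + ns + ar - 1):                   # skip every RR before the final TSIG RR
        _, off = read_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    rtype, rclass = struct.unpack("!HH", signed[off:off + 4])
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        raise ValueError("last record is not a TSIG RR")   # RFC 8945 5.2 answers FORMERR
    alg_name, off = read_name(signed, off + 10)        # skip type, class, TTL, RDLENGTH
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[off:off + 10])
    time_signed, off = (hi << 32) | lo, off + 10
    mac, off = signed[off:off + mac_size], off + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if key_name not in keys or alg_name not in ALGORITHMS:
        return BADKEY, key_name
    # Rebuild the message as the signer saw it: original ID, and ARCOUNT without the TSIG RR.
    original = struct.pack("!HHHHHH", orig_id, flags, qd, an, ns, ar - 1) + signed[12:tsig_start]
    data = original + tsig_variables(key_name, alg_name, time_signed, fudge, error, other)
    if not hmac.compare_digest(hmac.new(keys[key_name], data, ALGORITHMS[alg_name]).digest(), mac):
        return BADSIG, key_name
    if abs(now - time_signed) > fudge:
        return BADTIME, key_name
    return NOERROR, key_name

def demo():
    """Constructed scenario from the thread: the secondary signs an AXFR request, the primary checks it."""
    secret = b"constructed-demo-secret"                # placeholder, not real key material
    now = 1636827466                                    # epoch seconds; the timestamp from the quoted error
    signed = sign(build_axfr_query("zonename.example.", 0x1234), "keyname.", secret, now)
    tampered = signed[:13] + bytes([signed[13] ^ 0x01]) + signed[14:]   # flip one bit in the zone name
    return {
        "good": verify(signed, {"keyname.": secret}, now)[0],
        "wrong_secret": verify(signed, {"keyname.": b"other-secret"}, now)[0],
        "unknown_key": verify(signed, {"otherkey.": secret}, now)[0],
        "tampered": verify(tampered, {"keyname.": secret}, now)[0],
        "skewed_clock": verify(signed, {"keyname.": secret}, now + 3600)[0],
    }

if __name__ == "__main__":
    print(demo())   # every failure case maps to RCODE 9 on the wire, only the TSIG error differs
```

Run the file (or call `demo()`) to get the TSIG error code per case. `verify()` checks the key name before the MAC and the MAC before the time window, the order RFC 8945 section 5.2 lays out, so a BADTIME result already implies that the key and the signature were right and only the clocks disagree; in practice that points at NTP on one of the two servers rather than at the key configuration.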