[Pdns-users] How to configure TSIG with BIND backend

Fox, Michael E. michael.fox at tamu.edu
Wed Nov 17 13:06:49 UTC 2021


Thanks Frank,

You’re trying to troubleshoot my config.  That is *NOT* what I’m asking.  BTW, there’s nothing secret in my config.  But:

  1.  It is in a lab and not accessible from outside (mostly because I don’t know how to secure it yet, but also because it has no useful purpose outside the lab so we keep the threat surface as small as possible)
  2.  It is irrelevant to the question.

Again, my question is simple:  what is the proper syntax for enabling TSIG using BIND backend on master and slave?

Once I know what I’m *supposed* to do, then if I try it and it fails, that’s the time to figure out what’s wrong.  Right now, I don’t even know the proper way to set it up.


Michael E Fox
Sr. Assoc. Director, ITEC
Texas A&M University
979-862-4036 (Office)
michael.fox at tamu.edu
https://itec.tamu.edu

Join us for Interoperability Institute ’22:  May 2-6, 2022
https://itec.tamu.edu/interop22/

From: frank+pdns at tembo.be <frank+pdns at tembo.be>
Sent: Wednesday, November 17, 2021 2:56 AM
To: Fox, Michael E. <michael.fox at tamu.edu>
Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

First up: TSIG, DNSSEC etc. are way easier with a "database" backend (even a lightweight one), so you might want to reconsider your backend choice.

The reason I am asking for the pdns.conf is twofold:

First up, there's this message:

> Unable to AXFR zone 'zonename' from remote 11.11.11.11 (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)

Which might be caused by a more fundamental issue in the config.

Secondly, as mentioned in the docs, TSIG usually requires dnssec infrastructure in the backend. Your pdns.conf might indicate incorrect setups there.

I completely understand you're not willing to communicate your configuration, or that that information can only be shared after signing an NDA. I am perfectly fine to sign one and look at your very specific problem in the scope of a consulting engagement, and I am sure others on this list can provide you that same service. However, this pdns-users mailing list won't give you many answers if we don't have access to the full config.

Kind Regards,

Frank

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be






On 16 Nov 2021, at 21:20, Fox, Michael E. <michael.fox at tamu.edu> wrote:

Frank,

Again, I’m not asking what is wrong with my config.
I’m asking for the proper syntax to configure TSIG between two PowerDNS systems (master/primary and slave/secondary), both with a BIND backend.

The existing documentation page seems to apply only (or mostly) to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
From what I can tell, the ‘pdnsutil’ commands are acting on the database.
And the example BIND config on that page only shows the slave side of the config (and it says it’s a slave to itself [master=127.0.0.1]).

An example config snippet, using example IPs and domain name, is what I'm looking for.
Specifically, what should go in named.conf and pdns.conf for the master and the slave?

Can someone help with that?

Thanks much.

Michael E Fox
Sr. Assoc. Director, ITEC
Texas A&M University
979-862-4036 (Office)
michael.fox at tamu.edu
https://itec.tamu.edu

Join us for Interoperability Institute ’22:  May 2-6, 2022
https://itec.tamu.edu/interop22/

From: frank+pdns at tembo.be <frank+pdns at tembo.be>
Sent: Monday, November 15, 2021 8:25 AM
To: Fox, Michael E. <michael.fox at tamu.edu>
Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

Your pdns.conf files seem to be missing and could be very relevant.

Frank







On 15 Nov 2021, at 14:39, Fox, Michael E. <michael.fox at tamu.edu> wrote:

You want me to post the TSIG keys?

Also, the DNS servers themselves are in a lab, behind a firewall.  But I don’t see the relevance of specific domain names to my question.

Let me just ask the question a different way:  What is the proper syntax for configuring TSIG when using the BIND backend?

Michael

From: frank+pdns at tembo.be <frank+pdns at tembo.be>
Sent: Monday, November 15, 2021 5:27 AM
To: Fox, Michael E. <michael.fox at tamu.edu>
Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

Can you provide full (unedited) config files please?

A lot of info is missing to be able to help you fix this problem. Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ for more information.

Frank






On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users <pdns-users at mailman.powerdns.com> wrote:

Howdy,

I’m new to PowerDNS.  I’m using the authoritative server with the BIND backend for some testing.  (Don’t need power or complexity of a DB backend).

Fake IPs:
      11.11.11.11 master
      22.22.22.22 slave

I’ve got a master and slave configured with three zones and doing zone transfers.  Initially, I didn’t have TSIGs and have the following configured in pdns.conf on the master:

allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22

Now I’d like to configure TSIG.  But the instructions here seem to be related to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr

I’d like to stick to the BIND backend.  But I get errors when trying the same type of configuration options in named.conf that work in regular BIND.

Here’s what I did:

On the master:

key "keyname" {
    algorithm hmac-sha256;
    secret "…";
};

zone "zonename" {
    file …;
    type master;
    allow-transfer { 22.22.22.22 key "keyname"; };
};

On the slave:

key "keyname" {
    algorithm hmac-sha256;
    secret "…";
};

zone "zonename" {
    file …;
    type slave;
    masters { 11.11.11.11 key "keyname"; };   <-- I get a syntax error on this, even though it works in regular BIND.
};

So, I changed the slave to:

server 11.11.11.11 {
    keys { "keyname"; };
};

zone "zonename" {
    file …;
    type slave;
    masters { 11.11.11.11; };  <-- no more syntax error.
};

And, in pdns.conf, I set “allow-axfr-ips” back to the default:

allow-axfr-ips=127.0.0.0/8,::1

But when I restart the slave, I get the following error:

Unable to AXFR zone 'zonename' from remote 11.11.11.11 (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)

Any help would be greatly appreciated!

Michael

_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
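The "Server Not Authoritative for zone / Not Authorized" text in the log line above is rcode NOTAUTH (9), which is how a TSIG-aware primary rejects a transfer request whose signature it cannot accept (RFC 8945: unknown key name, wrong MAC, or a timestamp outside the fudge window). The following is an added example, not code from the thread or from PowerDNS: a pure standard-library Python signer and verifier for an AXFR request using hmac-sha256, so a practitioner can see exactly what the primary recomputes and which of the three TSIG errors each misconfiguration produces. The zone "zonename" and key "keyname" are the thread's placeholders; the secret, timestamp and the "UNSIGNED" label for a request with no TSIG RR are constructed for the demo.

```python
"""RFC 8945 TSIG (hmac-sha256) sign/verify of an AXFR request.
Added example, not PowerDNS code; pure standard library, no network."""
import hashlib
import hmac
import struct

TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255
RCODE_NOERROR, RCODE_REFUSED, RCODE_NOTAUTH = 0, 5, 9
TSIG_ERRORS = {0: "NOERROR", 16: "BADSIG", 17: "BADKEY", 18: "BADTIME"}
ALG_HMAC_SHA256 = "hmac-sha256."


def encode_name(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [x for x in name.lower().rstrip(".").split(".") if x]
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def read_name(msg, off):
    """Parse a wire name at off (follows compression pointers); -> (name, end)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", (end if jumped else off)


def build_axfr_query(zone, msg_id=0x1234):
    """Unsigned AXFR query: 12-byte header (QDCOUNT=1) plus one question."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN))


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG variables appended to the message before HMACing (RFC 8945 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALG_HMAC_SHA256)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(msg, key_name, secret, time_signed, fudge=300):
    """Secondary side: append a TSIG RR to msg and increment ARCOUNT."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALG_HMAC_SHA256)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))
    rr = (encode_name(key_name)
          + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata)
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def _last_rr_offset(msg):
    """Walk all sections; return the offset of the last RR (None if there are none)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, last = 12, None
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        last = off
        off = read_name(msg, off)[1]
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    return last


def verify(signed, keys, now):
    """Primary side. keys: {key name: secret bytes}. Returns (rcode, tsig error name).
    Every TSIG failure is answered with NOTAUTH (9), checked in RFC order:
    BADKEY, then BADSIG, then BADTIME. A request with no TSIG RR is left to the
    IP-based ACL, which this demo simply refuses."""
    table = {k.lower().rstrip(".") + ".": v for k, v in keys.items()}
    start = _last_rr_offset(signed)
    if start is None:
        return RCODE_REFUSED, "UNSIGNED"
    key_name, off = read_name(signed, start)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    rdlen = struct.unpack("!H", signed[off + 8:off + 10])[0]
    if rtype != TYPE_TSIG:
        return RCODE_REFUSED, "UNSIGNED"
    rdata = signed[off + 10:off + 10 + rdlen]
    alg, p = read_name(rdata, 0)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", rdata[p:p + 10])
    time_signed, mac = (hi << 32) | lo, rdata[p + 10:p + 10 + maclen]
    secret = table.get(key_name)
    if secret is None or alg != ALG_HMAC_SHA256:
        return RCODE_NOTAUTH, TSIG_ERRORS[17]              # BADKEY
    arcount = struct.unpack("!H", signed[10:12])[0] - 1   # message as it was before signing
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return RCODE_NOTAUTH, TSIG_ERRORS[16]              # BADSIG
    if abs(now - time_signed) > fudge:
        return RCODE_NOTAUTH, TSIG_ERRORS[18]              # BADTIME
    return RCODE_NOERROR, TSIG_ERRORS[0]


def demo():
    """Constructed exchange with the thread's placeholders: one good request,
    then the three ways the primary can reject it."""
    secret, now = b"constructed-shared-secret", 1_700_000_000   # both assumed
    req = sign(build_axfr_query("zonename"), "keyname", secret, now)
    return {
        "good": verify(req, {"keyname": secret}, now),
        "wrong_secret": verify(req, {"keyname": b"other-secret"}, now),
        "unknown_key": verify(req, {"otherkey": secret}, now),
        "clock_skew": verify(req, {"keyname": secret}, now + 3600),
    }


if __name__ == "__main__":
    for case, (rcode, err) in demo().items():
        print(f"{case:13s} rcode={rcode} tsig={err}")
```

Two practical points follow from the code. First, the MAC covers the whole request plus the key name, algorithm, timestamp and fudge, so a secret or key-name mismatch between the two named.conf files (or clocks more than 300 seconds apart) each produce the same NOTAUTH answer that PowerDNS logs as "Not Authorized"; only the TSIG error field tells them apart, which is why a packet capture of the response is the quickest way to localise the problem. Second, to send the same signed request at a real primary, `dig @11.11.11.11 -y hmac-sha256:keyname:<base64 secret> zonename AXFR` is the equivalent of `sign()` here, and its answer's rcode and TSIG error are what `verify()` returns.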



