On 15/01/2024 16:53, Einar Bjarni Halldórsson wrote:
Hi Einar,
But do I need the TSIG key configured both in remote section, and in acl section? I guess my point is, what is the purpose of the key attribute in remote section?
If you configure a TSIG key in the remote section, then the NOTIFY will be signed with the key. This does no harm, but signed NOTIFY messages are unnecessary. But be careful. If the remote is Knot DNS or NSD, and has been configured with a notify acl containing a key, then, if I recall correctly, it will ignore an unsigned NOTIFY. If it's BIND, then I think it doesn't care. So if you're going to remove the key from your "remote" definition, ensure that the remote will accept your unsigned NOTIFY.
Regards, Anand --
