Dear PGDev (???), et al,

Let me respond first on a few items that were already partially mentioned and then reply to the real issue. Also, I do need to mention I'm not absolutely certain on all items.

Network monitoring on the loopback device doesn't work that nicely for Linux. The kernel cuts short large parts of the network stack, so you might not see traffic from/to it. There have been problems on *BSD machines, where it would not send packets over the right interface. Linux normally selects the right interface, whereas on *BSD you would need to bind to a specific interface.

When using an adapter with a DNS/Inbound/RequestTransfer/Remote specification, thus indicating you are allowing transfers incoming from a certain source, you also need to specify an AllowNotify to indicate that you also allow a DNS NOTIFY to be accepted. This, unlike BIND, is not automatically enabled and is more in line with the NSD/Unbound specification.

These are all not your real problem. Looking at the way OpenDNSSEC works, the TSIG can be specified in the configuration because a Remote section is the same for inbound as well as outbound transfers, but actually for inbound transfers it is not used. So I think that TSIG authorization isn't supported (yet) for OpenDNSSEC.

There is a bit of rationale why for inbound xfers it is less used. Most of the time OpenDNSSEC is used where the incoming zones come from a secured path anyway. Securing by just restricting the address is enough. Because in the setup you're looking for you are using 127.0.0.1, this might be the case as well, and just removing the requirement from the BIND definition to require TSIGs from 127.0.0.1 will make this work.

Yes, the documentation does not explicitly state this, and it is certainly a feature worth implementing.

Berry

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

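The inbound adapter configuration described in the message above, written out as an added example that is not part of the original mail or of the OpenDNSSEC project's own documentation. It follows the layout of an OpenDNSSEC 1.4 addns.xml as the editor recalls it: the Inbound section carries both the RequestTransfer/Remote entry (where to pull the zone from) and the AllowNotify entry (who may send a NOTIFY), since the latter is not implied by the former. The key name `sec1_key`, the secret, the address 127.0.0.1 and the ports are placeholder assumptions; the secret is a constructed dummy value. The `<Key>` inside the inbound `<Remote>` is kept to show that the schema accepts it, but per the message the TSIG is not actually applied on inbound transfers, so the BIND master must not require it for 127.0.0.1.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example addns.xml (not the project's own file); names and
     addresses are assumptions chosen for illustration. -->
<Adapter>
  <DNS>
    <!-- Shared TSIG definition; usable on the outbound side. The secret
         below is a constructed dummy value, not a real key. -->
    <TSIG>
      <Name>sec1_key</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>ZXhhbXBsZS1kdW1teS1zZWNyZXQ=</Secret>
    </TSIG>

    <Inbound>
      <!-- Where the unsigned zone is pulled from (the BIND master on
           loopback). The Key element is accepted by the configuration but,
           as the mail states, not used for inbound transfers, so the master
           must allow an unkeyed AXFR/IXFR from 127.0.0.1. -->
      <RequestTransfer>
        <Remote>
          <Address>127.0.0.1</Address>
          <Port>53</Port>
          <Key>sec1_key</Key>
        </Remote>
      </RequestTransfer>

      <!-- Required separately: without this, a NOTIFY from the master is
           refused and the zone is only refreshed on the SOA timers. -->
      <AllowNotify>
        <Peer>
          <Prefix>127.0.0.1</Prefix>
        </Peer>
      </AllowNotify>
    </Inbound>

    <Outbound>
      <!-- Who may fetch the signed zone from OpenDNSSEC; TSIG is
           enforced here. -->
      <ProvideTransfer>
        <Peer>
          <Prefix>127.0.0.1</Prefix>
          <Key>sec1_key</Key>
        </Peer>
      </ProvideTransfer>
      <!-- Where OpenDNSSEC sends NOTIFY after signing (assumed: a
           secondary on loopback port 5353). -->
      <Notify>
        <Remote>
          <Address>127.0.0.1</Address>
          <Port>5353</Port>
        </Remote>
      </Notify>
    </Outbound>
  </DNS>
</Adapter>
```

On the BIND side this means the master zone's transfer ACL is address-based rather than key-based for loopback, for instance `allow-transfer { 127.0.0.1; };` instead of `allow-transfer { key sec1_key; };`, with `also-notify` pointing at the port OpenDNSSEC's inbound listener uses. A quick check that the master really accepts an unkeyed transfer is an AXFR from the loopback address with `dig` and no `-y` option; if it still returns REFUSED, the zone statement still requires the key.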