On 12/27/2016 06:32 AM, PGNet Dev wrote:
> On 12/27/2016 01:36 AM, Berry A.W. van Halderen wrote:
>> So I think that TSIG authorization isn't supported (yet) for
>> OpenDNSSEC.  There is a bit of rationale why for inbound xfers
>> it is less used.  Most of the times OpenDNSSEC is used where
>> the incoming zones are from a secured path anyway.  Securing
>> by just restricting the address is enough.

For reference,

with TSIG-usage ENabled here for inbound xfer, with a purposefully INcorrect 
key Secret, the xfer fails


        Dec 27 07:36:18 dns sh[27465]: /usr/local/etc/opendnssec/addns.xml:8: element Secret: Relax-NG validity error : Element Secret failed to validate content

whereas using the CORRECT key Secret,

        Dec 27 07:40:34 dns ods-signerd: [xfrd] zone example.com transfer done [notify acquired 0, serial on disk 1482770644, notify serial 0]

It certainly appears that TSIG is required & being used for inbound transfer.



_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
