On 12/27/2016 04:42 PM, PGNet Dev wrote:
> On 12/27/2016 06:32 AM, PGNet Dev wrote:
>> On 12/27/2016 01:36 AM, Berry A.W. van Halderen wrote:
>>> So I think that TSIG authorization isn't supported (yet) for
>>> OpenDNSSEC. There is a bit of rationale why for inbound xfers
>>> it is less used. Most of the times OpenDNSSEC is used where
>>> the incoming zones are from a secured path anyway. Securing
>>> by just restricting the address is enough.
>
> For reference,
>
> with TSIG-usage ENabled here for inbound xfer, with a purposefully INcorrect
> key Secret, the xfer fails
>
> Dec 27 07:36:18 dns sh[27465]: /usr/local/etc/opendnssec/addns.xml:8:
> element Secret: Relax-NG validity error : Element Secret failed to validate
> content
>
> whereas using the CORRECT key Secret,
>
> Dec 27 07:40:34 dns ods-signerd: [xfrd] zone example.com transfer done
> [notify acquired 0, serial on disk 1482770644, notify serial 0]
>
> It certainly appears that TSIG is required & being used for inbound transfer.
>
Actually, the "Relax-NG" error means it could not parse the XML file
because apparently that field is required. Doesn't tell if it is
actually used. This is a historic decision to require all fields,
even if not used. But apparently this isn't your issue.

\Berry
