Hi, so the intention is to allow AXFRs from a set of static IPs and additionally from any IP with a valid TSIG signature.
This seemed to work quite fine with 3.x when setting TSIG-ALLOW-AXFR on the master for the domains affected (and no TSIG setting on the slave as the slave would have a static IP anyway).

Now with 4.x the behaviour seems to have changed and any notifications from the master are now also signed with that TSIG key (as specified in TSIG-ALLOW-AXFR - there is no entry in AXFR-MASTER-TSIG). Problem is that the slave now ignores those notifications as the slave doesn't necessarily have the TSIG key.

The description in the documentation seems to be a bit vague, but kind of suggests that AXFR-MASTER-TSIG should be used for notification instead of TSIG-ALLOW-AXFR... At least it mentions TSIG-ALLOW-AXFR under "Provisioning signed notification and AXFR requests".

Any comments? At least the behaviour seems to be undesirable for my use-case.

Christof

--
http://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org
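An audit for the mismatch described in the message above, added here as an example and not part of the original post or of PowerDNS: it lists zones whose primary has a TSIG-ALLOW-AXFR key that the secondary does not name in AXFR-MASTER-TSIG. It assumes the generic SQL backend's `domains` and `domainmetadata` tables, takes the 4.x NOTIFY signing behaviour as reported in the post, and uses constructed zone and key names.

```python
import sqlite3

# Minimal subset of the PowerDNS generic SQL schema (assumed backend).
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE domainmetadata (domain_id INTEGER, kind TEXT, content TEXT);
"""

def make_db(zones):
    """Build an in-memory backend from {zone: (type, [(kind, content), ...])}."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for name, (ztype, meta) in zones.items():
        cur = db.execute("INSERT INTO domains (name, type) VALUES (?, ?)",
                         (name, ztype))
        db.executemany("INSERT INTO domainmetadata VALUES (?, ?, ?)",
                       [(cur.lastrowid, k, v) for k, v in meta])
    return db

def keys_by_zone(db, kind):
    """Map zone name -> set of TSIG key names stored under one metadata kind."""
    rows = db.execute(
        "SELECT d.name, m.content FROM domains d "
        "JOIN domainmetadata m ON m.domain_id = d.id WHERE m.kind = ?", (kind,))
    out = {}
    for name, key in rows:
        # DNS names compare case-insensitively; ignore a trailing dot.
        out.setdefault(name.lower().rstrip("."), set()).add(key.lower().rstrip("."))
    return out

def unverifiable_notifies(primary_db, secondary_db):
    """Zones where the primary holds TSIG-ALLOW-AXFR keys, none of which the
    secondary lists in AXFR-MASTER-TSIG for the same zone."""
    signed = keys_by_zone(primary_db, "TSIG-ALLOW-AXFR")
    known = keys_by_zone(secondary_db, "AXFR-MASTER-TSIG")
    return {z: sorted(k) for z, k in signed.items()
            if not (k & known.get(z, set()))}

# Constructed sample data: example.org reproduces the setup from the post
# (key on the primary only), example.net has the key on both sides.
PRIMARY = make_db({
    "example.org": ("MASTER", [("TSIG-ALLOW-AXFR", "xfr-key")]),
    "example.net": ("MASTER", [("TSIG-ALLOW-AXFR", "xfr-key")]),
    "example.com": ("MASTER", []),
})
SECONDARY = make_db({
    "example.org": ("SLAVE", []),
    "example.net": ("SLAVE", [("AXFR-MASTER-TSIG", "Xfr-Key.")]),
})
```

Pointing `keys_by_zone` at the real backend databases instead of the in-memory samples gives the list of zones to review before upgrading a primary.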
