On Mon, Aug 29, 2016 at 01:18:05PM +0200, Christof Meerwald wrote:
> Hi,
>
> so the intention is to allow AXFRs from a set of static IPs and
> additionally from any IP with a valid TSIG signature.
>
> This seemed to work quite fine with 3.x when setting TSIG-ALLOW-AXFR
> on the master for the domains affected (and no TSIG setting on the
> slave as the slave would have a static IP anyway).
>
> Now with 4.x the behaviour seems to have changed and any notifications
> from the master are now also signed with that TSIG key (as specified
> in TSIG-ALLOW-AXFR - there is no entry in AXFR-MASTER-TSIG). Problem
> is that the slave now ignores those notifications as the slave doesn't
> necessarily have the TSIG key.
>
> The description in the documentation seems to be a bit vague, but kind
> of suggests that AXFR-MASTER-TSIG should be used for notification
> instead of TSIG-ALLOW-AXFR... At least it mentions TSIG-ALLOW-AXFR
> under "Provisioning signed notification and AXFR requests".
>
> Any comments? At least the behaviour seems to be undesirable for my
> use-case.
>
>
> Christof
>
What is the point of using TSIG for AXFR if your slave hasn't got the key in the first place?

Aki
