On Mon, 29 Aug 2016 17:22:38 +0300, Aki Tuomi wrote:
> On Mon, Aug 29, 2016 at 01:18:05PM +0200, Christof Meerwald wrote:
>> so the intention is to allow AXFRs from a set of static IPs and
>> additionally from any IP with a valid TSIG signature.
[...]
> What is the point of using TSIG for AXFR if your slave hasn't got the key
> in the first place?

I tried to explain that in the first sentence, i.e. not using TSIG for AXFRs from slaves, but allowing additional clients (without static IP addresses) to do an AXFR via a TSIG key.

Also, not all third-party secondary DNS servers might allow configuration of TSIG keys for AXFRs, but configuring a TSIG key in TSIG-ALLOW-AXFR on the master will result in those secondary DNS servers ignoring any notifications sent by the master (as they don't have the TSIG key, they are required to ignore the notification according to the spec).

Christof

--
http://cmeerw.org  sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org  xmpp:cmeerw at cmeerw.org
