On Mon, Aug 29, 2016 at 04:36:17PM +0200, Christof Meerwald wrote:
> On Mon, 29 Aug 2016 17:22:38 +0300, Aki Tuomi wrote:
> > On Mon, Aug 29, 2016 at 01:18:05PM +0200, Christof Meerwald wrote:
> >> so the intention is to allow AXFRs from a set of static IPs and
> >> additionally from any IP with a valid TSIG signature.
> [...]
> > What is the point of using TSIG for AXFR if your slave hasn't got the key
> > in the first place?
>
> I tried to explain that in the first sentence, i.e. not using TSIG for
> AXFRs from slaves, but allowing additional clients (without static IP
> addresses) to do an AXFR via a TSIG key.
>
> Also, not all third-party secondary DNS servers might allow
> configuration of TSIG keys for AXFRs, but configuring a TSIG key in
> TSIG-ALLOW-AXFR on the master will result in those secondary DNS
> servers ignoring any notifications sent by the master (as they don't
> have the TSIG key they are required to ignore the notification
> according to the spec).
>
>
> Christof

I see. It seems there should be some way to disable notification signatures.
Perhaps you could open an issue at https://github.com/PowerDNS/pdns/issues?

Aki
