Relevant doc: https://doc.powerdns.com/authoritative/tsig.html#provisioning-signed-notification-and-axfr-requests
After reading this, and trial and error, I'm not sure how I can control the TSIG key that the master uses to sign notifications. I have 1 master and 2 slaves and a tsig key named after each. I am trying to configure things such that the master allows AXFRs to each of the slave TSIGs but uses it's own named TSIG for signing notifications. On the slaves then, I'm trying to configure things such that notifications are allowed by the master TSIG and AXFR requests are signed by their own named TSIG key. It seems to me like the master is just using the first TSIG-ALLOW-AXFR key to sign notifications. Is there any value to this setup? I wanted to be able to rotate the slaves' keys separately. However, the only thing that I can get to work is my historical setup of a single shared TSIG key for all master/slave notifications and zone transfers.
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
