There is an issue on GitHub about this. You are correct, pdns just uses the 
first TSIG key returned by the backend. The workaround was a config option to 
disable signed notifications.

Klaus


Sent via BlackBerry Work (www.blackberry.com)
________________________________
From: Matthew Monaco via Pdns-users <pdns-users@mailman.powerdns.com>
Sent: 01.04.2020 23:53
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Clarification on which TSIG key signs notifications

Relevant doc:
https://doc.powerdns.com/authoritative/tsig.html#provisioning-signed-notification-and-axfr-requests

After reading this, and trial and error, I'm not sure how I can control the 
TSIG key that the master uses to sign notifications.

I have 1 master and 2 slaves and a tsig key named after each. I am trying to 
configure things such that the master allows AXFRs to each of the slave TSIGs 
but uses its own named TSIG for signing notifications. On the slaves then, I'm 
trying to configure things such that notifications are allowed by the master 
TSIG and AXFR requests are signed by their own named TSIG key.

It seems to me like the master is just using the first TSIG-ALLOW-AXFR key to 
sign notifications.

Is there any value to this setup? I wanted to be able to rotate the slaves' 
keys separately. However, the only thing that I can get to work is my 
historical setup of a single shared TSIG key for all master/slave notifications 
and zone transfers.
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
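As an added illustration (not from the thread or from PowerDNS itself), a check for the situation Matthew describes: list zones whose metadata carries more than one TSIG-ALLOW-AXFR key, since pdns signs notifications with whichever key the backend happens to return first. It assumes the generic SQL backend's domainmetadata table layout (id, domain_id, kind, content) and uses constructed sample rows in an in-memory SQLite database.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample rows in the shape of the generic SQL backend's
# domainmetadata table. Zone 1 is the multi-key master setup from the thread,
# zone 2 the historical single shared key, zone 3 a slave-side setting.
SAMPLE_ROWS = [
    (1, 1, "TSIG-ALLOW-AXFR", "slave1-key"),
    (2, 1, "TSIG-ALLOW-AXFR", "slave2-key"),
    (3, 1, "TSIG-ALLOW-AXFR", "master-key"),
    (4, 2, "TSIG-ALLOW-AXFR", "shared-key"),
    (5, 3, "AXFR-MASTER-TSIG", "slave1-key"),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, "
        "domain_id INTEGER, kind TEXT, content TEXT)"
    )
    conn.executemany("INSERT INTO domainmetadata VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn


def allow_axfr_keys(conn: sqlite3.Connection) -> Dict[int, List[str]]:
    """Map domain_id -> TSIG-ALLOW-AXFR keys in the order the database returns them.

    Deliberately no ORDER BY: the point is that 'first key' is whatever row
    order the backend yields (assumption about the real pdns query shape).
    """
    rows = conn.execute(
        "SELECT domain_id, content FROM domainmetadata WHERE kind='TSIG-ALLOW-AXFR'"
    )
    keys: Dict[int, List[str]] = {}
    for domain_id, content in rows:
        keys.setdefault(domain_id, []).append(content)
    return keys


def audit_notify_keys(conn: sqlite3.Connection) -> List[Tuple[int, str, List[str]]]:
    """Return (domain_id, key_that_would_sign_notifies, unused_keys) for every
    zone with more than one TSIG-ALLOW-AXFR key, i.e. where the signing key is
    effectively chosen by row order rather than by the operator."""
    findings = []
    for domain_id, keys in allow_axfr_keys(conn).items():
        if len(keys) > 1:
            findings.append((domain_id, keys[0], keys[1:]))
    return findings
```

Zones reported here are the ones where rotating a slave key can silently change which key the master signs notifications with; the single-key zone 2 and the slave-only metadata of zone 3 are not flagged.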