Thanks. I'll show myself out. I read this just after hitting send: https://doc.powerdns.com/authoritative/settings.html#send-signed-notify.
I probably don't need TSIG anyway since this is all happening over wireguard links with addresses in the fd00:: address space.

On Wed, Apr 1, 2020 at 3:57 PM Klaus Darilion <klaus.daril...@nic.at> wrote:
> There is an issue on github about this. You are correct, pdns just uses
> the first tsig key returned by the backend. The workaround was a config
> option to disable signed notifications.
>
> Klaus
>
>
> Sent via BlackBerry Work (www.blackberry.com)
> ------------------------------
> *From: *Matthew Monaco via Pdns-users <pdns-users@mailman.powerdns.com>
> *Sent: *01.04.2020 23:53
> *To: *pdns-users@mailman.powerdns.com
> *Subject: *[Pdns-users] Clarification on which TSIG key signs
> notifications
>
> Relevant doc:
>
> https://doc.powerdns.com/authoritative/tsig.html#provisioning-signed-notification-and-axfr-requests
>
> After reading this, and trial and error, I'm not sure how I can control
> the TSIG key that the master uses to sign notifications.
>
> I have 1 master and 2 slaves and a tsig key named after each. I am trying
> to configure things such that the master allows AXFRs to each of the slave
> TSIGs but uses its own named TSIG for signing notifications. On the slaves
> then, I'm trying to configure things such that notifications are allowed by
> the master TSIG and AXFR requests are signed by their own named TSIG key.
>
> It seems to me like the master is just using the first TSIG-ALLOW-AXFR key
> to sign notifications.
>
> Is there any value to this setup? I wanted to be able to rotate the
> slaves' keys separately. However, the only thing that I can get to work is
> my historical setup of a single shared TSIG key for all master/slave
> notifications and zone transfers.
>
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
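One way to confirm on the slave side which key the master actually used on a NOTIFY, as an added example that is not part of this thread or of PowerDNS: parse the owner name of the TSIG meta-RR (which is the key name) out of the wire message. The sample NOTIFY, the key name `master.example.` and the dummy MAC are constructed here; the code reports the key name only and does not verify the MAC, which would need the shared secret.

```python
import struct

TSIG_TYPE = 250        # TSIG meta-RR type (RFC 8945)
OPCODE_NOTIFY = 4

def _read_name(buf, off):
    """Decode a wire-format name at off, following compression pointers; return (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:               # compression pointer: remember where we left off
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", buf, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def _rr_header(buf, off):
    # Owner name plus TYPE, CLASS, TTL, RDLENGTH; returns (name, type, rdata_offset, rdlength)
    name, off = _read_name(buf, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    return name, rtype, off + 10, rdlen

def tsig_key_name(msg):
    """Return the TSIG key name that signed msg, or None if the message carries no TSIG RR."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):                         # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                # QTYPE + QCLASS
    for _ in range(an + ns + ar):               # walk answer/authority/additional RRs
        name, rtype, off, rdlen = _rr_header(msg, off)
        if rtype == TSIG_TYPE:
            return name
        off += rdlen
    return None

def _enc(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_sample_notify(zone="example.org.", key="master.example."):
    """Constructed NOTIFY for zone; when key is given, append a TSIG RR with a dummy MAC."""
    header = struct.pack("!HHHHHH", 0x1234, OPCODE_NOTIFY << 11 | 0x0400, 1, 0, 0, 1 if key else 0)
    msg = header + _enc(zone) + struct.pack("!HH", 6, 1)       # SOA IN question
    if key:
        rdata = (_enc("hmac-sha256.") + b"\x00" * 6 + struct.pack("!HH", 300, 4)
                 + b"\xde\xad\xbe\xef" + struct.pack("!HHH", 0x1234, 0, 0))
        msg += _enc(key) + struct.pack("!HHIH", TSIG_TYPE, 255, 0, len(rdata)) + rdata
    return msg
```

Feeding a captured NOTIFY (e.g. the UDP payload from a packet capture on the slave) to `tsig_key_name` shows whether the master signed with its own key or with the first TSIG-ALLOW-AXFR key, which is the behaviour described in the thread.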