You want me to post the TSIG keys? Also, the DNS servers themselves are in a lab, behind a firewall. But I don’t see the relevance of specific domain names to my question.
Let me just ask the question a different way: What is the proper syntax for configuring TSIG when using the BIND backend?

Michael

From: frank+p...@tembo.be <frank+p...@tembo.be>
Sent: Monday, November 15, 2021 5:27 AM
To: Fox, Michael E. <michael....@tamu.edu>
Cc: pdns-users-ml <pdns-users@mailman.powerdns.com>
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

Can you provide full (unedited) config files please? A lot of info is missing to be able to help you fix this problem. Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ for more information.

Frank

On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users <pdns-users@mailman.powerdns.com> wrote:

Howdy,

I’m new to PowerDNS. I’m using the authoritative server with the BIND backend for some testing. (Don’t need power or complexity of a DB backend).

Fake IPs:
11.11.11.11 master
22.22.22.22 slave

I’ve got a master and slave configured with three zones and doing zone transfers. Initially, I didn’t have TSIGs and have the following configured in pdns.conf on the master:

    allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22

Now I’d like to configure TSIG. But the instructions here seem to be related to DB backends: https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr

I’d like to stick to the BIND backend. But I get errors when trying the same type of configuration options in named.conf that work in regular BIND. Here’s what I did:

On the master:

    key "keyname" {
        algorithm hmac-sha256;
        secret "…";
    };
    zone "zonename" {
        file …;
        type master;
        allow-transfer { 22.22.22.22 key "keyname"; };
    };

On the slave:

    key "keyname" {
        algorithm hmac-sha256;
        secret "…";
    };
    zone "zonename" {
        file …;
        type slave;
        masters { 11.11.11.11 key "keyname"; };   <-- I get a syntax error on this, even though it works in regular BIND.
    };

So, I changed the slave to:

    server 11.11.11.11 {
        keys { "keyname"; };
    };
    zone "zonename" {
        file …;
        type slave;
        masters { 11.11.11.11 };   <-- no more syntax error.
    };

And, in pdns.conf, I set “allow-axfr-ips” back to the default:

    allow-axfr-ips=127.0.0.0/8,::1

But when I restart the slave, I get the following error:

    Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized (This was the first time. Excluding zone from slave-checks until 1636827466)

Any help would be greatly appreciated!

Michael

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be