Hi Michael,

Your pdns.conf files seem to be missing and could be very relevant.

Frank

> On 15 Nov 2021, at 14:39, Fox, Michael E. <michael....@tamu.edu> wrote:
>
> You want me to post the TSIG keys?
>
> Also, the DNS servers themselves are in a lab, behind a firewall. But I
> don’t see the relevance of specific domain names to my question.
>
> Let me just ask the question a different way: What is the proper syntax for
> configuring TSIG when using the BIND backend?
>
> Michael
>
> From: frank+p...@tembo.be <frank+p...@tembo.be>
> Sent: Monday, November 15, 2021 5:27 AM
> To: Fox, Michael E. <michael....@tamu.edu>
> Cc: pdns-users-ml <pdns-users@mailman.powerdns.com>
> Subject: Re: [Pdns-users] How to configure TSIG with BIND backend
>
> Hi Michael,
>
> Can you provide full (unedited) config files please?
>
> A lot of info is missing to be able to help you fix this problem. Please see
> https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
> for more information.
>
> Frank
>
> On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users
> <pdns-users@mailman.powerdns.com> wrote:
>
> Howdy,
>
> I’m new to PowerDNS. I’m using the authoritative server with the BIND
> backend for some testing. (Don’t need power or complexity of a DB backend).
>
> Fake IPs:
> 11.11.11.11 master
> 22.22.22.22 slave
>
> I’ve got a master and slave configured with three zones and doing zone
> transfers. Initially, I didn’t have TSIGs and have the following configured
> in pdns.conf on the master:
>
> allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22
>
> Now I’d like to configure TSIG. But the instructions here seem to be related
> to DB backends:
> https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
>
> I’d like to stick to the BIND backend. But I get errors when trying the same
> type of configuration options in named.conf that work in regular BIND.
>
> Here’s what I did:
>
> On the master:
>
> key "keyname" {
>     algorithm hmac-sha256;
>     secret "…";
> };
>
> zone "zonename" {
>     file …;
>     type master;
>     allow-transfer { 22.22.22.22 key "keyname"; };
> };
>
> On the slave:
>
> key "keyname" {
>     algorithm hmac-sha256;
>     secret "…";
> };
>
> zone "zonename" {
>     file …;
>     type slave;
>     masters { 11.11.11.11 key "keyname"; };   <- I get a syntax error on this, even though it works in regular BIND.
> };
>
> So, I changed the slave to:
>
> server 11.11.11.11 {
>     keys { "keyname"; };
> };
>
> zone "zonename" {
>     file …;
>     type slave;
>     masters { 11.11.11.11 };   <- no more syntax error.
> };
>
> And, in pdns.conf, I set “allow-axfr-ips” back to the default:
>
> allow-axfr-ips=127.0.0.0/8,::1
>
> But when I restart the slave, I get the following error:
>
> Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR
> chunk error: Server Not Authoritative for zone / Not Authorized (This was the
> first time. Excluding zone from slave-checks until 1636827466)
>
> Any help would be greatly appreciated!
>
> Michael
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
> Frank Louwers
> PowerDNS Certified Consultant @ Kiwazo.be

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be