[PARTIALLY SOLVED] [Opendnssec-user] zones with TLSA records need to: ods-signerd: [tools] unable to read zone

Michael Grimm trashcan at odo.in-berlin.de
Sun Apr 26 19:48:15 UTC 2015

Michael Grimm <trashcan at odo.in-berlin.de> wrote:

> Thus, I am left with understanding/debugging why xfr from my nsd hidden primary will fail for zones with TLSA records set, and why the very same zone files with commented TLSA records can be xfr-ed without any issue.

Well, I do have to report that neither opendnssec nor nsd is to "blame" regarding this issue.

No, it was correlated with my attempts to implement NAT66 some weeks ago. NATing http, smtp, and most other protocols do work well, but the domain protocol might have some issues with FBSD's pf firewall and its NAT66 implementation, though. Reverting back to IPv6 to IPv6 communication without NAT66 brought back full xfr-ing of my "problematic" zonefiles.

I really don't understand it, and I do not have the capabilities of understanding the technical background, but anyway, it's working again ;-)

Thanks for listening, and regards,
