[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Dec 27 09:36:08 UTC 2016


Dear PGDev (???), et al,

Let me respond first on a few items that already were partially
mentioned and then reply to the real issue.  Also I do need to
mention I'm not absolutely certain on all items;

Network monitoring on the loopback device doesn't work that nicely
on Linux.  The kernel cuts short large parts of the network
stack, so you might not see traffic from/to it.

There have been problems on *BSD machines, where it would not
send packets over the right interface.  Linux normally selects
the right interface, where on *BSD you would need to bind
to a specific interface.

When using an adapter with a DNS/Inbound/RequestTransfer/Remote
specification, thus indicating you are allowing transfers
incoming from a certain source, you also need to specify
an AllowNotify to indicate that you also allow a DNS NOTIFY
to be accepted.  This, unlike BIND, is not automatically
enabled and is more in line with the NSD/Unbound specification.

These are all not your real problem.  Looking at the way
OpenDNSSEC works, the TSIG can be specified in the configuration
because a Remote section is the same for inbound as well as
outbound transfers, but actually for inbound transfers it is
not used.

So I think that TSIG authorization isn't supported (yet) for
OpenDNSSEC.  There is a bit of rationale why for inbound xfers
it is less used.  Most of the times OpenDNSSEC is used where
the incoming zones are from a secured path anyway.  Securing
by just restricting the address is enough.

Because in the setup you're looking for you are using
127.0.0.1, this might be the case as well, and just removing
the requirement from the BIND definition to require TSIGs
from 127.0.0.1 will make this work.

Yes the documentation does not explicitly state this and it is
certainly a feature worth implementing.

\Berry
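The inbound-adapter configuration Berry describes above, written out as an added example that is not part of the original message or of the OpenDNSSEC project's own sample files. It shows the DNS/Inbound/RequestTransfer/Remote section together with the AllowNotify section that has to be added by hand for the NOTIFY from the same source to be accepted. The element names Peer, Prefix, TSIG, Outbound, ProvideTransfer and Notify are assumed from memory of the OpenDNSSEC 2.x addns.xml layout; the key name and secret are constructed placeholders, and the key is listed on the Remote only to show where it sits, since per the message above it is not actually used for inbound transfers.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an OpenDNSSEC 2.x DNS adapter file (addns.xml), not the
     project's shipped sample. Referenced from zonelist.xml as the zone's
     input adapter. Element names outside RequestTransfer/Remote and
     AllowNotify are assumed from memory of the 2.x layout. -->
<Adapter>
  <DNS>
    <!-- Constructed placeholder key: name and secret are not real. -->
    <TSIG>
      <Name>ods-xfr-key</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0</Secret>
    </TSIG>

    <Inbound>
      <!-- Where ODS requests the unsigned zone from (AXFR/IXFR).
           The Key element is accepted here but, per the message above,
           is not used on inbound transfers in this version. -->
      <RequestTransfer>
        <Remote>
          <Address>127.0.0.1</Address>
          <Port>53</Port>
          <Key>ods-xfr-key</Key>
        </Remote>
      </RequestTransfer>

      <!-- Not implied by RequestTransfer: without this section a NOTIFY
           from the hidden master is dropped and ODS only polls by SOA. -->
      <AllowNotify>
        <Peer>
          <Prefix>127.0.0.1</Prefix>
        </Peer>
      </AllowNotify>
    </Inbound>

    <Outbound>
      <!-- Who may fetch the signed zone from ODS; TSIG is enforced here. -->
      <ProvideTransfer>
        <Peer>
          <Prefix>127.0.0.1</Prefix>
          <Key>ods-xfr-key</Key>
        </Peer>
      </ProvideTransfer>
      <!-- Where ODS sends NOTIFY once the signed zone is ready. -->
      <Notify>
        <Remote>
          <Address>127.0.0.1</Address>
          <Port>5353</Port>
        </Remote>
      </Notify>
    </Outbound>
  </DNS>
</Adapter>
```

On the BIND side, the change Berry suggests is to stop demanding a key for the loopback address in the hidden master's zone statement: an allow-transfer that lists only `key "ods-xfr-key";` will not be satisfied by the unsigned inbound request from 127.0.0.1, whereas listing `127.0.0.1;` in allow-transfer lets the transfer through with address-based restriction only, which is the security model the message describes for inbound transfers on a trusted path. Since ODS does verify keys on ProvideTransfer, keep the TSIG requirement on the downstream secondaries that fetch the signed zone.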



