[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Dec 27 15:04:56 UTC 2016


On 12/27/2016 03:32 PM, PGNet Dev wrote:
> On 12/27/2016 01:36 AM, Berry A.W. van Halderen wrote:
>> So I think that TSIG authorization isn't supported (yet) for
>> OpenDNSSEC.  There is a bit of rationale why for inbound xfers
>> it is less used.  Most of the times OpenDNSSEC is used where
>> the incoming zones are from a secured path anyway.  Securing
>> by just restricting the address is enough.
>>
>> Because in the setup you're looking for you are using
>> 127.0.0.1, this might be the case as well and just removing
>> the requirement from the bind definition to require TSIGs
>> from 127.0.0.1 will make this work.
>>
>> Yes the documentation does not explicitly state this and it is
>> certainly a feature worth implementing.
> 
> IIUC, you're talking about inbound transfer from bind to ods.
> 
> As in my latest summary post, I'm not currently having problems with the
> inbound transfer; it's working.
> 
> It's the OUTBOUND notify, in my case from ods to the secondary nsd4
> instance, that's failing.
> 

Ah, but initially it was the /inbound/ you were trying to get up and
running.  Later on you modified your addns.xml to:

> cat addns.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <Adapter>
    <DNS>
      <TSIG>
        <Name>ods-key</Name>
        <Algorithm>hmac-sha256</Algorithm>
        <Secret>xxx...xxx</Secret>
      </TSIG>
      <Outbound>
        <ProvideTransfer>
          <Peer>
            <Prefix>10.2.2.53</Prefix>
            <Key>ods-key</Key>
          </Peer>
        </ProvideTransfer>
        <Notify>
          <Remote>
            <Address>10.2.2.53</Address>
            <Port>53</Port>
          </Remote>
        </Notify>
      </Outbound>
      ...
    </DNS>
  </Adapter>

The Remote section here is missing the Key-reference.

\Berry
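A small consistency check for the gap Berry points out, added here as an example that is not part of the thread or of OpenDNSSEC itself: it parses an addns.xml and flags every <Remote> or <Peer> that carries no <Key> while a <TSIG> is defined, plus any <Key> that names no <TSIG>. The Outbound element names come from the quoted config; the Inbound paths (RequestTransfer/Remote, AllowNotify/Peer) are assumed from the addns.xml layout, and the sample document is constructed from the mail with the secret redacted.

```python
"""Flag TSIG keys defined but not referenced, and dangling key references,
in an OpenDNSSEC addns.xml. Added example; the Inbound paths are assumed."""
import xml.etree.ElementTree as ET

# Constructed sample: the addns.xml quoted in the thread, secret redacted.
SAMPLE_ADDNS = """<?xml version="1.0" encoding="UTF-8"?>
<Adapter>
  <DNS>
    <TSIG>
      <Name>ods-key</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>xxx...xxx</Secret>
    </TSIG>
    <Outbound>
      <ProvideTransfer>
        <Peer><Prefix>10.2.2.53</Prefix><Key>ods-key</Key></Peer>
      </ProvideTransfer>
      <Notify>
        <Remote><Address>10.2.2.53</Address><Port>53</Port></Remote>
      </Notify>
    </Outbound>
  </DNS>
</Adapter>"""

def check_addns(xml_text):
    """Return a list of findings (strings); an empty list means consistent."""
    dns = ET.fromstring(xml_text).find("DNS")
    keys = {t.findtext("Name") for t in dns.findall("TSIG")}
    findings = []
    # (container path, entry element, element holding the peer address)
    checks = [("Inbound/RequestTransfer", "Remote", "Address"),   # assumed
              ("Inbound/AllowNotify", "Peer", "Prefix"),          # assumed
              ("Outbound/ProvideTransfer", "Peer", "Prefix"),
              ("Outbound/Notify", "Remote", "Address")]
    for path, entry, addr in checks:
        for e in dns.findall(f"{path}/{entry}"):
            where = f"{path}/{entry} {e.findtext(addr)}"
            key = e.findtext("Key")
            if key is None and keys:
                findings.append(f"{where}: no <Key> reference although a TSIG is defined")
            elif key is not None and key not in keys:
                findings.append(f"{where}: <Key>{key}</Key> names no <TSIG>")
    return findings

if __name__ == "__main__":
    for finding in check_addns(SAMPLE_ADDNS):
        print(finding)
```

On the quoted configuration this reports only the Notify/Remote entry for 10.2.2.53; adding `<Key>ods-key</Key>` to that Remote clears the finding.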
