[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?
PGNet Dev
pgnet.dev at gmail.com
Tue Dec 27 15:42:33 UTC 2016
On 12/27/2016 06:32 AM, PGNet Dev wrote:
> On 12/27/2016 01:36 AM, Berry A.W. van Halderen wrote:
>> So I think that TSIG authorization isn't supported (yet) for
>> OpenDNSSEC. There is a bit of rationale why for inbound xfers
>> it is less used. Most of the times OpenDNSSEC is used where
>> the incoming zones are from a secured path anyway. Securing
>> by just restricting the address is enough.
For reference,
with TSIG-usage ENabled here for inbound xfer, with a purposefully INcorrect key Secret, the xfer fails
Dec 27 07:36:18 dns sh[27465]: /usr/local/etc/opendnssec/addns.xml:8: element Secret: Relax-NG validity error : Element Secret failed to validate content
whereas using the CORRECT key Secret,
Dec 27 07:40:34 dns ods-signerd: [xfrd] zone example.com transfer done [notify acquired 0, serial on disk 1482770644, notify serial 0]
It certainly appears that TSIG is required & being used for inbound transfer.
More information about the Opendnssec-user
mailing list