[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

PGNet Dev pgnet.dev at gmail.com
Tue Dec 27 15:42:33 UTC 2016

On 12/27/2016 06:32 AM, PGNet Dev wrote:
> On 12/27/2016 01:36 AM, Berry A.W. van Halderen wrote:
>> So I think that TSIG authorization isn't supported (yet) for
>> OpenDNSSEC.  There is a bit of rationale why for inbound xfers
>> it is less used.  Most of the times OpenDNSSEC is used where
>> the incoming zones are from a secured path anyway.  Securing
>> by just restricting the address is enough.

For reference,

with TSIG-usage ENabled here for inbound xfer, with a purposefully INcorrect key Secret, the xfer fails

	Dec 27 07:36:18 dns sh[27465]: /usr/local/etc/opendnssec/addns.xml:8: element Secret: Relax-NG validity error : Element Secret failed to validate content

whereas using the CORRECT key Secret,

	Dec 27 07:40:34 dns ods-signerd: [xfrd] zone example.com transfer done [notify acquired 0, serial on disk 1482770644, notify serial 0]

It certainly appears that TSIG is required & being used for inbound transfer.

More information about the Opendnssec-user mailing list