[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

Berry A.W. van Halderen berry at nlnetlabs.nl
Wed Dec 28 09:51:01 UTC 2016

On 12/27/2016 04:42 PM, PGNet Dev wrote:
> On 12/27/2016 06:32 AM, PGNet Dev wrote:
>> On 12/27/2016 01:36 AM, Berry A.W. van Halderen wrote:
>>> So I think that TSIG authorization isn't supported (yet) for
>>> OpenDNSSEC.  There is a bit of rationale why for inbound xfers
>>> it is less used.  Most of the times OpenDNSSEC is used where
>>> the incoming zones are from a secured path anyway.  Securing
>>> by just restricting the address is enough.
> For reference,
> with TSIG-usage ENabled here for inbound xfer, with a purposefully INcorrect key Secret, the xfer fails
> 	Dec 27 07:36:18 dns sh[27465]: /usr/local/etc/opendnssec/addns.xml:8: element Secret: Relax-NG validity error : Element Secret failed to validate content
> whereas using the CORRECT key Secret,
> 	Dec 27 07:40:34 dns ods-signerd: [xfrd] zone example.com transfer done [notify acquired 0, serial on disk 1482770644, notify serial 0]
> It certainly appears that TSIG is required & being used for inbound transfer.

Actually, the "Relax-NG" error means it could not parse the XML file
because apparently that field is required.  Doesn't tell if it is
actually used.  This is a historic decision to require all fields,
even if not used.  But apparently this isn't your issue.


More information about the Opendnssec-user mailing list