[Opendnssec-user] ods2 AXFR request to nameserver fails, reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen?

Berry A.W. van Halderen berry at nlnetlabs.nl
Wed Dec 28 09:51:01 UTC 2016


On 12/27/2016 04:42 PM, PGNet Dev wrote:
> On 12/27/2016 06:32 AM, PGNet Dev wrote:
>> On 12/27/2016 01:36 AM, Berry A.W. van Halderen wrote:
>>> So I think that TSIG authorization isn't supported (yet) for
>>> OpenDNSSEC.  There is a bit of rationale why for inbound xfers
>>> it is less used.  Most of the times OpenDNSSEC is used where
>>> the incoming zones are from a secured path anyway.  Securing
>>> by just restricting the address is enough.
> 
> For reference,
> 
> with TSIG-usage ENabled here for inbound xfer, with a purposefully INcorrect key Secret, the xfer fails
> 
> 
> 	Dec 27 07:36:18 dns sh[27465]: /usr/local/etc/opendnssec/addns.xml:8: element Secret: Relax-NG validity error : Element Secret failed to validate content
> 
> whereas using the CORRECT key Secret,
> 
> 	Dec 27 07:40:34 dns ods-signerd: [xfrd] zone example.com transfer done [notify acquired 0, serial on disk 1482770644, notify serial 0]
> 
> It certainly appears that TSIG is required & being used for inbound transfer.
> 

Actually, the "Relax-NG" error means it could not parse the XML file
because apparently that field is required.  Doesn't tell if it is
actually used.  This is a historic decision to require all fields,
even if not used.  But apparently this isn't your issue.

\Berry
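The distinction Berry draws above (a Relax-NG validity error is the config file being rejected before any key is used, which is not the same as a TSIG verification failure on the wire) can be made concrete. The following is an added example, not code from the thread or from OpenDNSSEC. It assumes that the shipped Relax-NG schema declares Secret as base64 (as an assumption, since the schema is not on the page), uses a constructed addns.xml-shaped fragment, and stands in for the TSIG MAC with a plain HMAC-SHA256 over a constructed request, which is simpler than the real RFC 8945 computation.

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an addns.xml TSIG block; not a real
# config and not taken from the list post. {secret} is filled per case.
SAMPLE_ADDNS_XML = """<Adapters>
  <Adapter>
    <DNS>
      <TSIG>
        <Name>example-key</Name>
        <Algorithm>hmac-sha256</Algorithm>
        <Secret>{secret}</Secret>
      </TSIG>
    </DNS>
  </Adapter>
</Adapters>
"""


def decode_secret(secret_text):
    """Decode a TSIG Secret the way a base64 schema type would accept it.
    Assumption: the Relax-NG schema types Secret as base64Binary, so a
    non-base64 string is rejected before any key is ever used.
    Returns raw key bytes, or None when the text is not valid base64."""
    try:
        return base64.b64decode(secret_text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def load_tsig_key(xml_text):
    """Parse the TSIG block and return (key_name, key_bytes).
    Raises ValueError prefixed with 'schema' when Secret is malformed,
    mimicking the stage at which the Relax-NG error in the post occurs."""
    root = ET.fromstring(xml_text)
    tsig = root.find("./Adapter/DNS/TSIG")
    if tsig is None:
        raise ValueError("schema: no TSIG element")
    key = decode_secret(tsig.findtext("Secret") or "")
    if key is None:
        raise ValueError("schema: Element Secret failed to validate content")
    return tsig.findtext("Name"), key


def tsig_mac(key, message):
    """HMAC-SHA256 over the message, a simplified stand-in for the TSIG MAC
    (the real MAC also covers the TSIG RR variables)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def classify(xml_text, server_key, message):
    """Report the stage at which a configured Secret fails:
      'schema' - Secret is not valid base64: config rejected, nothing sent
      'tsig'   - Secret decodes, but the MAC would not verify at the server
      'ok'     - MAC verifies"""
    try:
        _, client_key = load_tsig_key(xml_text)
    except ValueError as err:
        if str(err).startswith("schema"):
            return "schema"
        raise
    expected = tsig_mac(server_key, message)
    if hmac.compare_digest(tsig_mac(client_key, message), expected):
        return "ok"
    return "tsig"


# Constructed inputs for the three cases discussed in the thread.
SERVER_KEY = b"constructed-shared-secret-0123456789"
GOOD_SECRET = base64.b64encode(SERVER_KEY).decode()
WRONG_SECRET = base64.b64encode(b"different-but-valid-secret").decode()
MALFORMED_SECRET = "not base64!!"
REQUEST = b"constructed AXFR request bytes"


def demo():
    """Run all three cases; returns {case_name: failing_stage}."""
    cases = (("good", GOOD_SECRET), ("wrong", WRONG_SECRET),
             ("malformed", MALFORMED_SECRET))
    return {name: classify(SAMPLE_ADDNS_XML.format(secret=s), SERVER_KEY, REQUEST)
            for name, s in cases}


if __name__ == "__main__":
    for case, stage in demo().items():
        print(f"{case}: {stage}")
```

The point of the three cases: a malformed Secret never gets past the parser, so a log line like the Relax-NG error in the post says nothing about whether TSIG is enforced on the transfer. Only the "wrong" case, a well-formed key that does not match the server's, exercises the MAC check, and that is the case to test when you want to know whether a key mismatch actually blocks the inbound AXFR.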
