[Opendnssec-user] TSIG Notify: Migrating from 1.x to 2.x

Havard Eidnes he at uninett.no
Mon Feb 17 17:03:08 UTC 2020


Hi,

I promise, a single-issue message this time... :)

One thing which tripped me up in my upgrade, using DNS/IXFR/AXFR
both inbound and outbound from OpenDNSSEC, and using TSIG both
for IXFR/AXFR/NOTIFY from the upstream name server:

While OpenDNSSEC 1.4.x in the "addns.xml" file could have

    <Inbound>
      <!-- Address of host to request XFR from -->
      <RequestTransfer>
        <Remote>
          <Address>a.b.c.d</Address>
          <Key>keyname</Key>
        </Remote>
      </RequestTransfer>

      <AllowNotify>
        <Peer>
          <Prefix>a.b.c.d</Prefix>
        </Peer>
      </AllowNotify>
    </Inbound>

OpenDNSSEC 1.4.x would with this configuration accept TSIG-signed
notify messages from the upstream name server and act on them.

OpenDNSSEC 2.x, however, appears to *require* the <Key> element,
like this:

      <AllowNotify>
        <Peer>
          <Prefix>a.b.c.d</Prefix>
          <Key>keyname</Key>
        </Peer>
      </AllowNotify>

in order for an incoming TSIG-signed notify to be accepted.  If
you don't, the log will contain

Feb 17 16:57:24 nnn ods-signerd: [query] incoming notify for zone eduvpn.no
Feb 17 16:57:24 nnn ods-signerd: [acl] no match: tsig present but no config
Feb 17 16:57:24 nnn ods-signerd: [query] unauthorized notify for zone eduvpn.no from a.b.c.d: no acl matches

The migration instructions on

  https://www.opendnssec.org/migration-from-1-4-to-2-1/

fail to mention this change in behaviour.

Regards,

- Håvard
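A small pre-upgrade check for the pitfall described above, added here as an example; it is not part of the post or of OpenDNSSEC. It parses an addns.xml, reports every AllowNotify Peer that matches on address only while the same address is TSIG-keyed in RequestTransfer, can rewrite the file into the 2.x form with the Key copied into the Peer, and counts the "[acl] no match: tsig present but no config" signer message quoted in the post. The `<Adapter>`/`<DNS>` wrapper around `<Inbound>` in the sample is assumed from the usual addns.xml layout; the checker itself only relies on the elements the post shows.

```python
"""Check an OpenDNSSEC addns.xml for notify peers that lose their TSIG ACL match in 2.x.

Added example (not from the mailing-list post or the OpenDNSSEC project). The
<Adapter>/<DNS> wrapper is assumed; only <Inbound>, <RequestTransfer>/<Remote> and
<AllowNotify>/<Peer> from the post are actually inspected.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the 1.4.x style quoted in the post: the XFR source is
# keyed, but the notify peer is matched on its address alone.
SAMPLE_ADDNS_XML = """\
<Adapter>
  <DNS>
    <Inbound>
      <RequestTransfer>
        <Remote>
          <Address>a.b.c.d</Address>
          <Key>keyname</Key>
        </Remote>
      </RequestTransfer>
      <AllowNotify>
        <Peer>
          <Prefix>a.b.c.d</Prefix>
        </Peer>
      </AllowNotify>
    </Inbound>
  </DNS>
</Adapter>
"""

# The three ods-signerd lines from the post (a.b.c.d and eduvpn.no as given there).
SAMPLE_LOG = [
    "Feb 17 16:57:24 nnn ods-signerd: [query] incoming notify for zone eduvpn.no",
    "Feb 17 16:57:24 nnn ods-signerd: [acl] no match: tsig present but no config",
    "Feb 17 16:57:24 nnn ods-signerd: [query] unauthorized notify for zone eduvpn.no "
    "from a.b.c.d: no acl matches",
]

ACL_NO_CONFIG = re.compile(r"\[acl\] no match: tsig present but no config")


def _keyed_remotes(inbound):
    """Map Address -> Key for every TSIG-keyed RequestTransfer Remote in <Inbound>."""
    keyed = {}
    for remote in inbound.findall("RequestTransfer/Remote"):
        addr, key = remote.findtext("Address"), remote.findtext("Key")
        if addr and key:
            keyed[addr.strip()] = key.strip()
    return keyed


def keyed_peers_without_key(xml_text):
    """Return (prefix, keyname) for each AllowNotify <Peer> with no <Key> whose
    Prefix equals a keyed Remote address. Under 2.x a signed NOTIFY from such a
    peer is refused with 'no acl matches' even though 1.4.x accepted it."""
    root = ET.fromstring(xml_text)
    findings = []
    for inbound in root.iter("Inbound"):
        remote_keys = _keyed_remotes(inbound)
        for peer in inbound.findall("AllowNotify/Peer"):
            prefix = (peer.findtext("Prefix") or "").strip()
            if peer.find("Key") is None and prefix in remote_keys:
                findings.append((prefix, remote_keys[prefix]))
    return findings


def add_missing_peer_keys(xml_text):
    """Return the XML with the Remote's <Key> copied into each flagged <Peer>,
    i.e. the 2.x form shown in the post. Peers not tied to a keyed Remote are
    left untouched, so unsigned-notify peers keep working as configured."""
    root = ET.fromstring(xml_text)
    for inbound in root.iter("Inbound"):
        remote_keys = _keyed_remotes(inbound)
        for peer in inbound.findall("AllowNotify/Peer"):
            prefix = (peer.findtext("Prefix") or "").strip()
            if peer.find("Key") is None and prefix in remote_keys:
                ET.SubElement(peer, "Key").text = remote_keys[prefix]
    return ET.tostring(root, encoding="unicode")


def count_tsig_acl_misses(log_lines):
    """Count signer log lines showing a TSIG-signed NOTIFY hitting an ACL with no key.
    A non-zero count right after an upgrade is the symptom the post describes."""
    return sum(1 for line in log_lines if ACL_NO_CONFIG.search(line))


if __name__ == "__main__":
    for prefix, key in keyed_peers_without_key(SAMPLE_ADDNS_XML):
        print(f"AllowNotify peer {prefix} has no <Key>; RequestTransfer uses key {key}")
    print(add_missing_peer_keys(SAMPLE_ADDNS_XML))
    print("acl misses in log:", count_tsig_acl_misses(SAMPLE_LOG))
```

Run it against a copy of the real addns.xml before upgrading, or point `count_tsig_acl_misses` at the ods-signerd log afterwards; the rewritten XML only adds a Key element and does not touch Remote, Prefix or any other settings.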

