[Opendnssec-user] TSIG Notify: Migrating from 1.x to 2.x

Havard Eidnes he at uninett.no
Mon Feb 17 17:03:08 UTC 2020


I promise, a single-issue message this time... :)

One thing which tripped me up in my upgrade, using DNS/IXFR/AXFR
both inbound and outbound from OpenDNSSEC, and using TSIG both
for IXFR/AXFR/NOTIFY from the upstream name server:

While OpenDNSSEC 1.4.x in the "addns.xml" file could have

      <!-- Address of host to request XFR from -->


OpenDNSSEC 1.4.x would with this configuration accept TSIG-signed
notify messages from the upstream name server and act on them.

OpenDNSSEC 2.x, however, appears to *require* the <Key> element,
like this:


in order for an incoming TSIG-signed notify to be accepted.  If
you don't, the log will contain

Feb 17 16:57:24 nnn ods-signerd: [query] incoming notify for zone eduvpn.no
Feb 17 16:57:24 nnn ods-signerd: [acl] no match: tsig present but no config
Feb 17 16:57:24 nnn ods-signerd: [query] unauthorized notify for zone eduvpn.no from a.b.c.d: no acl matches

The migration instructions on


fail to mention this change in behaviour.


- Håvard
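As an added illustration (not part of the original post, and not OpenDNSSEC's own shipped sample), here is the shape of an addns.xml that names the TSIG key on the notify peer as well as on the transfer remote, so that a TSIG-signed NOTIFY has an ACL entry to match against. The element layout follows the addns.xml conventions as I know them from OpenDNSSEC 2.x; the key name, secret and address are placeholders, so compare against the sample addns.xml installed with your 2.x package before relying on the exact tags.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, assumed structure; values are placeholders -->
<Adapter>
  <DNS>
    <!-- The TSIG key shared with the upstream name server -->
    <TSIG>
      <Name>upstream-xfr</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>cGxhY2Vob2xkZXItc2VjcmV0LW5vdC1yZWFs</Secret>
    </TSIG>

    <Inbound>
      <!-- Address of host to request XFR from -->
      <RequestTransfer>
        <Remote>
          <Address>192.0.2.1</Address>
          <Port>53</Port>
          <Key>upstream-xfr</Key>
        </Remote>
      </RequestTransfer>

      <!-- Who may send NOTIFY. A <Peer> with only a <Prefix> will not
           match a TSIG-signed notify in 2.x ("tsig present but no config");
           the <Key> element must be present and name the key above. -->
      <AllowNotify>
        <Peer>
          <Prefix>192.0.2.1</Prefix>
          <Key>upstream-xfr</Key>
        </Peer>
      </AllowNotify>
    </Inbound>

    <Outbound>
      <!-- Downstream secondaries that pull the signed zone -->
      <ProvideTransfer>
        <Peer>
          <Prefix>198.51.100.0/24</Prefix>
          <Key>upstream-xfr</Key>
        </Peer>
      </ProvideTransfer>
      <Notify>
        <Remote>
          <Address>198.51.100.2</Address>
          <Port>53</Port>
          <Key>upstream-xfr</Key>
        </Remote>
      </Notify>
    </Outbound>
  </DNS>
</Adapter>
```

The point to take from the fragment is that every peer entry that can receive a TSIG-signed message (the notify peer, not only the transfer remote) carries its own <Key> reference; a <Prefix>-only entry is an unsigned-only ACL as far as ods-signerd is concerned, which is the difference the log lines above report.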
