[Opendnssec-user] TSIG Notify: Migrating from 1.x to 2.x
Havard Eidnes
he at uninett.no
Mon Feb 17 17:03:08 UTC 2020
Hi,
I promise, a single-issue message this time... :)
One thing which tripped me up in my upgrade, using DNS/IXFR/AXFR
both inbound and outbound from OpenDNSSEC, and using TSIG both
for IXFR/AXFR/NOTIFY from the upstream name server:
While OpenDNSSEC 1.4.x in the "addns.xml" file could have

  <Inbound>
    <!-- Address of host to request XFR from -->
    <RequestTransfer>
      <Remote>
        <Address>a.b.c.d</Address>
        <Key>keyname</Key>
      </Remote>
    </RequestTransfer>
    <AllowNotify>
      <Peer>
        <Prefix>a.b.c.d</Prefix>
      </Peer>
    </AllowNotify>
  </Inbound>

OpenDNSSEC 1.4.x would with this configuration accept TSIG-signed
notify messages from the upstream name server and act on them.
OpenDNSSEC 2.x, however, appears to *require* the <Key> element,
like this:

  <AllowNotify>
    <Peer>
      <Prefix>a.b.c.d</Prefix>
      <Key>keyname</Key>
    </Peer>
  </AllowNotify>

in order for an incoming TSIG-signed notify to be accepted. If
you don't, the log will contain

  Feb 17 16:57:24 nnn ods-signerd: [query] incoming notify for zone eduvpn.no
  Feb 17 16:57:24 nnn ods-signerd: [acl] no match: tsig present but no config
  Feb 17 16:57:24 nnn ods-signerd: [query] unauthorized notify for zone eduvpn.no from a.b.c.d: no acl matches

The migration instructions on
https://www.opendnssec.org/migration-from-1-4-to-2-1/
fail to mention this change in behaviour.
Regards,
- Håvard
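A pre-migration check for the behaviour change described above, added here as an example and not code from the post or from the OpenDNSSEC project: it parses an addns.xml, lists every AllowNotify peer that has no <Key> (which 2.x logs as "tsig present but no config" for a TSIG-signed notify), suggests the key already used for the matching RequestTransfer master, and can write the missing <Key> in. The <Adapter><DNS> wrapper elements, the second peer and its key name are assumptions; the rest of the sample mirrors the configuration in the post.

```python
import xml.etree.ElementTree as ET

# Constructed addns.xml fragment mirroring the 1.4.x configuration in the post.
# The <Adapter><DNS> wrapper and the second (already keyed) peer are assumptions.
SAMPLE_ADDNS = """<Adapter><DNS>
  <Inbound>
    <RequestTransfer>
      <Remote><Address>a.b.c.d</Address><Key>keyname</Key></Remote>
    </RequestTransfer>
    <AllowNotify>
      <Peer><Prefix>a.b.c.d</Prefix></Peer>
      <Peer><Prefix>10.0.0.0/8</Prefix><Key>otherkey</Key></Peer>
    </AllowNotify>
  </Inbound>
</DNS></Adapter>"""

def _master_keys(inbound):
    """Map each RequestTransfer master address to the TSIG key name it uses."""
    keys = {}
    for remote in inbound.iterfind("RequestTransfer/Remote"):
        addr, key = remote.findtext("Address"), remote.findtext("Key")
        if addr and key:
            keys[addr.strip()] = key.strip()
    return keys

def find_unkeyed_notify_peers(xml_text):
    """Return [(prefix, suggested_key_or_None)] for AllowNotify peers without <Key>.
    On 2.x such a peer never matches a TSIG-signed NOTIFY ("tsig present but
    no config"), so the notify is logged as unauthorized and not acted on."""
    findings = []
    for inbound in ET.fromstring(xml_text).iter("Inbound"):
        masters = _master_keys(inbound)
        for peer in inbound.iterfind("AllowNotify/Peer"):
            if peer.find("Key") is None:
                prefix = (peer.findtext("Prefix") or "").strip()
                findings.append((prefix, masters.get(prefix)))
    return findings

def add_missing_keys(xml_text):
    """Return the config with <Key> added to each unkeyed peer whose prefix
    equals a keyed master address (the single-master case in the post)."""
    root = ET.fromstring(xml_text)
    for inbound in root.iter("Inbound"):
        masters = _master_keys(inbound)
        for peer in inbound.iterfind("AllowNotify/Peer"):
            prefix = (peer.findtext("Prefix") or "").strip()
            if peer.find("Key") is None and prefix in masters:
                ET.SubElement(peer, "Key").text = masters[prefix]
    return ET.tostring(root, encoding="unicode")
```

Running find_unkeyed_notify_peers over the real addns.xml before upgrading shows which peers will start failing; add_missing_keys only fills in peers whose prefix is exactly a keyed master address, so peers listed as wider prefixes still need a key chosen by hand.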