<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2. Provisioning signed notification and AXFR requests</title><link rel="stylesheet" href="docbook.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /><link rel="home" href="index.html" title="PowerDNS manual" /><link rel="up" href="tsig.html" title="Chapter 13. TSIG: shared secret authorization and authentication" /><link rel="prev" href="tsig.html" title="Chapter 13. TSIG: shared secret authorization and authentication" /><link rel="next" href="allow-axfr-from.html" title="Chapter 14. AXFR ACLs" /></head><body><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">2. Provisioning signed notification and AXFR requests</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="tsig.html">Prev</a> </td><th width="60%" align="center">Chapter 13. TSIG: shared secret authorization and authentication</th><td width="20%" align="right"> <a accesskey="n" href="allow-axfr-from.html">Next</a></td></tr></table><hr /></div><div class="section" title="2. Provisioning signed notification and AXFR requests"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="tsig-outbound-notify-axfr"></a>2. Provisioning signed notification and AXFR requests</h2></div></div></div><p> To configure PowerDNS to send out TSIG signed AXFR requests for a zone to its master(s), set the AXFR-MASTER-TSIG metadata item for the relevant domain to the key that must be used. </p><p> The actual TSIG key must also be provisioned, as outlined in the previous section. </p><p> For the popular Generic SQL backends, configuring the use of TSIG for AXFR requests could be achieved as follows: </p><pre class="programlisting"> sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='); sql> select id from domains where name='powerdnssec.org'; 5 sql> insert into domainmetadata (domain_id, kind, content) values (5, 'AXFR-MASTER-TSIG', 'test'); </pre><p> </p><p> This setup corresponds to the TSIG-ALLOW-AXFR access rule defined in the previous section. </p><p> In the interest of interoperability, the configuration above is (not quite) similar to the following BIND statements: </p><pre class="programlisting"> key test. { algorithm hmac-md5; secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="; }; server 127.0.0.1 { keys { test.; }; }; zone "powerdnssec.org" { type slave; masters { 127.0.0.1; }; file "powerdnssec.org"; }; </pre><p> Except that in this case, TSIG will be used for all communications with the master, not just those about AXFR requests. </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="tsig.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="tsig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="allow-axfr-from.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. TSIG: shared secret authorization and authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. AXFR ACLs</td></tr></table></div></body></html>