pdns-3.3.2-1.mga4.x86_64.rpm

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2. Provisioning signed notification and AXFR requests</title><link rel="stylesheet" href="docbook.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /><link rel="home" href="index.html" title="PowerDNS manual" /><link rel="up" href="tsig.html" title="Chapter 13. TSIG: shared secret authorization and authentication" /><link rel="prev" href="tsig.html" title="Chapter 13. TSIG: shared secret authorization and authentication" /><link rel="next" href="allow-axfr-from.html" title="Chapter 14. AXFR ACLs" /></head><body><div class="section" title="2. Provisioning signed notification and AXFR requests"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="tsig-outbound-notify-axfr"></a>2. Provisioning signed notification and AXFR requests</h2></div></div></div><p>
    To configure PowerDNS to send TSIG-signed AXFR requests for a zone to its master(s), set the
    AXFR-MASTER-TSIG metadata item for the relevant domain to the name of the key that must be used.
  </p><p>
    The actual TSIG key must also be provisioned, as outlined in the previous section.
  </p><p>
    With the popular Generic SQL backends, TSIG for AXFR requests can be configured as follows:
</p><pre class="programlisting">
sql&gt; insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
sql&gt; select id from domains where name='powerdnssec.org';
5
sql&gt; insert into domainmetadata (domain_id, kind, content) values (5, 'AXFR-MASTER-TSIG', 'test');
</pre><p>
    This setup corresponds to the TSIG-ALLOW-AXFR access rule defined in the previous section.
  </p><p>
    For readers coming from BIND, the configuration above is similar (though not quite identical) to the following BIND statements:
</p><pre class="programlisting">
key test. {
        algorithm hmac-md5;
        secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=";
};

server 127.0.0.1 {
        keys { test.; };
};

zone "powerdnssec.org" {
        type slave;
        masters { 127.0.0.1; };
        file "powerdnssec.org";
};
</pre><p>
  The difference is that with this BIND configuration, TSIG is used for all communication with the master, not just for AXFR requests.
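  </p><p>
    As an added example (not part of the PowerDNS manual or the PowerDNS code base), the following Python script repeats the provisioning above against an in-memory SQLite database, looking the domain id up by name, and then audits for slave zones that have no AXFR-MASTER-TSIG entry or that name a key missing from tsigkeys. The reduced table schema, the helper names and the zones other than powerdnssec.org are assumptions made for the illustration.
  </p>

```python
import base64
import secrets
import sqlite3

# Reduced schema (assumption): only the columns used on this page, plus domains.type.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT UNIQUE, type TEXT);
CREATE TABLE tsigkeys (id INTEGER PRIMARY KEY, name TEXT, algorithm TEXT, secret TEXT, UNIQUE (name, algorithm));
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INT NOT NULL, kind TEXT, content TEXT);
"""

def new_secret(nbytes=32):
    """Return a base64 secret drawn from the OS CSPRNG, as stored in tsigkeys.secret."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def provision(conn, zone, key_name, secret, algorithm="hmac-md5"):
    """Store the key and bind it to `zone` for outgoing AXFR requests (hypothetical helper)."""
    row = conn.execute("SELECT id FROM domains WHERE name = ?", (zone,)).fetchone()
    if row is None:
        raise LookupError(f"zone {zone!r} is not in the domains table")
    with conn:  # one transaction: key and metadata are committed together or not at all
        conn.execute("INSERT OR IGNORE INTO tsigkeys (name, algorithm, secret) VALUES (?, ?, ?)",
                     (key_name, algorithm, secret))  # an existing key of that name is left untouched
        conn.execute("DELETE FROM domainmetadata WHERE domain_id = ? AND kind = 'AXFR-MASTER-TSIG'",
                     (row[0],))
        conn.execute("INSERT INTO domainmetadata (domain_id, kind, content) VALUES (?, 'AXFR-MASTER-TSIG', ?)",
                     (row[0], key_name))

def audit(conn):
    """Return (zone, key name, reason) for slave zones without a usable AXFR-MASTER-TSIG key."""
    return conn.execute("""
        SELECT d.name, m.content,
               CASE WHEN m.content IS NULL THEN 'no AXFR-MASTER-TSIG' ELSE 'key not in tsigkeys' END
        FROM domains d
        LEFT JOIN domainmetadata m ON m.domain_id = d.id AND m.kind = 'AXFR-MASTER-TSIG'
        LEFT JOIN tsigkeys k ON k.name = m.content
        WHERE d.type = 'SLAVE' AND (m.content IS NULL OR k.id IS NULL)
        ORDER BY d.name""").fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample zones (ids 1, 2, 3); only powerdnssec.org appears on the page.
    conn.executemany("INSERT INTO domains (name, type) VALUES (?, 'SLAVE')",
                     [("powerdnssec.org",), ("unsigned.example",), ("typo.example",)])
    provision(conn, "powerdnssec.org", "test", new_secret())
    # Constructed mistake: zone 3 names the key 'tset', which was never provisioned.
    conn.execute("INSERT INTO domainmetadata (domain_id, kind, content) VALUES (3, 'AXFR-MASTER-TSIG', 'tset')")
    return audit(conn)
```

<p>
    Each row returned by <code>audit()</code> names a slave zone whose AXFR-MASTER-TSIG entry is missing or points at a key name that is not present in tsigkeys.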
  </p></div></body></html>