Hi Marc,

On 2/10/20 10:42 PM, Marc Boisis via Pdns-users wrote:
> Here is my config:
> [isc-dhcp] ----dns update---->[dnsdist--->pdns authoritative]
> The ISC DHCP server (v4.4.2) sends a DNS update query with a TSIG
> key (hmac-md5). (I see it with tcpdump/wireshark.)
> When the authoritative server gets the request, it says: "UPDATE (9470) from
> 127.0.0.1 for my-domain.com: TSIG key required, but packet does not
> contain key. Sending REFUSED"
> 
> my dnsdist config is:
> 
> newServer({address='127.0.0.1:5300', pool='auth'})
> addAction(OpcodeRule(DNSOpcode.Update), PoolAction("auth"))
> 
> my authoritative config:
> 
> allow-dnsupdate-from=127.0.0.0/8
> dnsupdate=yes
> 
> Am I missing something?

Would you mind sharing the exact versions of dnsdist and PowerDNS
authoritative server you are using?

Did you try capturing the packet leaving dnsdist toward the
authoritative server to confirm that the TSIG key is still there? Your
configuration does not require the addition of EDNS Client Subnet so
dnsdist shouldn't be altering the packet at all, but it would be nice to
know what the authoritative server actually receives.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
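
Added example, not part of the message above and not PowerDNS code: one way to carry out the suggested check on raw DNS payload bytes taken from a capture on each side of dnsdist, reporting whether an UPDATE still carries a TSIG record. The sample packets, the key name dhcp-key and the zeroed MAC are constructed for illustration.

```python
import struct

TSIG, UPDATE = 250, 5   # TSIG RR type (RFC 8945), UPDATE opcode (RFC 2136)

def read_name(msg, off):
    """Return (dotted name, offset just past the name), following compression pointers."""
    labels, end, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                  # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def find_tsig(msg):
    """Return the opcode and, if present, the TSIG key name, algorithm and MAC length."""
    _id, flags, zo, pr, up, ad = struct.unpack_from("!6H", msg, 0)
    info, off = {"opcode": (flags >> 11) & 0xF, "tsig": None}, 12
    for _ in range(zo):                              # zone section: name, type, class
        off = read_name(msg, off)[1] + 4
    for _ in range(pr + up + ad):                    # prerequisite, update, additional RRs
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TSIG:                            # RDATA: alg name, time(6), fudge(2), MAC size(2)
            alg, p = read_name(msg, off)
            info["tsig"] = {"key": owner, "algorithm": alg,
                            "mac_len": struct.unpack_from("!H", msg, p + 8)[0]}
        off += rdlen
    return info

def enc(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def sample_update(with_tsig):
    """Constructed UPDATE for example.org; key name and zeroed MAC are placeholders."""
    body = enc("example.org") + struct.pack("!HH", 6, 1)                     # zone: SOA IN
    body += enc("host.example.org") + struct.pack("!HHIH4B", 1, 1, 300, 4, 192, 0, 2, 10)
    if with_tsig:
        rdata = (enc("hmac-md5.sig-alg.reg.int") + struct.pack("!HIHH", 0, 1581372120, 300, 16)
                 + bytes(16) + struct.pack("!HHH", 0x1234, 0, 0))
        body += enc("dhcp-key") + struct.pack("!HHIH", TSIG, 255, 0, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, UPDATE << 11, 1, 0, 1, int(with_tsig)) + body
```

If `find_tsig` reports a TSIG record for the payload entering dnsdist and `None` for the one arriving on port 5300, the record was lost between the two capture points; for DNS over TCP, strip the 2-byte length prefix before passing the payload in.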
