On 15 Jan 2024, at 16:03, Anand Buddhdev <anandb(a)ripe.net> wrote:
On 15/01/2024 16:53, Einar Bjarni Halldórsson wrote:
Hi Einar,
But do I need the TSIG key configured both in remote section, and in acl section?
I guess my point is, what is the purpose of the key attribute in remote section?
If you configure a TSIG key in the remote section, then the NOTIFY will be signed with
the key. This does no harm, but signed NOTIFY messages are unnecessary. But be careful. If
the remote is Knot DNS or NSD, and has been configured with a notify acl containing a key,
then, if I recall correctly, it will ignore an unsigned NOTIFY. If it's BIND, then I
think it doesn't care. So if you're going to remove the key from your
"remote" definition, ensure that the remote will accept your unsigned NOTIFY.
Ah, of course! I blanked on the notify being signed.
It all makes sense now.
Thank you,
.einar
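
The two places the key appears, as an added Knot DNS configuration sketch that is not part of the original messages: the primary's `remote` and `acl` sections, and a Knot secondary whose notify acl carries the key. The key name `xfr-key`, the secret placeholder, the zone `example.com` and the documentation-range addresses are all assumptions.

```yaml
# ---- primary: knot.conf (constructed example) ----
key:
  - id: xfr-key                     # assumed key name
    algorithm: hmac-sha256
    secret: <base64-secret-placeholder>

remote:
  - id: secondary
    address: 198.51.100.2
    key: xfr-key                    # outgoing NOTIFY to this remote is TSIG-signed;
                                    # remove this line and the NOTIFY goes out unsigned

acl:
  - id: xfr-to-secondary
    address: 198.51.100.2
    key: xfr-key                    # incoming AXFR/IXFR must come from this address
    action: transfer                # AND be signed with this key to match the rule

zone:
  - domain: example.com
    notify: secondary               # who gets NOTIFY (uses the remote section)
    acl: xfr-to-secondary           # who may transfer (uses the acl section)

# ---- secondary: knot.conf (separate file, constructed example) ----
key:
  - id: xfr-key
    algorithm: hmac-sha256
    secret: <base64-secret-placeholder>

remote:
  - id: primary
    address: 192.0.2.1
    key: xfr-key                    # signs the transfer requests sent to the primary

acl:
  - id: notify-from-primary
    address: 192.0.2.1
    key: xfr-key                    # every condition in a rule must match, so an
    action: notify                  # unsigned NOTIFY does not match this rule

zone:
  - domain: example.com
    master: primary
    acl: notify-from-primary        # drop "key" from this acl before the primary
                                    # stops signing its NOTIFY
```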