Open rgacogne opened 9 months ago
This is something I am also interested in. In my setup, all zones require TSIG keys to AXFR - I can get a secondary to transfer the catalog zone by setting `AXFR-MASTER-TSIG` as normal, but then the actual zones don't transfer because PowerDNS doesn't use the TSIG key.
I can work around it by adding the secondaries' IP to `allow-axfr-ips` on the primary, but this seems not ideal. Did you find any other way to get zones provisioned through a catalog zone to get the settings you were after?
Not really, I have an ugly solution where a timer is regularly checking all zones to check if the expected meta-data is set, and setting it otherwise. It works well for my use-case but it's really sad to have to do this out-of-band.
Playing about with this a bit more tonight, I've got a workaround - it's powerfully stupid, but it works; use a database trigger to set the domain metadata when a new row is added to the domains table. I'm using SQLite, but should be straightforward to adapt to PostgreSQL or MySQL:
```sql
CREATE TRIGGER set_tsig_key
AFTER INSERT ON domains
WHEN new.type = 'SLAVE'
BEGIN
    INSERT INTO domainmetadata (domain_id, kind, content)
    VALUES (new.id, 'AXFR-MASTER-TSIG', 'name-of-key-goes-here');
END;
```
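An added example (not code from this thread or from PowerDNS) combining the two workarounds described above: it installs the trigger on a reduced, constructed copy of the `domains` and `domainmetadata` tables, then runs the kind of audit a periodic check would need, listing secondary zones whose `AXFR-MASTER-TSIG` is missing or names a different key. The zone names, the `retired-key` value and the function names are assumptions.

```python
import sqlite3

# Constructed, reduced schema: only the columns the trigger and audit touch.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                             kind TEXT, content TEXT);
"""
# The trigger from the comment above, unchanged in behaviour.
TRIGGER = """
CREATE TRIGGER set_tsig_key AFTER INSERT ON domains
WHEN new.type = 'SLAVE'
BEGIN
    INSERT INTO domainmetadata (domain_id, kind, content)
    VALUES (new.id, 'AXFR-MASTER-TSIG', 'name-of-key-goes-here');
END;
"""
# Secondary zones with no AXFR-MASTER-TSIG row naming the expected key.
AUDIT = """
SELECT d.name FROM domains d
WHERE d.type = 'SLAVE'
  AND NOT EXISTS (SELECT 1 FROM domainmetadata m
                  WHERE m.domain_id = d.id
                    AND m.kind = 'AXFR-MASTER-TSIG' AND m.content = ?)
ORDER BY d.name
"""

def zones_missing_tsig(conn, expected_key):
    """Return secondary zones whose TSIG metadata is absent or names another key."""
    return [row[0] for row in conn.execute(AUDIT, (expected_key,))]

def add_zone(conn, name, zone_type):
    conn.execute("INSERT INTO domains (name, type) VALUES (?, ?)", (name, zone_type))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    add_zone(conn, "old.example", "SLAVE")      # predates the trigger: no metadata
    conn.executescript(TRIGGER)
    add_zone(conn, "new.example", "SLAVE")      # trigger sets the key
    add_zone(conn, "local.example", "NATIVE")   # not a secondary: ignored
    add_zone(conn, "stale.example", "SLAVE")    # trigger fires, then key is changed
    conn.execute("UPDATE domainmetadata SET content = 'retired-key' WHERE domain_id ="
                 " (SELECT id FROM domains WHERE name = 'stale.example')")
    return zones_missing_tsig(conn, "name-of-key-goes-here")

if __name__ == "__main__":
    print(demo())
```

The trigger only covers rows inserted after it exists, so the audit still reports zones created earlier and zones whose metadata was later changed.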
Short description
BIND defines custom properties for ACL, primaries and TSIG settings: https://bind9.readthedocs.io/en/stable/chapter6.html#catalog-zone-custom-properties and I would like a way to do the same with PowerDNS.
Usecase
My use-case is simple: I want to provision the TSIG keys and ACL to use on the secondaries for the zones learned on the consumer via the catalog zone itself.
I gave it a shot in https://github.com/PowerDNS/pdns/pull/12772 but my implementation did not match the current design.