Closed gareththered closed 1 year ago
Thanks for the details. The primary and secondary zone both need you to specify which TSIG key is to be used from the available keys you have configured in the Settings > TSIG section. So now that you need to change the key, you need to edit both the primary and secondary zone so that the new key will be used.
For the primary zone, go into the Zone Options and scroll down in the Zone Transfer tab. Here you need to specify the new key name for "Zone Transfer TSIG Key Names".
For the secondary zone, edit the SOA record, scroll down a bit and change the "TSIG Key Name" to use the new key.
Once it's done, the zone transfer will work using the new TSIG key. Let me know if you have any issues with the config.
I've found the culprit.
The key is also configured in the Secondary zone's SOA record. That begs the question of why it is in both the SOA and in Options > Zone Transfer?
Anyway, after a restart of the service, it now works.
> I've found the culprit.
> The key is also configured in the Secondary zone's SOA record. That begs the question of why it is in both the SOA and in Options > Zone Transfer?

Secondary zones can also respond to zone transfer requests just like primary zones. So you can have a scenario where one secondary zone updates via another secondary zone. That is why the downstream zone transfer options are kept as metadata in the SOA record, where the primary server's address is already present.

> Anyway, after a restart of the service, it now works.
Just a small note: restarting the service is not required for any of the config changes. All changes are applied immediately, but certain tasks which are timer-based will trigger only when the time elapses.
I have two Technitium DNS servers, one primary and the other secondary (both now at v 11.2), where the primary uses a zone transfer to push records to the secondary. This is protected by a TSIG key.
I've changed TSIG keys, but the secondary still thinks it should use the original.
The TSIG key has been replaced on Settings > TSIG on both servers. The original `tsig-key` has been deleted, and a replacement `key1` added.
On the zone of the primary server, I've set it to notify the secondary by IP address.
On the zone of the secondary server, I've set Zone Transfer to Accept, and selected the `key1` TSIG key.
I've restarted both servers.
Clicking on Resync on the zone on the secondary server results in Sync Failed, and on the secondary's logs, I still see:
[2023-06-06 20:58:53 UTC] DNS Server does not have TSIG key 'tsig-key' configured for refreshing secondary zone: <myRedactedDomain>.me.uk
It seems it's expecting the original TSIG key. I've looked everywhere on both servers, and can find no mention of `tsig-key` since deleting it, so I'm not sure where it's getting this from.