To configure PowerDNS to send out TSIG-signed AXFR requests for a zone to its master(s), set the AXFR-MASTER-TSIG metadata item for the relevant domain to the name of the key that must be used.
The actual TSIG key must also be provisioned, as outlined in the previous section.
For the popular Generic SQL backends, configuring the use of TSIG for AXFR requests can be achieved as follows:

sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
sql> select id from domains where name='powerdnssec.org';
5
sql> insert into domainmetadata (domain_id, kind, content) values (5, 'AXFR-MASTER-TSIG', 'test');

This setup corresponds to the TSIG-ALLOW-AXFR access rule defined in the previous section.
In the interest of interoperability, the configuration above is similar, though not quite identical, to the following BIND statements:

key test. {
        algorithm hmac-md5;
        secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=";
};

server 127.0.0.1 {
        keys { test.; };
};

zone "powerdnssec.org" {
        type slave;
        masters { 127.0.0.1; };
        file "powerdnssec.org";
};

The difference is that in the BIND case, TSIG will be used for all communications with the master, not just those about AXFR requests.
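
For the Generic SQL provisioning shown earlier, a consistency check over the same tables can catch an AXFR-MASTER-TSIG item that names a key which was never provisioned, or a secret that is not valid base64. The following is an added example, not PowerDNS code: it assumes a minimal SQLite schema holding only the columns used in the statements above, constructed sample rows, and a local policy choice of preferred algorithms.

```python
import base64
import sqlite3

# Assumption: local policy for this example; the page's own sample key uses hmac-md5.
PREFERRED_ALGORITHMS = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}

# Constructed minimal schema: only the columns used in the page's SQL statements.
SCHEMA = """
create table domains (id integer primary key, name text);
create table tsigkeys (name text, algorithm text, secret text);
create table domainmetadata (domain_id integer, kind text, content text);
"""

AUDIT_QUERY = """
select d.name, m.content, k.algorithm, k.secret
from domainmetadata m join domains d on d.id = m.domain_id
left join tsigkeys k on k.name = m.content
where m.kind = 'AXFR-MASTER-TSIG' order by d.name
"""

def audit_axfr_tsig(conn):
    """Return (domain, key_name, problem) tuples for broken or weak TSIG setups."""
    findings = []
    for domain, key_name, algorithm, secret in conn.execute(AUDIT_QUERY):
        if algorithm is None:  # left join found no matching tsigkeys row
            findings.append((domain, key_name, "key not in tsigkeys"))
            continue
        try:
            base64.b64decode(secret, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            findings.append((domain, key_name, "secret is not valid base64"))
        if algorithm.lower() not in PREFERRED_ALGORITHMS:
            findings.append((domain, key_name, "legacy algorithm " + algorithm))
    return findings

def build_sample_db():
    """Constructed sample data: the page's rows plus two deliberately broken domains."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into tsigkeys values (?, ?, ?)",
        [("test", "hmac-md5", "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="),
         ("bad", "hmac-sha256", "not base64!")])
    conn.executemany("insert into domains values (?, ?)",
        [(5, "powerdnssec.org"), (6, "example.net"), (7, "example.org")])
    conn.executemany("insert into domainmetadata values (?, 'AXFR-MASTER-TSIG', ?)",
        [(5, "test"), (6, "missing"), (7, "bad")])
    return conn

if __name__ == "__main__":
    print(*audit_axfr_tsig(build_sample_db()), sep="\n")
```

The key name comparison here is an exact string match; adjust it if your key names differ in case or trailing dot between tables.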