Cannot force TSIG on AXFR zone transfers.

[erisk-id]

Env:
Primary: PowerDNS 4.9.4 + AlmaLinux 9.5 192.168.182.20
Secondary: PowerDNS 4.9.4 + Rocky Linux 9.5 192.168.182.16

Hello.
I am testing AXFR zone transfers using TSIG keys between PowerDNS.

The primary zone is created using PowerDNS-Admin.

On the Primary server I have configured it by entering the following commands.

# pdnsutil generate-tsig-key axfr_notify hmac-sha512
# pdnsutil activate-tsig-key test.example.com. axfr_notify primary
# pdnsutil activate-tsig-key 182.168.192.in-addr.arpa. axfr_notify primary
# pdnsutil set-meta test.example.com. allow-axfr-from 192.168.182.16
# pdnsutil set-meta 182.168.192.in-addr.arpa. ALLOW-AXFR-FROM 192.168.182.16

On the Secondary server, the following command was used to configure.

# pdnsutil create-secondary-zone test.example.com. 192.168.182.20
# pdnsutil create-secondary-zone 182.168.192.in-addr.arpa. 192.168.182.20
# pdnsutil import-tsig-key axfr_notify hmac-sha512 <TSIG Key>
# pdnsutil activate-tsig-key test.example.com. axfr_notify secondary
# pdnsutil activate-tsig-key 182.168.192.in-addr.arpa. axfr_notify secondary
# pdnsutil set-meta test.example.com. axfr-source 192.168.182.16
# pdnsutil set-meta 182.168.192.in-addr.arpa. AXFR-SOURCE 192.168.182.16

In practice, PowerDNS-to-PowerDNS zone transfers work well.

pdns pdns_server[1736]: AXFR-out zone '182.168.192.in-addr.arpa', client '192.168.182.16:34961', transfer initiated
pdns pdns_server[1736]: AXFR-out zone '182.168.192.in-addr.arpa', client '192.168.182.16:34961', allowed: TSIG signed request with authorized key 'axfr_notify' and algorithm 'hmac-sha512'
pdns pdns_server[1736]: AXFR-out zone 'test.example.com', client '192.168.182.16:40105', transfer initiated
pdns pdns_server[1736]: AXFR-out zone 'test.example.com', client '192.168.182.16:40105', allowed: TSIG signed request with authorized key 'axfr_notify' and algorithm 'hmac-sha512'

Mar 21 17:58:40 localhost.localdomain pdns_server[3767]: Received secure NOTIFY for 182.168.192.in-addr.arpa from 192.168.182.20, with TSIG key 'axfr_notify'
Mar 21 17:58:40 localhost.localdomain pdns_server[3767]: Received secure NOTIFY for test.example.com from 192.168.182.20, with TSIG key 'axfr_notify'
Mar 21 17:58:40 localhost.localdomain pdns_server[3767]: Received NOTIFY for test.example.com from 192.168.182.20 - queueing check
Mar 21 17:58:40 localhost.localdomain pdns_server[3767]: Received NOTIFY for 182.168.192.in-addr.arpa from 192.168.182.20 - queueing check
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: Freshness check source (AXFR-SOURCE) for domain '182.168.192.in-addr.arpa' set to 192.168.182.16
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: Freshness check source (AXFR-SOURCE) for domain 'test.example.com' set to 192.168.182.16
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: 2 secondary domains need checking, 0 queued for AXFR
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: Received serial number updates for 2 zones
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: Domain '182.168.192.in-addr.arpa' is stale, primary 192.168.182.20 serial 2025032115, our serial 2025032114
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: XFR-in zone: '182.168.192.in-addr.arpa', primary: '192.168.182.20', initiating transfer
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: Domain 'test.example.com' is stale, primary 192.168.182.20 serial 2025032106, our serial 2025032105
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: XFR-in zone: 'test.example.com', primary: '192.168.182.20', initiating transfer
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: gpgsql Connection successful. Connected to database 'pdns' on '127.0.0.1'.
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: gpgsql Connection successful. Connected to database 'pdns' on '127.0.0.1'.
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: XFR-in zone: '182.168.192.in-addr.arpa', primary: '192.168.182.20', xfr source set to 192.168.182.16
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: XFR-in zone: 'test.example.com', primary: '192.168.182.20', xfr source set to 192.168.182.16
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: XFR-in zone: '182.168.192.in-addr.arpa', primary: '192.168.182.20', starting AXFR
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: XFR-in zone: 'test.example.com', primary: '192.168.182.20', starting AXFR
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: AXFR-in zone '182.168.192.in-addr.arpa', primary '192.168.182.20', retrieval started
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: AXFR-in zone: '182.168.192.in-addr.arpa', primary: '192.168.182.20', retrieval finished
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: AXFR-in zone 'test.example.com', primary '192.168.182.20', retrieval started
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: AXFR-in zone: '182.168.192.in-addr.arpa', primary: '192.168.182.20', storage transaction started
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: AXFR-in zone: 'test.example.com', primary: '192.168.182.20', retrieval finished
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: AXFR-in zone: 'test.example.com', primary: '192.168.182.20', storage transaction started
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: AXFR-in zone: '182.168.192.in-addr.arpa', primary: '192.168.182.20', zone committed with serial 2025032115
Mar 21 17:58:41 localhost.localdomain pdns_server[3767]: AXFR-in zone: 'test.example.com', primary: '192.168.182.20', zone committed with serial 2025032106

However, when I checked using the dig command, I found that zone transfers were taking place even without TSIG keys.

# dig test.example.com. @192.168.182.20 axfr

; <<>> DiG 9.16.23-RH <<>> test.example.com. @192.168.182.20 axfr
;; global options: +cmd
test.example.com.       3600    IN      SOA     pdns.test.example.com. hostmaster.test.example.com. 2025032401 10800 3600 604800 3600
kea.test.example.com.   3600    IN      A       192.168.182.25
lm-ad-web.test.example.com. 28800 IN    A       192.168.182.29
lm-ad-web.test.example.com. 28800 IN    DHCID   <DHCID>
pdns-s.test.example.com. 3600   IN      A       192.168.182.16
pdns.test.example.com.  3600    IN      A       192.168.182.20
prec.test.example.com.  3600    IN      A       192.168.182.21
test.example.com.       3600    IN      NS      pdns.test.example.com.
test.example.com.       3600    IN      NS      pdns-s.test.example.com.
test.example.com.       3600    IN      SOA     pdns.test.example.com. hostmaster.test.example.com. 2025032401 10800 3600 604800 3600
;; Query time: 35 msec
;; SERVER: 192.168.182.20#53(192.168.182.20)
;; WHEN: Mon Mar 24 16:48:41 JST 2025
;; XFR size: 10 records (messages 3, bytes 425)

# dig 182.168.192.in-addr.arpa. @192.168.182.20 axfr

; <<>> DiG 9.16.23-RH <<>> 182.168.192.in-addr.arpa. @192.168.182.20 axfr
;; global options: +cmd
182.168.192.in-addr.arpa. 3600  IN      SOA     pdns.test.example.com. hostmaster.182.168.192.in-addr.arpa. 2025032401 10800 3600 604800 3600
16.182.168.192.in-addr.arpa. 3600 IN    PTR     pdns-s.test.example.com.
182.168.192.in-addr.arpa. 3600  IN      NS      pdns-s.test.example.com.
182.168.192.in-addr.arpa. 3600  IN      NS      pdns.test.example.com.
20.182.168.192.in-addr.arpa. 3600 IN    PTR     pdns.test.example.com.
21.182.168.192.in-addr.arpa. 3600 IN    PTR     prec.test.example.com.
25.182.168.192.in-addr.arpa. 3600 IN    PTR     kea.test.example.com.
29.182.168.192.in-addr.arpa. 28800 IN   DHCID   <DHCID>
29.182.168.192.in-addr.arpa. 28800 IN   PTR     lm-ad-web.test.example.com.
182.168.192.in-addr.arpa. 3600  IN      SOA     pdns.test.example.com. hostmaster.182.168.192.in-addr.arpa. 2025032401 10800 3600 604800 3600
;; Query time: 37 msec
;; SERVER: 192.168.182.20#53(192.168.182.20)
;; WHEN: Mon Mar 24 16:39:01 JST 2025
;; XFR size: 10 records (messages 3, bytes 502)

I think I have followed the setup as per the reference.
I was able to force the use of TSIG with a similar procedure for DDNS settings, but is there another procedure required for AXFR?

pdns.conf (primary)

version-string=anonymous

daemon=no
guardian=no

launch=gpgsql
gpgsql-host=127.0.0.1
gpgsql-port=5432
gpgsql-dbname=pdns
gpgsql-user=pdns
gpgsql-password=<DB_password>

setgid=pdns
setuid=pdns

api=yes
api-key=<API_key for PowerDNS-Admin>

loglevel=6
log-dns-details=yes

primary=yes

dnsupdate=yes
allow-dnsupdate-from=192.168.182.25/32

pdns.conf(secondary)

version-string=anonymous

allow-notify-from=192.168.182.20
secondary=yes
allow-unsigned-notify=no

daemon=no
guardian=no

launch=gpgsql
gpgsql-host=127.0.0.1
gpgsql-port=5432
gpgsql-dbname=pdns
gpgsql-user=pdns
gpgsql-password=pdns

setgid=pdns
setuid=pdns

loglevel=6
log-dns-details=yes

TSIG Keys list(primary)

# pdnsutil list-tsig-keys
Mar 24 16:30:27 gpgsql Connection successful. Connected to database 'pdns' on '127.0.0.1'.
Mar 24 16:30:27 gpgsql Connection successful. Connected to database 'pdns' on '127.0.0.1'.
axfr_notify. hmac-sha512. <TSIG Key>
test. hmac-sha512. <TSIG Key>

secondary

# pdnsutil list-tsig-keys
Mar 24 16:30:54 gpgsql Connection successful. Connected to database 'pdns' on '127.0.0.1'.
Mar 24 16:30:54 gpgsql Connection successful. Connected to database 'pdns' on '127.0.0.1'.
axfr_notify. hmac-sha512. <TSIG Key same as master's axfr_notify.>

domainmetadata table(primary)

pdns=> select * from domainmetadata;
 id | domain_id |         kind         |    content
```-+`````````--+`````````````````````-+```````````````-
  2 |         1 | SOA-EDIT-API         | DEFAULT
  4 |         2 | SOA-EDIT-API         | DEFAULT
  5 |         1 | TSIG-ALLOW-AXFR      | axfr_notify
  6 |         2 | TSIG-ALLOW-AXFR      | axfr_notify
  7 |         1 | ALLOW-AXFR-FROM      | 192.168.182.16
  8 |         2 | ALLOW-AXFR-FROM      | 192.168.182.16
  9 |         1 | TSIG-ALLOW-DNSUPDATE | test
 10 |         2 | TSIG-ALLOW-DNSUPDATE | test

secondary

pdns=> select * from domainmetadata;
 id | domain_id |       kind       |    content
```-+`````````--+``````````````````+```````````````-
  9 |         5 | AXFR-MASTER-TSIG | axfr_notify
 10 |         6 | AXFR-MASTER-TSIG | axfr_notify
 11 |         5 | AXFR-SOURCE      | 192.168.182.16
 12 |         6 | AXFR-SOURCE      | 192.168.182.16

[erisk-id]

Self resolved.
I found that execting

pdnsutil set-meta <zone> allow-axfr-from <secondary_ip> 

would cause the zone transfer to be performed without TSIG if from that secondary ip address.
Since it is not allow-axfr-ips, I thought this setting would use both IP ACL and TSIG Key.
I was able to force TSIG usage by removing this zone metadata.
I am now aware that PowerDNS does not able to use TSIG keys + IP ACLs to coexist.

For my imagined setup, I would probably need to use dnsdist.

Thank you.