<div dir="ltr">Thanks a lot for your quick response. Your answer is helpful.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 24, 2021 at 4:22 PM Tony Finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Nagesh Thati <<a href="mailto:tcpnagesh@gmail.com" target="_blank">tcpnagesh@gmail.com</a>> wrote:<br>
><br>
> Can anyone tell me why I am getting TSIG errors and SERVFAIL errors for<br>
> non-managed zones? Why is named using the "server statement" TSIG key in<br>
> forwarding queries instead of using this TSIG only for ixfr/axfr?<br>
<br>
TSIG is a bit confusing to set up because there are a bunch of options<br>
and the use-cases and pros and cons can be unclear.<br>
<br>
The `server` clause has a grab-bag of options that you can specify about<br>
other nameservers that your server might communicate with for whatever<br>
reason. If you configure a TSIG key in a `server` clause, it is used for<br>
all traffic with that server. (There will normally be a corresponding<br>
config on the other server for traffic in the opposite direction.) It's<br>
convenient to use for traffic between authoritative servers, because it<br>
gives you one place to secure refresh queries, notifies, and zone<br>
transfers. But in a more complicated configuration like yours it can have<br>
an unwanted effect on other traffic.<br>
<br>
Another approach is to configure TSIG for each kind of traffic separately.<br>
More explicit, but more verbose. The way I like to do this is to have<br>
`acl` clauses with helpful names, which can then be used in allow-notify<br>
and allow-transfer options to require TSIG for incoming requests; and<br>
corresponding top-level `primaries` clauses for use in per-zone<br>
`primaries` and/or `also-notify` clauses for outgoing requests. I can put<br>
all this access control stuff into a shared config file used on all my<br>
servers, and the authoritative TSIG stuff will not affect recursive<br>
queries.<br>
<br>
(For example, at Cambridge we have a mutual secondarying arrangement with<br>
Imperial College with TSIG and IPv6 and DNSSEC and all that good stuff;<br>
our recursive servers don't know anything special about the Imperial<br>
zones, and we don't need or want recursive queries between us to use TSIG.<br>
Our recursive servers still have the same shared access control config,<br>
but the Imperial parts are not used there, because none of the zone<br>
clauses refer to the Imperial acl/primaries names.)<br>
<br>
This kind of explicit TSIG configuration doesn't work in all cases: for<br>
instance, you can't specify TSIG keys in the `forwarders` clause, so you<br>
have to use a `server` clause to configure TSIG for forwarding.<br>
<br>
I haven't answered your specific questions because I'm not sure I<br>
understand the details of your setup properly, but I hope this more<br>
general answer is helpful.<br>
<br>
Tony.<br>
-- <br>
f.anthony.n.finch <<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>> <a href="https://dotat.at/" rel="noreferrer" target="_blank">https://dotat.at/</a><br>
harness technological change to human advantage<br>
<br>
</blockquote></div>
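<div dir="ltr">Added example, not part of the original thread or of either poster's configuration: a named.conf sketch of the per-traffic TSIG layout described in the quoted reply, with the broad `server` form shown commented out for comparison. The key name, secret placeholder, zone names, file paths and the 192.0.2.53 documentation address are assumptions.</div>

```conf
// Constructed example. All names, addresses and paths are placeholders.

key "xfer-partner" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real secret
};

// Broad form: signs ALL traffic sent to this address with the key,
// including forwarded and recursive queries. Needed only when TSIG
// must cover forwarding, since `forwarders` cannot name a key.
// server 192.0.2.53 { keys { "xfer-partner"; }; };

// Explicit form, incoming side: a named acl that matches only
// requests signed with the key.
acl "partner-tsig" { key "xfer-partner"; };

// Explicit form, outgoing side: a named server list whose entries
// carry the key, for use in per-zone primaries / also-notify.
primaries "partner-primaries" {
    192.0.2.53 key "xfer-partner";
};

// Zone we are secondary for: signed refresh queries and transfers go
// out via the list; only signed notifies and transfers are accepted.
zone "example.org" {
    type secondary;
    file "secondary/example.org.db";
    primaries { "partner-primaries"; };
    allow-notify { "partner-tsig"; };
    allow-transfer { "partner-tsig"; };
};

// Zone we are primary for: signed notifies go out via the list;
// only signed transfer requests are served.
zone "example.net" {
    type primary;
    file "primary/example.net.db";
    also-notify { "partner-primaries"; };
    allow-transfer { "partner-tsig"; };
};

// A recursive server can include the same key/acl/primaries file:
// with no zone referring to these names, its queries stay unsigned.
```

Running `named-checkconf` on the merged configuration confirms the syntax before reload.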