tsig security
Mark.Andrews at nominum.com
Tue Jul 3 01:09:17 UTC 2001
> Is it possible to implement security such that both a certain IP address and
> a keyname:secret are authenticated for a nsupdate command. If so how?
> allow-update works based on IP but tsig works based on keys.
>
Well it's not clear whether you want the acl to perform an
"and" or an "or" but either is possible.

For IP address 1.2.3.4 and key "mykey".

OR:
	allow-update { 1.2.3.4; key "mykey"; };

AND:
	acl permit { 1.2.3.4; ... };
	acl denied { !permit; };
	allow-update { !denied; key "mykey"; };

The denied acl may need an "any;" at the end, I'm doing this
from memory. If there is only one IP address then you can
collapse the permit into the denied.
Mark
>
> Charles A. Bodley
> Technician
> TF Logic
>
> "It's amazing what you can do with a kind word,
> provided you've also got a big stick."
> - Johnny and the Dead
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
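
A small model of how the OR and AND lists in this reply evaluate, added here as an illustration; it is not part of the original post and not BIND's code. It assumes first-match evaluation in which a negative match inside a referenced acl counts as no match for the enclosing element; the tuple encoding, the `denied_no_any` name and the 192.0.2.9 address are constructed for the example, and the `...` in `permit` is left out.

```python
import ipaddress

def match(acl, addr, key, acls):
    """Return 1 (accept), -1 (reject) or 0 (no element matched); first match wins."""
    for negated, kind, value in acl:
        if kind == "any":
            hit = True
        elif kind == "addr":
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value)
        elif kind == "key":
            hit = key == value          # request was signed with this TSIG key
        else:                           # "acl": reference to a named acl
            # Assumption: only a positive match inside the referenced acl is a hit.
            hit = match(acls[value], addr, key, acls) > 0
        if hit:
            return -1 if negated else 1
    return 0

def allowed(acl, addr, key, acls):
    return match(acl, addr, key, acls) > 0

# Elements are (negated, kind, value).
ACLS = {
    "permit":        [(False, "addr", "1.2.3.4")],
    "denied":        [(True, "acl", "permit"), (False, "any", None)],
    "denied_no_any": [(True, "acl", "permit")],   # same acl without "any;"
}
OR_FORM    = [(False, "addr", "1.2.3.4"), (False, "key", "mykey")]
AND_FORM   = [(True, "acl", "denied"), (False, "key", "mykey")]
AND_NO_ANY = [(True, "acl", "denied_no_any"), (False, "key", "mykey")]

# Constructed requests: (source address, TSIG key name or None if unsigned).
CASES = [("1.2.3.4", "mykey"), ("1.2.3.4", None),
         ("192.0.2.9", "mykey"), ("192.0.2.9", None)]

def truth_table(acl):
    return [allowed(acl, addr, key, ACLS) for addr, key in CASES]

if __name__ == "__main__":
    for name, acl in [("OR", OR_FORM), ("AND", AND_FORM),
                      ("AND without any", AND_NO_ANY)]:
        print(f"{name:16}", truth_table(acl))
```

Under these assumptions the list without `any;` admits a correctly signed update from any address, so only the form with `any;` enforces both conditions.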