TSIG and ACL?
Mark_Andrews at isc.org
Tue Sep 25 13:40:00 UTC 2001
ACLs are processed in order. The !notslaves denies any request
other than from slaves, leaving only slaves, which then have to
prove they know the shared secret to actually succeed.
This really is overkill.
Also "acl notslaves { ! slaves; any; };" note the "any;".
Mark
> Thanks for the answer. It seems like a double negative? Can you explain
> how this works?
> Ted
>
>
> In article <9oosj6$45u at pub3.rc.vix.com>, cricket at nxdomain.com says...
> > > How do I restrict zone transfer to slaves in my ACL and a TSIG key?
> > >
> > > acl slaves {
> > > 192.168.1.1;
> > > 172.16.56.193;
> > > 10.0.0.149;
> > > };
> > >
> > > key "key" {
> > > algorithm hmac-md5;
> > > secret "*********";
> > > };
> >
> > Learned this one from Mark:
> >
> > acl notslaves { ! slaves; };
> >
> > options {
> > allow-transfer { ! notslaves; key key; };
> > };
> >
> > cricket
> >
> > Men & Mice
> > DNS Software & Services
> > www.menandmice.com
> >
>
> --
> Ted Stephens CNE, A+, CCA
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
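
Added example, not part of the original thread: a small Python model of address-match-list evaluation, run against the ACLs above with and without the "any;". It assumes BIND 9's behaviour that a negative match inside a nested ACL counts as "no match" for the enclosing list; the function names and the non-slave address 203.0.113.7 are constructed for illustration.

```python
import ipaddress

def match(acl, addr, key, acls):
    """Evaluate one address match list: +1 allow, -1 deny, 0 no match."""
    for elt in acl:
        negated = elt.startswith("!")
        name = elt.lstrip("! ")
        if name == "any":
            hit = True
        elif name.startswith("key "):
            hit = key == name[4:]            # request signed with that TSIG key
        elif name in acls:
            # Nested ACL: only a positive inner match counts. A negative
            # inner match is treated as "no match" (modelled assumption).
            hit = match(acls[name], addr, key, acls) > 0
        else:
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(name)
        if hit:                              # first matching element decides
            return -1 if negated else 1
    return 0                                 # nothing matched: denied

SLAVES = ["192.168.1.1", "172.16.56.193", "10.0.0.149"]
ALLOW_TRANSFER = ["!notslaves", "key key"]
AS_QUOTED = {"slaves": SLAVES, "notslaves": ["!slaves"]}
WITH_ANY = {"slaves": SLAVES, "notslaves": ["!slaves", "any"]}

# (source address, TSIG key name or None); 203.0.113.7 is a constructed non-slave
CASES = [("192.168.1.1", "key"), ("192.168.1.1", None),
         ("203.0.113.7", "key"), ("203.0.113.7", None)]

def decisions(acls):
    """Transfer allowed? One boolean per entry in CASES."""
    return [match(ALLOW_TRANSFER, a, k, acls) > 0 for a, k in CASES]

if __name__ == "__main__":
    for label, acls in (("without any;", AS_QUOTED), ("with any;", WITH_ANY)):
        for (addr, key), ok in zip(CASES, decisions(acls)):
            print(f"{label:13} {addr:12} key={key!s:5} transfer={'yes' if ok else 'no'}")
```

In this model, "notslaves" without "any;" never produces a positive match, so "! notslaves" denies nobody and the key alone decides. With "any;", a request must come from a listed slave address and be signed with the key.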