ACL and keys
Ladislav Vobr
lvobr at ies.etisalat.ae
Fri Aug 22 16:32:50 UTC 2003
Aha. In this example I basically want only 194.170.1.11, and only when it
has a valid key; then nobody else, with or without keys, or with the
same or a different IP.
Thanks for your reply, but I guess my problem is still unresolved. I
heard it is possible and tried several times with different ACLs, but
could not make it work.
Ladislav
Mark Damrose wrote:
>"Ladislav Vobr" <lvobr at ies.etisalat.ae> wrote in message
>news:bi4q0e$2tlc$1 at sf1.isc.org...
>
>
>>Dear Kevin,
>>
>> I tried it, but not successful. posting my setup....
>>
>>acl slaves {
>> 194.170.1.11;
>>};
>>
>>include "sharedsecret.txt";
>>
>>acl notslaves { ! slaves; };
>>
>>options {
>> directory "/usr/local/dns/ns0.bind-8.3.6/zones";
>> datasize 20M;
>> listen-on { 194.170.1.12; };
>> allow-transfer { ! notslaves; key tsigkey; };
>>
>>
>
>The order matters. BIND stops checking once it finds a match. In your
>list, notslaves matches and is denied without ever checking the key.
>
>I believe you want either
>allow-transfer { slaves; key tsigkey; };
>which will allow slaves or those with the key (all others denied by
>default). or
>
>allow-transfer { key tsigkey; ! notslaves; slaves; };
>which will allow anybody with the key, deny notslaves if they don't have the
>key, and then allow slaves without the key.
>
>
>
>>As I look at it, it simply says allow transfer to clients based on the
>>following ACLs: one is "not notslaves", which is slaves, and the second is
>>anybody with the key. That's how it works for me :-(, but I would like
>>to see a logical AND between the IP ACL and the key ACL. Is this possible?
>>
>>Ladislav
>>
>>
>>Kevin Darcy wrote:
>>
>>>Ladislav Vobr wrote:
>>>
>>>>How can I combine a BIND IP-based ACL with a key-based ACL? Something like
>>>>only a client from this IP and only with this key is allowed in
>>>>allow-transfer {}, allow-update {}...
>>>>
>>>http://marc.theaimsgroup.com/?l=bind-users&m=100138737915065&w=2
>>>
>>>
>>>- Kevin
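Added example, not part of the original thread: a small Python model of how BIND 9 evaluates an address_match_list used in allow-transfer. It follows the first-match rule from the BIND 9 ARM and BIND 9's rule that a negative match produced inside a nested list or named acl is reported to the enclosing list as "no match". It evaluates the three lists from this thread and, going beyond what the thread shows, the nested-negation form `allow-transfer { !{ !slaves; any; }; key tsigkey; };`, which is the BIND idiom for requiring both the source address and the key. The acl names, the address 194.170.1.11 and the key name tsigkey are taken from the posted configuration; 10.0.0.1 is a constructed outsider address; the model is a simplification (no radix-table lookup, TSIG verification reduced to a key name), and BIND 8, which the poster runs, is not modelled.

```python
"""Model of BIND 9 address_match_list evaluation for allow-transfer.

Added example, not from the thread. Modelling assumptions (BIND 9 ARM and
lib/dns/acl.c): elements are tried in order and the first match decides;
a negated element only denies on a positive match of its inner element;
a negative match inside a nested list or named acl is reported to the
enclosing list as "no match". BIND 8 is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Key:
    """`key NAME;` element: matches a request signed with that TSIG key."""
    name: str


@dataclass(frozen=True)
class Not:
    """`! ELEMENT;` element: a positive match of ELEMENT becomes a denial."""
    element: "Element"


# str is "any", "none", an address/prefix or an acl name; list is a nested list
Element = Union[str, Key, Not, list]

POSITIVE, NONE, NEGATIVE = 1, 0, -1

# acl statements as posted in the thread
ACLS = {
    "slaves": ["194.170.1.11"],
    "notslaves": [Not("slaves")],
}


def match_element(elem, addr, signer, acls):
    """Return POSITIVE, NEGATIVE or NONE for one element."""
    if isinstance(elem, Not):
        inner = match_element(elem.element, addr, signer, acls)
        return NEGATIVE if inner == POSITIVE else NONE
    if isinstance(elem, Key):
        return POSITIVE if signer == elem.name else NONE
    if isinstance(elem, list):
        # nested list: a negative result inside it is "no match" out here
        return POSITIVE if match_list(elem, addr, signer, acls) == POSITIVE else NONE
    if elem == "any":
        return POSITIVE
    if elem == "none":
        return NONE
    if elem in acls:
        return match_element(acls[elem], addr, signer, acls)
    net = ipaddress.ip_network(elem, strict=False)  # a bare address is a /32
    return POSITIVE if ipaddress.ip_address(addr) in net else NONE


def match_list(lst, addr, signer, acls):
    """The first element with a positive or negative result wins."""
    for elem in lst:
        r = match_element(elem, addr, signer, acls)
        if r != NONE:
            return r
    return NONE


def allowed(policy, addr, signer=None, acls=ACLS):
    """allow-* clause: a positive match allows; negative or no match denies."""
    return match_list(policy, addr, signer, acls) == POSITIVE


# allow-transfer { ! notslaves; key tsigkey; };          (the poster's list)
ORIGINAL = [Not("notslaves"), Key("tsigkey")]
# allow-transfer { slaves; key tsigkey; };               (first suggestion in the reply)
EITHER = ["slaves", Key("tsigkey")]
# allow-transfer { key tsigkey; ! notslaves; slaves; };  (second suggestion)
SECOND = [Key("tsigkey"), Not("notslaves"), "slaves"]
# allow-transfer { !{ !slaves; any; }; key tsigkey; };   (address AND key)
BOTH = [Not([Not("slaves"), "any"]), Key("tsigkey")]

CASES = [  # (source address, signing key or None); 10.0.0.1 is a constructed outsider
    ("194.170.1.11", "tsigkey"),
    ("194.170.1.11", None),
    ("10.0.0.1", "tsigkey"),
    ("10.0.0.1", None),
]


def decisions(policy):
    """Map each test case to True (transfer allowed) or False (refused)."""
    return {case: allowed(policy, *case) for case in CASES}


if __name__ == "__main__":
    for name, policy in [("ORIGINAL", ORIGINAL), ("EITHER", EITHER),
                         ("SECOND", SECOND), ("BOTH", BOTH)]:
        print(name)
        for (addr, key), ok in decisions(policy).items():
            print(f"  {addr:14} key={key!s:8} -> {'allow' if ok else 'deny'}")
```

Running it shows why the posted list behaves as the poster describes: `acl notslaves { ! slaves; }` never produces a positive match (for a slave it yields a denial, which the enclosing list sees as no match; for anyone else it yields nothing), so `! notslaves` denies nobody and the decision falls through to the key element, which lets any signer in regardless of address. `{ slaves; key tsigkey; }` and `{ key tsigkey; ! notslaves; slaves; }` both reduce to address OR key. Only the nested-negation form denies every address outside slaves before the key is considered, and then still requires the key for the slave itself.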