Views, Zones, keys (2)

Kevin Darcy kcd at daimlerchrysler.com
Fri May 26 21:16:23 UTC 2006


Read RFC 2845, Section 3.2

                                                                         
   - Kevin

Badbanchi Hossein wrote:
> A friendly list member suggested that I have a look at the man page
> of nsupdate.
>
> I did!
>
> According to the man page, one of the nsupdate commands is of the form:
>        key name secret
>               Specifies that all updates are to  be  TSIG  signed
>               using  the keyname keysecret pair.  The key command
>               overrides any key specified on the command line via
>               -y or -k.
>
> Because of the match-clients statement of the view, and the allow-update
> statement of the zone, I suppose my updates should be TSIG signed using
> two keyname keysecret pairs. Right?
>
> Can I have multiple "key name secret" commands in one nsupdate run?
>
> And if yes, will my updates be TSIG signed using all those
> keyname keysecret pairs?
>
> Thanks for any help.
>
> Regards,
> Amir
>
> -----Original Message-----
> From: Badbanchi Hossein 
> Sent: Friday, May 26, 2006 15:11
> To: 'bind-users at isc.org'
> Subject: Views, Zones, keys (2)
>
> Hi,
> Please imagine the following (Split DNS) scenario:
> named.conf contains two views with "match-clients" and/or "match-destinations"
> with "address_match_lists" only using "key" statements (no IP Address based
> "address_match_lists"). Each view has its own key.
>
> Each view contains a zone (say example.org) with different content.
>
> These two zones have their own "allow-update" statements each with a separate
> key. Again no IP based ACLs.
>
> My question is:
> How can "nsupdate" program (running from one machine) send updates to each of
> the above zones using TSIG keys?
>
> Thanks for any help.
>
> Regards,
> Amir
>
>   
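
Added example, not part of the original thread or of BIND: RFC 2845 Section 3.2 requires a TSIG record to be the last record in the additional section and does not allow multiple TSIG records, so each message carries exactly one signature. The Python below applies that placement check to constructed DNS UPDATE messages; the key names `view1-key` and `view2-key`, the host record and the TSIG RDATA are placeholders.

```python
import struct

TSIG = 250  # RR type code for TSIG

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def check_tsig_placement(msg):
    """Classify a raw DNS message by the RFC 2845 section 3.2 placement rule."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # type + class of the question/zone entry
    total, positions = an + ns + ar, []
    for i in range(total):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TSIG:
            positions.append(i)
    if not positions:
        return "unsigned"
    if ar == 0 or positions != [total - 1]:
        return "FORMERR"  # misplaced or repeated TSIG
    return "ok"

# --- constructed sample messages (placeholders, not captured traffic) ---
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def rr(owner, rtype, rdata, cls, ttl=0):
    return name(owner) + struct.pack("!HHIH", rtype, cls, ttl, len(rdata)) + rdata

def update(zone, updates, additional):
    hdr = struct.pack("!6H", 0x1234, 0x2800, 1, 0, len(updates), len(additional))
    return hdr + name(zone) + struct.pack("!HH", 6, 1) + b"".join(updates + additional)

A_REC = rr("host.example.org", 1, bytes([192, 0, 2, 1]), cls=1, ttl=300)
# Hypothetical key names; the RDATA is filler, not a real MAC.
SIG1 = rr("view1-key", TSIG, b"\0" * 16, cls=255)
SIG2 = rr("view2-key", TSIG, b"\0" * 16, cls=255)

if __name__ == "__main__":
    print(check_tsig_placement(update("example.org", [A_REC], [SIG1])))
    print(check_tsig_placement(update("example.org", [A_REC], [SIG1, SIG2])))
```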


