View selection via TSIG
Josh Paetzel
josh at tcbug.org
Wed Aug 19 23:48:47 UTC 2009
On Aug 19, 2009, at 6:30 PM, Mark Andrews wrote:
>>
>> Thanks. That worked, and I was quickly able to see what I was doing
>> wrong. My primary nameserver was matching an IP in one of the
>> views. So all the notifies were seen by slave as being in that one
>> view. IPs override keys.
>
> Acl matches are order sensitive. The !key is in the examples to prevent
> the signed message matching the view and moving onto the next one.
Ok, that makes even more sense. I was getting what appeared to be
very non-deterministic behavior, but well, of course, once you know
the rules it makes a lot of sense.
In my case with multiple views and multiple keys..
{ subnet A; key A; };
{ subnet B; key B; };
{ subnet C; key C; };
{ subnet D; key D; };
If the server was in subnet C, and used key A or B it would work fine,
but just by coincidence. Key C would work too, once again, by
coincidence...but key D...boom.
Anyways, it's working great now. Thanks to everyone who helped.
Thanks,
Josh Paetzel
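
The ordering behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python model of first-match ACL and view evaluation, run for a client in subnet C signing with each key. The subnets, view names and key names are constructed placeholders, and the negated-key layout is one assumed arrangement of the `!key` idea, not the configuration from the examples referred to above.

```python
import ipaddress

# Constructed model of an ordered address-match list: each element is
# (negated, kind, value), where kind is "key" or "net". All names and
# subnets here are hypothetical placeholders.
def acl_matches(acl, src_ip, tsig_key):
    """First matching element decides; a negated match rejects the client."""
    ip = ipaddress.ip_address(src_ip)
    for negated, kind, value in acl:
        if kind == "key":
            hit = tsig_key == value
        else:
            hit = ip in ipaddress.ip_network(value)
        if hit:
            return not negated
    return False

def select_view(views, src_ip, tsig_key):
    """Views are tried in configuration order; the first ACL match wins."""
    for name, acl in views:
        if acl_matches(acl, src_ip, tsig_key):
            return name
    return None

SUBNETS = {"A": "192.0.2.0/26", "B": "192.0.2.64/26",
           "C": "192.0.2.128/26", "D": "192.0.2.192/26"}

# Layout from the message: { subnet X; key X; } in every view.
naive = [(v, [(False, "net", SUBNETS[v]), (False, "key", v)]) for v in "ABCD"]

# Assumed corrected layout: { !key <every other key>; key X; subnet X; }
keyed = [(v, [(True, "key", o) for o in "ABCD" if o != v]
             + [(False, "key", v), (False, "net", SUBNETS[v])])
         for v in "ABCD"]

def results(views, src_ip="192.0.2.130"):
    """View chosen for a client in subnet C signing with each key in turn."""
    return {k: select_view(views, src_ip, k) for k in "ABCD"}

if __name__ == "__main__":
    print("naive:", results(naive))   # key D lands in view C
    print("keyed:", results(keyed))   # every key lands in its own view
```

In the naive layout keys A, B and C reach the intended view only because of where subnet C sits in the view order; key D is captured by view C's subnet entry before view D is ever tried.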