Question on allow-update and update-policy
Chris Buxton
chris.p.buxton at gmail.com
Sat Jun 12 22:20:22 UTC 2010
There is a way when using allow-update. I have no idea if this works
with update-policy. It looks something like this:
allow-update { ! { ! { ip-addrs; }; any; }; key-name; };
To understand this, remember that a negative ACL is not the same as
not listing the IP at all. It says, in essence, "Deny anyone we don't
trust, by IP. Then permit requests signed with the right key."
Regards,
Chris Buxton
BlueCat Networks
On 6/12/10, Angela Perez <perez.angela7 at googlemail.com> wrote:
> Hi,
>
> I have a question on using signed (TSIG) dynamic updates. My
> understanding is that both allow-update and update-policy allow
> either a host or a key.
>
> Is there any way (or workaround) to make bind only accept dynamic
> updates from a specific host that has the specific key?
>
> The problem I have is I work for a site that wants to issue signed
> dynamic updates to an external dns server. Since dynamic updates use
> port 53 and there is no way to control access on the network level,
> I'm looking for a way to convince bind to only accept dynamic updates
> if they originate from a specific host *and* are signed with the
> specific key.
>
> Thank you for taking the time to read my message,
> --a
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
--
Sent from my mobile device
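As an added example (not part of Chris's reply, and not BIND code), here is a small Python model of how BIND walks an address match list, including the rule that a negative match produced inside a nested list counts as "no match" for the enclosing list. The address 10.0.0.1 and the key name update-key are constructed placeholders; the model shows that the nested ACL above admits only the address-plus-key combination, while a flat list admits either one on its own.

```python
# Added example: model of BIND address-match-list evaluation, to show why
#   allow-update { ! { ! { ip-addrs; }; any; }; key-name; };
# requires BOTH a trusted source address AND a valid TSIG key.
# Rules modelled:
#   * elements are tried in order; the first that matches decides
#   * a leading "!" turns a positive match into a negative one (deny)
#   * a negative match coming out of a nested list is treated as "no match"
#     by the enclosing list, so evaluation continues with the next element
#   * if nothing matches, the request is denied
import ipaddress

# Element shapes (constructed for this model):
#   ("addr", "10.0.0.1/32")  ("any",)  ("key", "update-key")
#   ("nested", [elements])   ("not", element)

def match_element(elem, addr, signer):
    """Return +1 for a positive match, -1 for a negative match, 0 for none."""
    kind = elem[0]
    if kind == "not":
        return -match_element(elem[1], addr, signer)  # 0 stays 0
    if kind == "any":
        return 1
    if kind == "addr":
        return 1 if addr in ipaddress.ip_network(elem[1]) else 0
    if kind == "key":
        return 1 if signer == elem[1] else 0
    if kind == "nested":
        r = match_list(elem[1], addr, signer)
        return 1 if r > 0 else 0  # negative match inside a nested list => no match
    raise ValueError(kind)

def match_list(elems, addr, signer):
    for e in elems:
        r = match_element(e, addr, signer)
        if r != 0:
            return r
    return 0

def allowed(acl, addr, signer=None):
    """True only when the list yields a positive match (default deny)."""
    return match_list(acl, ipaddress.ip_address(addr), signer) > 0

# allow-update { ! { ! { 10.0.0.1; }; any; }; key update-key; };
ALLOW_UPDATE = [
    ("not", ("nested", [("not", ("nested", [("addr", "10.0.0.1/32")])), ("any",)])),
    ("key", "update-key"),
]
# Flat list for contrast: address OR key is enough.
NAIVE = [("addr", "10.0.0.1/32"), ("key", "update-key")]
```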