Need feedback on RPZ service setup

Paul Seward Paul.Seward at bristol.ac.uk
Thu Jan 5 16:21:30 UTC 2017


On 5 January 2017 at 14:36, Lars Kulseng <larskulseng at gmail.com> wrote:

>
> I wasn't aware that the ACL-clause could include TSIG-keys as well as
> IP-addresses.
>

As I understand it, you have to be careful mixing TSIG keys and IP
addresses within an ACL, as it's "first match wins".

So if you have a key and an IP listed in the same ACL - then anyone with
the key (from any IP), or anyone from that IP (without the key) will match
the ACL, which is unlikely to be what you wanted (presumably you actually
wanted "from this IP, with this key" to be the only matching case).

You can either use the approach you initially suggested, or try and use the
sort of approach listed here:
http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update

It's been a while since I've looked at ACLs though, so if the situation has
changed in more modern versions of bind I'd be very appreciative if people
could point me towards the appropriate docs :)

-Paul
-- 
----------------------------------------------------------------------
Paul Seward,    Senior Systems Administrator,    University of Bristol
Paul.Seward at bristol.ac.uk  +44 (0)117 39 41148    GPG Key ID: E24DA8A2
GPG Fingerprint:    7210 4E4A B5FC 7D9C 39F8  5C3C 6759 3937 E24D A8A2
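The following is an added example, not part of Paul's message or of BIND itself. It models BIND's address-match-list evaluation in Python closely enough to show the point above: the first matching element decides, a negated element that matches means "deny", and a negative match inside a nested ACL counts as no match for the outer list. That last rule is what makes the nested-negation idiom from the linked serverfault thread (`!{ !addr; any; }; key name;`) require both the address and the key. The address 192.0.2.10 and the key name `ddns-key` are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Model of BIND's address-match-list evaluation (added example, not BIND
# code). Rules modelled: first matching element wins; a matching negated
# element denies; a nested ACL whose own match was negated is treated as
# "no match" by the enclosing list, so evaluation continues past it.


@dataclass
class Elem:
    kind: str              # "ip", "key", "any", or "acl" (nested list)
    value: object = None   # ip_network, TSIG key name, or list of Elem
    negate: bool = False   # the leading "!" in named.conf


@dataclass
class Request:
    source: str                 # source address of the update request
    key: Optional[str] = None   # TSIG key that signed it, if any


def match_list(acl, req):
    """Return +1 (positive match), -1 (negated match) or 0 (no match)."""
    for e in acl:
        if e.kind == "any":
            hit = True
        elif e.kind == "ip":
            hit = ip_address(req.source) in e.value
        elif e.kind == "key":
            hit = req.key == e.value
        elif e.kind == "acl":
            # A negative match inside a nested ACL is "no match" for the
            # outer list, so a negated nested ACL never double-negates
            # into a surprise allow.
            hit = match_list(e.value, req) > 0
        else:
            raise ValueError(e.kind)
        if hit:
            return -1 if e.negate else 1
    return 0


def allowed(acl, req):
    return match_list(acl, req) > 0


TRUSTED = ip_network("192.0.2.10/32")   # constructed address
KEY = "ddns-key"                        # constructed key name

# Weak form, as described in the post:
#   allow-update { 192.0.2.10; key ddns-key; };
# Either the address OR the key is enough to match.
WEAK = [Elem("ip", TRUSTED), Elem("key", KEY)]

# Nested-negation form (the idiom from the linked serverfault thread):
#   allow-update { !{ !192.0.2.10; any; }; key ddns-key; };
# A request not from 192.0.2.10 hits the nested "any", and the outer "!"
# denies it. A request from 192.0.2.10 gets a negated match inside, which
# counts as no match, so evaluation falls through to the key element:
# address AND key are both required.
STRICT = [
    Elem("acl", [Elem("ip", TRUSTED, negate=True), Elem("any")], negate=True),
    Elem("key", KEY),
]


def compare(acl):
    """Evaluate an ACL against the four source/key combinations."""
    cases = {
        "trusted_ip_with_key": Request("192.0.2.10", KEY),
        "trusted_ip_no_key":   Request("192.0.2.10", None),
        "other_ip_with_key":   Request("198.51.100.7", KEY),
        "other_ip_no_key":     Request("198.51.100.7", None),
    }
    return {name: allowed(acl, r) for name, r in cases.items()}


if __name__ == "__main__":
    for label, acl in (("weak", WEAK), ("strict", STRICT)):
        print(label, compare(acl))
```

Running it shows the weak list accepting an unsigned update from the trusted address and a signed update from anywhere, while the nested form accepts only the signed update from the trusted address. The model is deliberately small (no ACL names, no key-name normalisation); check the current BIND ARM for the exact semantics of the version you run before relying on this idiom.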