tsig question
raf
bind at raf.org
Fri Aug 20 11:33:01 UTC 2021
Hi,
I want to use TSIG for zone transfers,
only allowing zone transfers to
particular IP addresses if they
possess the TSIG shared secret.
The documentation at:
https://bind9.readthedocs.io/en/latest/advanced.html
has this section:
5.5.4. TSIG-Based Access Control
which gives this relevant but non-obvious example:
allow-update { !{ !localnets; any; }; key host1-host2. ;};
which somehow means localnets *and* possesses the shared secret.
I've found old tutorials online that recommend:
allow-update { key "KEYNAME"; };
Because (they say) including the IP address (no mention
of nested negative boolean logic) allows the transfer
if *either* the address matches *or* the key is known.
To do what I want, do I need to have this:
allow-transfer { !{ !IPADDR; any; }; key KEYNAME; };
where IPADDR is the address(es) of the secondary
(or the name of an acl containing the address(es)
of the secondary)?
And if so, do I really want to? I'd like to, but
that syntax is a bit gross. Maybe I'm being silly.
Maybe I should just rely on the possession of the key.
Thoughts?
cheers,
raf
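As an added illustration (not part of the original post, and not BIND's own code), here is a small Python model of how BIND evaluates an address_match_list: the first matching element decides, `!` turns a positive match into a negative (deny) match, and a nested list counts as a match only when it matches positively. Running the two forms from the post through it shows why `{ IPADDR; key KEYNAME; }` means "either" while `{ !{ !IPADDR; any; }; key KEYNAME; }` means "both". The secondary address and key name are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Tri-state match result, modelled on BIND's address_match_list evaluation.
POS, NEG, NONE = 1, -1, 0

def match_element(elem, addr, signer):
    """Evaluate one element: ("net", cidr), ("key", name), ("any",),
    ("list", [elems]) or ("not", elem)."""
    kind = elem[0]
    if kind == "not":
        # '!' turns a positive match into a negative (deny) match;
        # a non-match stays a non-match and evaluation continues.
        return NEG if match_element(elem[1], addr, signer) == POS else NONE
    if kind == "any":
        return POS
    if kind == "net":
        return POS if addr in ip_network(elem[1]) else NONE
    if kind == "key":
        return POS if signer == elem[1] else NONE
    if kind == "list":
        # A negative match inside a nested list counts as "no match",
        # so a nested list matches only when it matches positively.
        return POS if match_list(elem[1], addr, signer) == POS else NONE
    raise ValueError(f"unknown element kind {kind!r}")

def match_list(elems, addr, signer):
    """First-match semantics: the first element that matches decides."""
    for elem in elems:
        result = match_element(elem, addr, signer)
        if result != NONE:
            return result
    return NONE

def allowed(acl, addr, signer=None):
    """True if a request from addr, signed with TSIG key `signer`
    (None = unsigned), is permitted by the ACL."""
    return match_list(acl, ip_address(addr), signer) == POS

SECONDARY = "192.0.2.53"   # constructed placeholder for IPADDR
KEY = "KEYNAME"            # placeholder key name from the post

# allow-transfer { IPADDR; key KEYNAME; };             -> address OR key
EITHER = [("net", SECONDARY), ("key", KEY)]
# allow-transfer { !{ !IPADDR; any; }; key KEYNAME; }; -> address AND key
BOTH = [("not", ("list", [("not", ("net", SECONDARY)), ("any",)])),
        ("key", KEY)]

def truth_table(acl):
    """Map (address matches?, signed with key?) -> allowed for all four cases."""
    return {(a == SECONDARY, s is not None): allowed(acl, a, s)
            for a in (SECONDARY, "198.51.100.9") for s in (KEY, None)}
```

With the "both" form, an unsigned transfer from the right address and a signed transfer from the wrong address are both refused; only the combination is allowed.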