TSIG should be that way??

Osman Shoukry oshoukry at onepage.com
Fri Mar 9 21:42:57 UTC 2001


Ian,

Thank you, but I was just checking the logistics of what you sent,
this is an "Or" allow-transfer, not an AND logic.
I was really hoping for something that can give an AND logic.
What you sent allows transfer IF you have the key OR you are a slave.
It's actually less restrictive than my config, and I was looking into making
it MORE restrictive.

Thank you,



-----Original Message-----
From: Ian Watts [mailto:ian at Radix.Net]
Sent: Friday, March 09, 2001 1:32 PM
To: Osman Shoukry
Cc: bind-users at isc.org
Subject: Re: TSIG should be that way??


Osman, 

I recently went through this myself.  Thanks to other listers, this
solution was the simplest:

create an acl that blocks your IP address, then block that list for
updates or transfers:

acl slaves { ! xx.xx.xx.2; any; };

then something like:

zone "test.com" {
       type master;
       file "test.com";
       allow-transfer { ! slaves; key shared-secret.; };
};


-- Ian




On Fri, 9 Mar 2001, Osman Shoukry wrote:

> Hi,
> 
> I am unable to really understand how the TSIG works, even though I have
> configured it, but here is what I see. If I remove the key from the slave, the
> transfer of zones goes through.
> If I keep it, the request is signed and the transfer goes through.  If I remove
> the TSIG section from the master, then the transfer fails.
> 
> 
> How do I forbid transfer unless the request is signed AND coming from the
> correct IP (or is that not possible)??
> 
> Here is my current config, maybe there is something I am overlooking..
> 
> 
> 
> ==========  Master Config
> key shared-secret. {
>         algorithm hmac-md5;
>         secret "Mxb8ljzEodY9sUkFi3cSYQ==";
> };
> 
> server xx.xx.xx.2 {
>         transfer-format many-answers;
>         keys { shared-secret. ; };
> };
> acl "slaves" { xx.xx.xx.2; };
> 
> options {
>         directory "/var/named";
>         allow-transfer { none; };
>         pid-file "/var/run/named.pid";
> };
> 
> zone "test.com" {
>         type master;
>         file "test.com";
>         allow-transfer { slaves; };
> };
> 
> ==========  Slave config
> key shared-secret. {
>         algorithm hmac-md5;
>         secret "Mxb8ljzEodY9sUkFi3cSYQ==";
> };
> 
> server xx.xx.xx.1 {
>         keys { shared-secret. ; };
> };
> 
> options {
>         directory "/var/named";
>         allow-transfer { none; };
>         pid-file "/var/run/named.pid";
> };
> 
> zone "test.com" {
>         type slave;
>         file "test.com";
>         masters { xx.xx.xx.1; };
> };
> 
> Thank you for any help you can offer,
> 
> Osman Shoukry
> 
> PS: Please excuse me for reposting this, but I didn't assign a subject, that
> is why I am reposting.
> 
> 
> 
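As an added worked example, not part of the thread: a small Python model of BIND 9 address-match-list evaluation, applied to Ian's `allow-transfer { ! slaves; key shared-secret.; };` above and to Osman's address-only list. It assumes BIND 9 semantics (the first matching element decides, a negated element denies, and a negated match inside a nested acl is seen by the outer list as no match); `xx.xx.xx.9` is a constructed non-slave address.

```python
# Added example (not from the thread): model BIND 9 address-match-list
# evaluation to see which requests each allow-transfer list permits.
# Assumed semantics: first matching element decides (negated => deny);
# a negated match inside a nested acl is treated by the outer list as
# "no match".

from dataclasses import dataclass

@dataclass
class Elem:
    kind: str             # "addr", "any", "key" or "acl"
    value: object = None  # address string, key name, or nested list of Elem
    negate: bool = False

def acl_match(elems, src_ip, signer):
    """Return +n if element n matched positively, -n if it matched through
    a negation, 0 if nothing matched."""
    for i, e in enumerate(elems, start=1):
        if e.kind == "any":
            hit = True
        elif e.kind == "addr":
            hit = (src_ip == e.value)
        elif e.kind == "key":
            hit = (signer == e.value)      # signer = TSIG key name, or None
        elif e.kind == "acl":
            hit = acl_match(e.value, src_ip, signer) > 0  # negative => no match
        else:
            raise ValueError(e.kind)
        if hit:
            return -i if e.negate else i
    return 0

def allowed(elems, src_ip, signer):
    return acl_match(elems, src_ip, signer) > 0

# Ian's lists:  acl slaves { ! xx.xx.xx.2; any; };
#               allow-transfer { ! slaves; key shared-secret.; };
SLAVES = [Elem("addr", "xx.xx.xx.2", negate=True), Elem("any")]
IAN_TRANSFER = [Elem("acl", SLAVES, negate=True), Elem("key", "shared-secret.")]

# Osman's list: acl "slaves" { xx.xx.xx.2; };  allow-transfer { slaves; };
OSMAN_TRANSFER = [Elem("acl", [Elem("addr", "xx.xx.xx.2")])]

def truth_table(elems):
    """(src_ip, signer) -> allowed, for the slave IP and a constructed other IP."""
    cases = [("xx.xx.xx.2", "shared-secret."), ("xx.xx.xx.2", None),
             ("xx.xx.xx.9", "shared-secret."), ("xx.xx.xx.9", None)]
    return {c: allowed(elems, *c) for c in cases}

if __name__ == "__main__":
    for name, elems in (("Ian", IAN_TRANSFER), ("Osman", OSMAN_TRANSFER)):
        for (ip, signer), ok in truth_table(elems).items():
            print(f"{name:5} {ip} signed={signer is not None} -> {'allow' if ok else 'deny'}")
```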
