ACL and keys

Mark Damrose mdamrose at elgin.cc.il.us
Fri Aug 22 12:09:54 UTC 2003


"Ladislav Vobr" <lvobr at ies.etisalat.ae> wrote in message
news:bi4q0e$2tlc$1 at sf1.isc.org...
> Dear Kevin,
>
>     I tried it, but was not successful. Posting my setup....
>
> acl slaves {
>          194.170.1.11;
> };
>
> include "sharedsecret.txt";
>
> acl notslaves { ! slaves; };
>
> options {
>         directory "/usr/local/dns/ns0.bind-8.3.6/zones";
>         datasize 20M;
>         listen-on { 194.170.1.12; };
>         allow-transfer { ! notslaves; key tsigkey; };

The order matters.  BIND stops checking once it finds a match.  In your
list, notslaves matches and is denied without ever checking the key.

I believe you want either

allow-transfer { slaves; key tsigkey; };

which will allow slaves or those with the key (all others denied by
default), or

allow-transfer { key tsigkey; ! notslaves; slaves; };

which will allow anybody with the key, deny notslaves if they don't have the
key, and then allow slaves without the key.

>
>
> As I looked at it, it simply says allow transfer to clients based on the
> following acls... one is not not slave which is slave and second is
> anybody with the key, that's how it works for me :-(, but I would like
> to see logical AND between the IP acl and the key acl, is this possible?
>
> Ladislav
>
>
> Kevin Darcy wrote:
>
> >Ladislav Vobr wrote:
> >
> >
> >
> >>How can I combine bind IP based acl with key based acl. Something like
> >>only client from this IP and only with this key is allowed in
> >>allow-transfer {}, allow-update {}...
> >>
> >>
> >
> >http://marc.theaimsgroup.com/?l=bind-users&m=100138737915065&w=2
> >
> >
> >- Kevin
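The reply's point is that an address_match_list is evaluated first-match: BIND walks the elements in order, the first one that matches decides, a matching negated ("!") element is a deny, and a list that nothing matches denies by default. The following is an added example, not code from this thread or from BIND, that models that rule in Python and runs the three lists discussed above against the slave (194.170.1.11) and a constructed non-slave address, each with and without the key. It makes two simplifying assumptions: "notslaves" is treated as the plain complement of "slaves" (the way the reply reasons about it; BIND's own handling of negated nested ACLs is not reproduced), and a key is matched purely by its name.

```python
"""Model of BIND's first-match evaluation for an address_match_list.

Added example, not code from the original thread or from BIND itself.
Elements are checked in order, the first element that matches decides,
a matching negated element ("!") is a deny, and an empty result is a
deny by default. Assumptions: 'notslaves' is modelled as the plain
complement of 'slaves', keys are matched by name only, and BIND's real
rules for negated nested ACLs are not reproduced.
"""
import ipaddress

# Constructed data: the address and key name used in the thread.
SLAVES = [ipaddress.ip_network("194.170.1.11/32")]
KEY_NAME = "tsigkey"


def in_slaves(addr: str) -> bool:
    """True when addr falls inside one of the 'slaves' networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SLAVES)


def element_matches(elem, addr: str, key) -> bool:
    """Evaluate one non-negated element against a client (addr, key)."""
    kind, name = elem
    if kind == "acl":
        if name == "slaves":
            return in_slaves(addr)
        if name == "notslaves":        # assumption: plain complement of slaves
            return not in_slaves(addr)
        raise ValueError(f"unknown acl {name}")
    if kind == "key":
        return key == name             # request signed with this TSIG key name
    raise ValueError(f"unknown element kind {kind}")


def render(elem) -> str:
    """Print an element the way it appears in named.conf."""
    if elem[0] == "not":
        return "! " + render(elem[1])
    return elem[1] if elem[0] == "acl" else f"key {elem[1]}"


def evaluate(match_list, addr: str, key=None):
    """First-match evaluation. Returns (decision, reason)."""
    for elem in match_list:
        negated = elem[0] == "not"
        inner = elem[1] if negated else elem
        if element_matches(inner, addr, key):
            # First matching element decides; a negated match is a deny.
            return ("deny" if negated else "allow"), f"matched {render(elem)}"
    return "deny", "no element matched (default deny)"


# The three lists discussed in the thread.
ORIGINAL = [("not", ("acl", "notslaves")), ("key", KEY_NAME)]
EITHER = [("acl", "slaves"), ("key", KEY_NAME)]
ORDERED = [("key", KEY_NAME), ("not", ("acl", "notslaves")), ("acl", "slaves")]

# Constructed clients: the slave with and without the key, and a non-slave
# address (194.170.1.20 is made up for this example) with and without it.
CLIENTS = [
    ("194.170.1.11", None),
    ("194.170.1.11", KEY_NAME),
    ("194.170.1.20", None),
    ("194.170.1.20", KEY_NAME),
]


def decision_table(match_list):
    """Map each (addr, key) client to the decision the list gives it."""
    return {client: evaluate(match_list, *client)[0] for client in CLIENTS}


if __name__ == "__main__":
    for label, ml in (("original", ORIGINAL), ("either", EITHER), ("ordered", ORDERED)):
        print(f"allow-transfer {{ {'; '.join(render(e) for e in ml)}; }}  [{label}]")
        for client in CLIENTS:
            decision, why = evaluate(ml, *client)
            print(f"  {client[0]:<14} key={client[1] or '-':<8} -> {decision:<5} ({why})")
```

Run as a script it prints a decision per client for each list. Under this model the original list denies the non-slave holding the key at "! notslaves" before the key element is ever reached, which is the ordering problem the reply describes, while the two suggested lists give the same allow/deny outcome for every client and differ only in which element produces it.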


