ACL and keys

Ladislav Vobr lvobr at ies.etisalat.ae
Fri Aug 22 16:32:50 UTC 2003


Aha, in this example I basically want only 194.170.1.11, but only when it
has a valid key, then nobody else... with or without keys, or with the
same or a different IP...
Thanks for your reply, but I guess my problem is still unresolved. I
heard it is possible and tried several times with different ACLs, but
could not make it work.

Ladislav


Mark Damrose wrote:

>"Ladislav Vobr" <lvobr at ies.etisalat.ae> wrote in message
>news:bi4q0e$2tlc$1 at sf1.isc.org...
>
>>Dear Kevin,
>>
>>    I tried it, but was not successful. Posting my setup...
>>
>>acl slaves {
>>         194.170.1.11;
>>};
>>
>>include "sharedsecret.txt";
>>
>>acl notslaves { ! slaves; };
>>
>>options {
>>        directory "/usr/local/dns/ns0.bind-8.3.6/zones";
>>        datasize 20M;
>>        listen-on { 194.170.1.12; };
>>        allow-transfer { ! notslaves; key tsigkey; };
>
>The order matters.  BIND stops checking once it finds a match.  In your
>list, notslaves matches and is denied without ever checking the key.
>
>I believe you want either
>allow-transfer { slaves; key tsigkey; };
>which will allow slaves or those with the key (all others denied by
>default). or
>
>allow-transfer { key tsigkey; ! notslaves; slaves; };
>which will allow anybody with the key, deny notslaves if they don't have the
>key, and then allow slaves without the key.
>
>
>>As I looked at it, it simply says allow transfer to clients based on the
>>following ACLs... one is not not slave, which is slave, and the second is
>>anybody with the key; that's how it works for me :-(, but I would like
>>to see a logical AND between the IP ACL and the key ACL. Is this possible?
>>
>>Ladislav
>>
>>
>>Kevin Darcy wrote:
>>
>>>Ladislav Vobr wrote:
>>>
>>>>How can I combine BIND IP-based ACLs with key-based ACLs? Something like
>>>>only a client from this IP and only with this key is allowed in
>>>>allow-transfer {}, allow-update {}...
>>>>
>>>http://marc.theaimsgroup.com/?l=bind-users&m=100138737915065&w=2
>>>
>>>
>>>- Kevin
>
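
Added example, not part of the original thread: a small Python model of first-match address-match-list evaluation, comparing the "IP or key" list suggested above with a nested-negation list that yields the logical AND asked about. It assumes BIND 9 semantics, where a negative match inside a nested list counts as "no match" for the outer list; the `slaves` ACL is inlined as its single address and `OTHER` is a constructed non-slave address.

```python
# Simplified model of BIND 9 address-match-list evaluation (illustrative only;
# it does not parse named.conf). An element is (negated, what), where what is
# an IP string, "any", ("key", name), or a nested list of elements.

SLAVE = "194.170.1.11"   # the slave address from the thread
OTHER = "192.0.2.50"     # constructed: any client that is not the slave


def match(acl, ip, key):
    """Return True (allow), False (deny) or None (no element matched)."""
    for negated, what in acl:
        if isinstance(what, list):
            # Nested list: only a positive inner match counts. A negative
            # inner match is treated as "no match", so evaluation continues.
            hit = match(what, ip, key) is True
        elif what == "any":
            hit = True
        elif isinstance(what, tuple):   # ("key", name): request signed with it
            hit = key == what[1]
        else:
            hit = ip == what
        if hit:
            return not negated          # first matching element decides
    return None


def allowed(acl, ip, key=None):
    return match(acl, ip, key) is True  # falling off the end means denied


# allow-transfer { slaves; key tsigkey; };              -> slave IP OR key
OR_LIST = [(False, SLAVE), (False, ("key", "tsigkey"))]
# allow-transfer { !{ !slaves; any; }; key tsigkey; };  -> slave IP AND key
AND_LIST = [(True, [(True, SLAVE), (False, "any")]),
            (False, ("key", "tsigkey"))]


def truth_table(acl):
    """Results for: slave+key, slave without key, other+key, other without key."""
    clients = [(SLAVE, "tsigkey"), (SLAVE, None), (OTHER, "tsigkey"), (OTHER, None)]
    return [allowed(acl, ip, key) for ip, key in clients]


if __name__ == "__main__":
    print("OR :", truth_table(OR_LIST))
    print("AND:", truth_table(AND_LIST))
```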
