ACL and keys

Mark_Andrews at isc.org Mark_Andrews at isc.org
Tue Aug 26 23:48:55 UTC 2003


> 
> "Ladislav Vobr" <lvobr at ies.etisalat.ae> wrote in message
> news:bi5hgg$euh$1 at sf1.isc.org...
> > thanks for the info, I found the link with Mark's comment. Kevin posted
> > a confusing one, where is no "any" statement in the notslaves acl, which
> > is crucial. btw very elegant solution. I knew address_match_lists are
> > processed in order, but that acls are as well, this is a little hidden :-)
> >
> > posting the full link for everybody who is searching.
> >
> > http://marc.theaimsgroup.com/?l=bind-users&m=100142567531837&w=2
> >
> > my tested config now
> >
> > acl slaves {
> >          194.170.1.11;
> > };
> >
> > include "sharedsecret.txt";
> >
> > acl notslaves { ! slaves; any; };
> >
> > options {
> >         directory "/usr/local/dns/ns0.bind-8.3.6/zones";
> >         datasize 20M;
> >         listen-on { 194.170.1.12; };
> >         allow-transfer { ! notslaves; key tsigkey.; };
> >
> > and only 194.170.1.11 and only with TSIG key is allowed.
> >
> > Ladislav
> >
> >
> > Jim Reid wrote:
> >
> > >>>>>>"Ladislav" == Ladislav Vobr <lvobr at ies.etisalat.ae> writes:
> > >
> > >    Ladislav> aha, I basically in this example want only 194.170.1.11
> > >    Ladislav> but only when it has a valid key, then nobody
> > >    Ladislav> else.... with or without keys or with the same or
> > >    Ladislav> different ip....
> > >
> > >An example of how to combine IP addresses with a TSIG key for access
> > >control was posted to this list a few months ago. This explained how
> > >to provide an ACL that requires the client to have an acceptable IP
> > >address AND a valid TSIG key. Consult the list archives.
> > >
> > >
> > >
> >
> >
> Why can't you use
> 
> allow-transfer { slaves; key tsigkey; };
> 

	That is allow "slaves" *or* allow "key tsigkey".

> ?????
> 
> As ! notslave == slaves

acl slaves {
        194.170.1.11;
};

acl notslaves {
	!slaves; any;
};

allow-transfer { !notslaves; key tsigkey;};

	This denies everyone but slaves, then allows those with this key.

	Acls are parsed on a first match basis.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
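The difference between the two allow-transfer lists discussed above (address *or* key versus address *and* key) comes down to first-match evaluation of address_match_lists. The following is an added example, not code from the thread or from ISC's BIND: it is a small Python model of the evaluation rules (first matching element decides; a negated match denies; no match denies; a nested acl counts only when it matches positively, which is how BIND 9 treats nested acls and is assumed here to be what the poster's BIND 8 does as well). The client list is constructed for the demonstration; the key name `tsigkey` and the slave address 194.170.1.11 come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Model of BIND address_match_list evaluation (constructed for this example,
# not BIND's own code). Elements are tried in order; the first one that
# matches decides: a positive match allows, a "!" match denies, and a list
# with no matching element denies (the default for allow-* lists).


@dataclass(frozen=True)
class Client:
    addr: str
    key: Optional[str] = None  # name of the TSIG key that signed the request


class Element:
    def __init__(self, target, negate=False):
        self.target = target  # ("net", network) | ("key", name) | ("acl", name) | ("any"|"none", None)
        self.negate = negate


def parse_element(token: str) -> Element:
    token = token.strip()
    negate = token.startswith("!")
    if negate:
        token = token[1:].strip()
    if token.startswith("key "):
        # "key tsigkey." and "key tsigkey" name the same key
        return Element(("key", token[4:].strip().rstrip(".")), negate)
    if token in ("any", "none"):
        return Element((token, None), negate)
    try:
        return Element(("net", ipaddress.ip_network(token, strict=False)), negate)
    except ValueError:
        return Element(("acl", token), negate)  # a reference to a named acl


def parse_list(text: str):
    """Parse '{ a; b; }' into a list of Elements."""
    body = text.strip().strip("{}").strip()
    return [parse_element(t) for t in body.split(";") if t.strip()]


def element_matches(client: Client, elem: Element, acls) -> bool:
    kind, value = elem.target
    if kind == "any":
        return True
    if kind == "none":
        return False
    if kind == "net":
        return ipaddress.ip_address(client.addr) in value
    if kind == "key":
        return client.key is not None and client.key.rstrip(".") == value
    # nested acl: only a positive inner match counts; a negated inner
    # match is treated as "no match" by the outer list
    return match_list(client, acls[value], acls) > 0


def match_list(client: Client, elements, acls) -> int:
    """Return +index for a positive match, -index for a negated match, 0 for none."""
    for i, elem in enumerate(elements, start=1):
        if element_matches(client, elem, acls):
            return -i if elem.negate else i
    return 0


def allowed(client: Client, elements, acls) -> bool:
    return match_list(client, elements, acls) > 0


ACLS = {
    "slaves": parse_list("{ 194.170.1.11; }"),
    "notslaves": parse_list("{ !slaves; any; }"),
}
OR_LIST = parse_list("{ slaves; key tsigkey; }")        # "slaves" OR "key tsigkey"
AND_LIST = parse_list("{ !notslaves; key tsigkey; }")   # slave address AND key

CLIENTS = [  # constructed test clients: slave/non-slave address, with/without the key
    Client("194.170.1.11", "tsigkey"),
    Client("194.170.1.11"),
    Client("10.0.0.5", "tsigkey"),
    Client("10.0.0.5"),
]


def decisions(elements):
    """Map (addr, key) -> True if the transfer would be allowed."""
    return {(c.addr, c.key): allowed(c, elements, ACLS) for c in CLIENTS}


if __name__ == "__main__":
    for name, lst in (("{ slaves; key tsigkey; }", OR_LIST),
                      ("{ !notslaves; key tsigkey; }", AND_LIST)):
        print(name)
        for c in CLIENTS:
            verdict = "allow" if allowed(c, lst, ACLS) else "deny"
            print(f"  {c.addr:14} key={str(c.key):8} -> {verdict}")
```

Running it shows the point of Mark's reply: with `{ slaves; key tsigkey; }` the slave address is allowed even without the key and any address is allowed with the key, whereas `{ !notslaves; key tsigkey; }` first denies every non-slave address (the nested `!slaves` inside `notslaves` does not match the slave, so `any` does not get reached for it, and the negated inner match is ignored by the outer list) and then requires the key from what remains.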

