match-clients and TSIG keys

Adam Clark Adam.Clark at ngv.vic.gov.au
Fri Sep 10 06:03:34 UTC 2004


Please validate my train of thought.

I am trying to implement a Master-Slave configuration in
a DMZ with internal and external views.  The Master is set up
and working well, now it is time for the slave to transfer
the zones down.  But as you know, the same IP cannot see the
two views to transfer them both.  So after a bit of thinking
I thought it would work by using TSIG keys to identify the
appropriate zone to transfer.

According to the bind9arm:
  The addition of the key clause made the name of this syntactic element
  something of a misnomer, since security keys can be used to validate
  access without regard to a host or network address. Nonetheless, the
  term "address match list" is still used throughout the documentation.

I take that as meaning:
if I use no IP-based ACLs to identify views, but only a valid TSIG key,
I should be able to see what the TSIG key is entitled to.

The below configuration should work OK given it is used with the
appropriate key with dig; I should be able to query and transfer the
appropriate zone dependent on the key I use.

key axfr-int {
	..
	..
};

key axfr-ext {
	..
	..
};

view "internal-in" in {
	match-clients { key axfr-int; };

	zone domain.com {
		allow-query { any; };
	};
};

view "external-in" in {
	match-clients { key axfr-ext; };
	zone domain.com {
		allow-query { any; };
	};
};

But if I run dig, I get an entry in the log:
dig @localhost -k Kaxfr-int.+157+50739.private domain.com
Sep 10 15:55:18.810 client 127.0.0.1#32901: no matching view in class 'IN'

Whereas if I change the config to this:

view "internal-in" in {
	match-clients { 127.0.0.1; };

	zone domain.com {
		allow-query { key axfr-int; };
	};
};

view "external-in" in {
	match-clients { any; };
	zone domain.com {
		allow-query { key axfr-ext; };
	};
};

I can only query when I use the TSIG keys, which is what I expected.
So my keys are valid and my methodology seems sound, but match-clients
seems to be the missing part of the puzzle.


To me, it seems that when the view for the client is determined, it
only looks at the originating IP and does not take into account any
TSIG key in the request.  This would make the statement in the ARM
incomplete.

Adam
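As an added illustration (not part of the original post, and not BIND's own code), the following Python models how an address match list as described in the ARM is evaluated when it mixes address entries and TSIG key names: elements are tried in order, the first match wins, "!" negates, and a key element can only match a request that carried a valid TSIG signature under that key name. The two view configurations from the post are encoded with their key names and the 127.0.0.1 client; the third, mixed list with a negated key is a constructed variant.

```python
# Added example: a model of address-match-list evaluation for view
# selection with TSIG key elements (documented semantics, not a claim
# about what any particular named build did with the poster's config).
import ipaddress

def element_matches(elem, client_ip, tsig_key):
    """Evaluate one address-match-list element against a request."""
    if elem == "any":
        return True
    if elem == "none":
        return False
    if elem.startswith("key "):
        # Only a validly signed request carries a key name; unsigned
        # requests never match a key element.
        return tsig_key is not None and elem[4:] == tsig_key
    # Otherwise an address or prefix, e.g. "127.0.0.1" or "10.0.0.0/8".
    net = ipaddress.ip_network(elem, strict=False)
    return ipaddress.ip_address(client_ip) in net

def acl_matches(acl, client_ip, tsig_key):
    """First matching element decides; a negated element that matches rejects."""
    for elem in acl:
        negate = elem.startswith("!")
        if element_matches(elem.lstrip("!").strip(), client_ip, tsig_key):
            return not negate
    return False

def select_view(views, client_ip, tsig_key=None):
    """Return the first view whose match-clients accepts the request, else None."""
    for name, acl in views:
        if acl_matches(acl, client_ip, tsig_key):
            return name
    return None  # the "no matching view" case named logs

# Config 1 from the post: views distinguished purely by TSIG key.
KEY_VIEWS = [("internal-in", ["key axfr-int"]), ("external-in", ["key axfr-ext"])]
# Config 2 from the post: views distinguished by source address only.
ADDR_VIEWS = [("internal-in", ["127.0.0.1"]), ("external-in", ["any"])]
# Constructed variant: address plus a negated key, so a request from
# localhost signed with the external key still lands in the external view.
MIXED_VIEWS = [("internal-in", ["!key axfr-ext", "127.0.0.1"]), ("external-in", ["any"])]

if __name__ == "__main__":
    for views in (KEY_VIEWS, ADDR_VIEWS, MIXED_VIEWS):
        for key in ("axfr-int", "axfr-ext", None):
            print([acl for _, acl in views], key, "->", select_view(views, "127.0.0.1", key))
```

With the address-only lists every request from 127.0.0.1 lands in internal-in regardless of key, which is why the second configuration in the post can only enforce the key at the allow-query level.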
