key *, any key, in named.conf

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 16 00:06:27 UTC 2004


Stefan de Konink wrote:

>Hello,
>
>
>Currently I'm using 9.3.0RC4 of Bind to run SIG(0) as authentication. I
>finally made it to run SIG(0) on incoming requests. My only future
>problem is this:
>
>At the moment every key that is available in the SIG(0) zone needs to be
>entered 'as key' in the named.conf initial zone configuration.
>I want to know if it is possible to only grant key requests to query that
>specific zone.
>
>allow-query { key testkey; }
>
>Works if it is entered as key, but I want to allow ALL KEYS and only KEYS
>to query. So I was thinking about key *; or something like that, which
>obviously ended in a: query 'localhost/A/IN' denied.
>
What kind of security paradigm are you trying to implement here? Anybody 
could sign a query with a bogus key; that's actually a lot easier even 
than spoofing a source address.

- Kevin
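As an added illustration (not part of either message above), this is the explicit-list approach the thread implies: instead of a wildcard key match, the operator enumerates the key names that are allowed to query and groups them in an acl so the list is maintained in one place rather than in every zone statement. The acl name "sig0-clients", the second key name "otherkey" and the zone name "example.test" are constructed for this example; "testkey" is the name used in the original post.

```conf
// Constructed example: group the permitted signer names in one acl.
// Only keys listed here match; an unknown or self-generated key name
// does not, which is what makes "any key" a non-check.
acl "sig0-clients" {
    key testkey;    // key name from the original post
    key otherkey;   // hypothetical second permitted key
};

zone "example.test" {
    type master;
    file "example.test.zone";
    // Reference the acl instead of repeating each key per zone.
    allow-query { sig0-clients; };
};
```

Adding a signer means adding one line to the acl; the allow-query on each zone stays as it is.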
