nsupdate ACL based on a key AND ip-subnet

blrmaani blrmaani at gmail.com
Thu Dec 25 23:31:57 UTC 2008


Did anyone try restricting nsupdate by using tcp-wrappers? I heard
that we can restrict nsupdate using tcp-wrapper.
Anyone tried this?

cheers
Maani


On Nov 17, 9:06 pm, "Jonathan Petersson" <jpeters... at garnser.se>
wrote:
> Guess I should start digging in the code then :)
>
>
>
> On Mon, Nov 17, 2008 at 5:59 PM, Evan Hunt <Evan_H... at isc.org> wrote:
> > > IIRC update-policy cannot be used in conjunction with the allow-update
> > > statement.
>
> > My bad--you're right.  There's code I'd never noticed before that says
> > allow-update will be ignored if update-policy is set.  Whoops.
>
> > (Oddly, the check only applies when both of them are defined in the
> > zone itself.  You can put "allow-updates" in the view options and
> > "update-policy" in the zone, and named won't complain about it...
> > but it also won't work the way you want it to.)
>
> > I don't know why it was implemented this way--there's no protocol reason
> > I can see.  (There may be other reasons I don't know about.)  It's probably
> > not a high enough priority for ISC to devote engineering resources to it at
> > this time, but if someone submitted a patch that added an ACL check to the
> > update-policy syntax, I'm sure we'd consider it.
>
> > --
> > Evan Hunt -- evan_h... at isc.org
> > Internet Systems Consortium, Inc.
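
A lint for the silent case described in the quoted reply above (allow-update at view level, update-policy in the zone, no complaint from named), as an added example that is not from the thread or from ISC. The simplified named.conf reader, the function names and the sample config are made up here, and treating an options-level allow-update the same way as a view-level one is an assumption.

```python
import re
# Constructed sample: view-level allow-update plus a zone-level update-policy.
SAMPLE_CONF = '''
view "internal" {
    allow-update { 10.0.0.0/24; };   // view-level ACL
    zone "dyn.example.com" {
        type master;
        update-policy { grant ddns-key. subdomain dyn.example.com. A; };
    };
    zone "static.example.com" { type master; };
};
'''

def tokenize(text):
    text = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', text, flags=re.S)  # drop comments
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def parse_block(tokens, i=0):
    """Return (statements, next_index); a statement is (words, body_or_None)."""
    stmts, words, body = [], [], None
    while i < len(tokens) and tokens[i] != '}':
        tok, i = tokens[i], i + 1
        if tok == '{':
            body, i = parse_block(tokens, i)
        elif tok == ';':
            if words:
                stmts.append((words, body))
            words, body = [], None
        else:
            words.append(tok.strip('"'))
    return stmts, i + 1  # step past the closing brace

def has(stmts, name):
    return any(words[0] == name for words, _ in stmts)

def scan(stmts, scope):
    """Yield (zone, scope) where update-policy shadows an inherited allow-update."""
    for words, body in stmts:
        body = body or []
        if words[0] == 'view':
            yield from scan(body, 'view' if has(body, 'allow-update') else scope)
        elif words[0] == 'zone' and scope and has(body, 'update-policy') \
                and not has(body, 'allow-update'):  # both in one zone is caught by named
            yield (words[1], scope)

def ignored_allow_update(conf_text):
    top, _ = parse_block(tokenize(conf_text))
    in_options = any(w[0] == 'options' and has(b or [], 'allow-update') for w, b in top)
    return list(scan(top, 'options' if in_options else None))
```

Each finding names a zone whose inherited address ACL is not applied to updates, so only the update-policy rules restrict them.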