nsupdate ACL based on a key AND ip-subnet
Chris Buxton
cbuxton at menandmice.com
Sat Nov 15 01:35:19 UTC 2008
On Nov 14, 2008, at 12:40 PM, blrmaani wrote:
> All,
> I use BIND 9.2 on Linux. I was experimenting with a feature to allow
> dynamic updates based on
> BOTH the following:
> 1. Secret key (TSIG)
> 2. Subnet.
>
> Unfortunately, I realized that we can specify only one of the above in
> allow-update {} ACL.
> If I specify both, it doesn't work as expected.
>
> Question:
> 1. Is there a way to achieve this?
Use a firewall (with deep packet inspection) to restrict by subnet.
Then use the TSIG key in the allow-update statement.
Unfortunately, to my knowledge, that's the only way to do this.
> 2. Is this feature part of BIND 9.3, 9.4, 9.5 or 9.6? (I haven't found
> anything related to this in the documentation
> for these versions.)
No. The first item in the list that matches, matches. No other entry
is considered.
> 3. If it is already supported in BIND 9.2, I'd appreciate it if anyone
> could point me to the right documentation.
>
> Here is what I'm expecting:
>
> // This should allow update only if the update is from 10/8 subnet AND
> key matches:
> allow-update { key "...." ; 10/8; }
An ACL in BIND is an "or" list - the packet being filtered only has to
pass any one test in the list.
Chris Buxton
Professional Services
Men & Mice
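To make the "or list, first match wins" behaviour concrete, here is a small model of how BIND evaluates an allow-update ACL containing a key and a subnet element, compared against the key-AND-subnet policy the original poster was hoping for. This is an added illustration, not BIND's own code and not from either participant in the thread; the evaluator, the key name "update-key" and the sample update requests are constructed for the example, and BIND's shortened prefix notation ("10/8") is expanded by a helper because Python's ipaddress module does not accept it.

```python
"""Model of the allow-update ACL semantics described in the thread: a BIND
ACL is an OR list, and the first element that matches decides.

Added illustration, not BIND code. The evaluator, the key name
"update-key" and the sample update requests are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UpdateRequest:
    src_ip: str              # source address of the UPDATE packet
    tsig_key: Optional[str]  # name of the TSIG key that signed it, None if unsigned


# An ACL element is ("key", "<keyname>") or ("subnet", "<prefix in BIND notation>")
AclElement = Tuple[str, str]


def expand_bind_prefix(prefix: str) -> ipaddress.IPv4Network:
    """Turn BIND's shortened IPv4 prefix notation ("10/8") into a network.

    BIND lets trailing octets be omitted; ipaddress does not, so pad with zeros.
    """
    addr, _, length = prefix.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not length:
        raise ValueError(f"unsupported prefix {prefix!r}")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{length}", strict=False)


def element_matches(elem: AclElement, req: UpdateRequest) -> bool:
    """Does one ACL element match this request?"""
    kind, value = elem
    if kind == "key":
        return req.tsig_key == value
    if kind == "subnet":
        return ipaddress.IPv4Address(req.src_ip) in expand_bind_prefix(value)
    raise ValueError(f"unknown ACL element type {kind!r}")


def acl_allows(acl: List[AclElement], req: UpdateRequest) -> bool:
    """BIND semantics as stated in the reply: walk the list and let the first
    matching element decide. With only positive elements this is a plain OR."""
    for elem in acl:
        if element_matches(elem, req):
            return True
    return False


def intended_allows(key_name: str, prefix: str, req: UpdateRequest) -> bool:
    """What the original poster wanted: key AND subnet must both match."""
    return (element_matches(("key", key_name), req)
            and element_matches(("subnet", prefix), req))


# The ACL from the question, with a placeholder key name (constructed).
ACL: List[AclElement] = [("key", "update-key"), ("subnet", "10/8")]

# Constructed sample requests covering all four key/subnet combinations.
SAMPLE_REQUESTS = [
    UpdateRequest("10.1.2.3", "update-key"),    # inside 10/8, signed
    UpdateRequest("10.1.2.3", None),            # inside 10/8, unsigned
    UpdateRequest("192.0.2.10", "update-key"),  # outside 10/8, signed
    UpdateRequest("192.0.2.10", None),          # outside 10/8, unsigned
]


def over_permitted(acl: List[AclElement], key_name: str, prefix: str,
                   requests: List[UpdateRequest]) -> List[UpdateRequest]:
    """Requests the OR-list ACL accepts but the intended AND policy would reject."""
    return [r for r in requests
            if acl_allows(acl, r) and not intended_allows(key_name, prefix, r)]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r.src_ip:12} key={str(r.tsig_key):12} "
              f"bind={acl_allows(ACL, r)!s:5} "
              f"intended={intended_allows('update-key', '10/8', r)}")
    print("over-permitted:", over_permitted(ACL, "update-key", "10/8", SAMPLE_REQUESTS))
```

Running it shows the gap the reply describes: with `allow-update { key "update-key"; 10/8; }` an unsigned update from inside 10/8 and a signed update from outside it are both accepted, because each satisfies one element of the OR list. Only the combination of a packet filter for the subnet plus the key in allow-update, as Chris suggests, yields the AND the poster wanted.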