nsupdate ACL based on a key AND ip-subnet

Chris Thompson cet1 at cam.ac.uk
Sun Nov 16 20:58:55 UTC 2008


On Nov 14 2008, blrmaani wrote:

>  I use BIND 9.2 on Linux. 

Horribly old. But I doubt whether anything has changed in the ACL logic
since then.

> I was experimenting with a feature to allow dynamic updates based on
> BOTH the following:
> 1. Secret key ( TSIG )
> 2. Subnet.
>
> Unfortunately, I realized that we can specify only one of the above in
> allow-update {} ACL.
> If I specify both, it doesn't work as expected.
>
> Question:
> 1. Is there a way to achieve this?
[...]
> here is what I'm expecting:
>
> // This should allow update only if the update is from 10/8 subnet AND
> key matches:
> allow-update { key "...." ; 10/8; }

That's an OR on the conditions, as Chris Buxton writes. 

But you *can* do what you want, provided you have a copious supply of 
iced drinks to keep you calm while trying to work out the consequences 
of using negations in ACLs. If I have it right, the following works:

  allow-update { !{!10/8;any;}; key update-key; };

You could make the inner {} a named ACL if that makes it clearer.

(I have tested an allow-update similar to the above -- using different
IP addresses -- with BIND 9.4.3rc1.)

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
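The following is an added illustration, not code from the thread: a small Python model of BIND 9's address-match-list rules (first matching element wins, a negated match denies, and a negative match inside a nested ACL counts as "no match" so double negation cannot produce a surprise allow). It evaluates the `!{!10/8; any;}; key update-key;` list from the reply against constructed sample requests and contrasts it with the OR form the original poster tried. The key name `update-key` and the sample addresses are assumptions chosen for the demonstration.

```python
"""Model BIND 9 ACL evaluation to show why
   allow-update { !{!10/8; any;}; key update-key; };
behaves as "source in 10/8 AND request signed with update-key".
Added example; semantics modelled from BIND's dns_acl_match behaviour."""
import ipaddress

# An ACL is an ordered list of (negated, element) pairs. Elements are:
#   ("net", ip_network) - matches when the source address is inside the prefix
#   ("key", "name")     - matches when the request's TSIG signer is that key
#   ("any",)            - matches every request
#   ("acl", [...])      - a nested address match list, evaluated recursively


def element_matches(elem, addr, signer):
    kind = elem[0]
    if kind == "net":
        return addr in elem[1]
    if kind == "key":
        return signer == elem[1]
    if kind == "any":
        return True
    if kind == "acl":
        # BIND treats a negative match inside a nested ACL as "no match", so
        # a negated nested ACL never becomes a positive match by double negation.
        return acl_match(elem[1], addr, signer) > 0
    raise ValueError(f"unknown element kind {kind!r}")


def acl_match(acl, addr, signer):
    """First matching element decides: +n positive match, -n negated match, 0 none."""
    for i, (negated, elem) in enumerate(acl, start=1):
        if element_matches(elem, addr, signer):
            return -i if negated else i
    return 0


def allowed(acl, addr, signer):
    """allow-update grants the request only on a positive match."""
    return acl_match(acl, ipaddress.ip_address(addr), signer) > 0


NET_10 = ipaddress.ip_network("10.0.0.0/8")   # "10/8" in named.conf

# allow-update { !{!10/8; any;}; key update-key; };   (the AND construction)
AND_ACL = [
    (True, ("acl", [(True, ("net", NET_10)), (False, ("any",))])),
    (False, ("key", "update-key")),
]

# allow-update { key update-key; 10/8; };   (the OR the original poster tried)
OR_ACL = [(False, ("key", "update-key")), (False, ("net", NET_10))]

# Constructed sample requests: (source address, TSIG signer or None if unsigned)
CASES = [
    ("10.1.2.3", "update-key"),
    ("10.1.2.3", None),
    ("192.0.2.7", "update-key"),
    ("192.0.2.7", None),
]


def truth_table(acl):
    """Map each sample request to True (allow) or False (deny) under the ACL."""
    return {(addr, signer): allowed(acl, addr, signer) for addr, signer in CASES}


if __name__ == "__main__":
    for name, acl in (("AND form", AND_ACL), ("OR form", OR_ACL)):
        print(name)
        for (addr, signer), ok in truth_table(acl).items():
            print(f"  {addr:<12} signer={str(signer):<11} -> {'allow' if ok else 'deny'}")
```

Walking the AND form for a request from inside 10/8: the inner `!10/8` matches negatively, so the nested list reports no match, the negated outer element is skipped, and only `key update-key` can grant. For a source outside 10/8 the inner `any` matches positively, the negated outer element fires first and denies regardless of the key. If the nested list is given a name (`acl not-in-10 { !10/8; any; };` and then `allow-update { !not-in-10; key update-key; };`), the evaluation is identical and the intent is easier to read.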