correct syntax for TSIG & IP restrictions for named-ACL versus just IP?

Sten Carlsen stenc at s-carlsen.dk
Sun Dec 5 18:16:02 UTC 2010


Given that you control your key distribution correctly and safely, would
the following work?

allow-transfer { key key-slave-1; key key-slave-2; };


Only relevant slaves have the various keys, so do you need to have the
IPs mentioned here?


On 05/12/10 18:10, pgngw+dev001+bind-users at f-m.fm wrote:
> i've bind9 running as a primary host to a number of bind-and-other
> slaves.
>
> i'm trying to set up to use different TSIG keys with different
> secondaries.
>
> in my named.conf, i've
>
> 	...
> 	acl acl_slave_1 { 1.1.1.1; };
> 	acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; };
> 	...
> 	zone "test.com" {
> 	type master; file "/master/test.com.hosts";
> 	allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
> 	!{!acl_slave_2;}; key key-slave-2; }; };
> 	allow-update { none; };
> 	};
> 	...
> 	key "key-slave-1" { algorithm hmac-md5; secret "Cf...g=="; };
> 	key "key-slave-2" { algorithm hmac-md5; secret "rl...8=="; };
>
> in this conf, IXFR to 1.1.1.1 with TSIG works as expected.  but, *NO*
> IXFR occurs to any slave in acl_slave_2{}.
>
> if, however, I change to
>
> 	---     allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
> 	!{!acl_slave_2;}; key key-slave-2; }; };
> 	+++     allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
> 	!{!2.2.2.2;}; key key-slave-2; }; };
>
> IXFR to 1.1.1.1 & 2.2.2.2 both occur OK with TSIG.
>
> also, with
>
> 	---     allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
> 	!{!acl_slave_2;}; key key-slave-2; }; };
> 	---     allow-transfer { { !{!1.1.1.1;}; key key-slave-1; };
> 	acl_slave_2; };
>
> IXFR to 1.1.1.1 with TSIG & to all slaves in acl_slave_2{}, without
> TSIG, both occur OK.
>
> what's the right syntax for enabling IXFR to the entire TSIG- &
> IP-restricted set of hosts in acl_slave_2{}?

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 
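As an added example that is not part of this thread, the following named.conf fragment shows the usual BIND address-match-list idiom for "address is in the ACL AND the request is signed with this key", next to the key-only form proposed in the reply above. ACL and key names are taken from the quoted question; the secrets are placeholders, and hmac-sha256 is substituted for the question's hmac-md5.

```conf
# Added example (not the thread's own configuration).
# ACL and key names follow the quoted question; secrets are placeholders.

acl acl_slave_1 { 1.1.1.1; };
acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; };

key "key-slave-1" { algorithm hmac-sha256; secret "<placeholder-base64>"; };
key "key-slave-2" { algorithm hmac-sha256; secret "<placeholder-base64>"; };

zone "test.com" {
    type master;
    file "/master/test.com.hosts";

    # Address match lists are evaluated top to bottom, first match wins,
    # and there is no AND operator.  Each inner block below gets
    # "in ACL AND signed with key" in two steps:
    #
    #   !{ !acl_slave_1; any; }  A client outside acl_slave_1 matches the
    #                            inner "any"; the outer "!" turns that into
    #                            a deny, so the block is finished for it.
    #                            A client inside acl_slave_1 hits the negated
    #                            entry instead, and BIND treats a negative
    #                            match inside a nested list as "no match",
    #                            so evaluation continues to the next element.
    #   key key-slave-1;         The surviving client is allowed only when
    #                            the transfer request is signed with this key.
    #
    # A block that reaches its end without a positive match is itself
    # "no match", so the outer list falls through to the next block and,
    # finally, to an implicit deny.
    allow-transfer {
        { !{ !acl_slave_1; any; }; key key-slave-1; };
        { !{ !acl_slave_2; any; }; key key-slave-2; };
    };

    # Key-only variant, as suggested in the reply above: any source address
    # presenting a valid signature is allowed; the IP restriction is gone,
    # so the protection rests entirely on key distribution.
    # allow-transfer { key key-slave-1; key key-slave-2; };

    allow-update { none; };
};
```

Without the `any;` inside the negated list, a client from an address outside the ACL simply produces no match there and is evaluated against the `key` element like everyone else, so the address restriction is not enforced.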
