Question on allow-update and update-policy

Angela Perez perez.angela7 at googlemail.com
Mon Jun 14 20:55:12 UTC 2010


Thank you very much, Chris, this worked!
--a

On Sat, Jun 12, 2010 at 11:20 PM, Chris Buxton <chris.p.buxton at gmail.com> wrote:
> There is a way when using allow-update. I have no idea if this works
> with update-policy. It looks something like this:
>
> allow-update { ! { ! { ip-addrs; }; any; }; key-name; };
>
> To understand this, remember that a negative ACL is not the same as
> not listing the IP at all. It says, in essence, "Deny anyone we don't
> trust, by IP. Then permit requests signed with the right key."
>
> Regards,
> Chris Buxton
> BlueCat Networks
>
> On 6/12/10, Angela Perez <perez.angela7 at googlemail.com> wrote:
>> Hi,
>>
>> I have a question on using signed (TSIG) dynamic updates. My
>> understanding is that both allow-update and update-policy allow
>> either a host or a key.
>>
>> Is there any way (or workaround) to make bind only accept dynamic
>> updates from a specific host that has the specific key?
>>
>> The problem I have is I work for a site that wants to issue signed
>> dynamic updates to an external dns server. Since dynamic updates use
>> port 53 and there is no way to control access on the network level,
>> I'm looking for a way to convince bind to only accept dynamic updates
>> if they originate from a specific host *and* are signed with the
>> specific key.
>>
>> Thank you for taking the time to read my message,
>> --a
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
> --
> Sent from my mobile device
>
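Added example, not part of the thread: a small Python model of BIND's address-match-list rules, used to check why the nested ACL Chris posted requires both the source address and the TSIG key, while the plain `{ ip; key; }` form accepts either one. The address 192.0.2.10 and the key name "updkey" are constructed stand-ins for the list's `ip-addrs` and `key-name`; the model covers allow-update only and says nothing about update-policy.

```python
# Rules modelled (BIND 9 ARM, "Address Match Lists"): elements are tested in
# order and the first match decides; "!" negates; a nested list counts as a
# match for its parent only when its own first matching element is positive
# (a negated hit inside a nested list is treated as "no match" by the parent).
import ipaddress
from dataclasses import dataclass
from typing import Union


@dataclass
class Elem:
    value: Union[str, list]   # "any", an IP/CIDR, "key NAME", or a nested list
    negated: bool = False


def Not(value):               # helper: "! value"
    return Elem(value, negated=True)


def match(acl, src_ip, signer):
    """Return 1 (positive match), -1 (negated match) or 0 (no match)."""
    for e in acl:
        if isinstance(e.value, list):
            hit = match(e.value, src_ip, signer) > 0
        elif e.value == "any":
            hit = True
        elif e.value.startswith("key "):
            hit = signer == e.value[4:]
        else:
            hit = ipaddress.ip_address(src_ip) in ipaddress.ip_network(e.value)
        if hit:
            return -1 if e.negated else 1
    return 0


def update_allowed(acl, src_ip, signer=None):
    return match(acl, src_ip, signer) > 0


# Constructed values: trusted updater 192.0.2.10, TSIG key "updkey".
# Naive:  allow-update { 192.0.2.10; key updkey; };   -> IP *or* key is enough
NAIVE_ACL = [Elem("192.0.2.10/32"), Elem("key updkey")]
# Chris's: allow-update { ! { ! { 192.0.2.10; }; any; }; key updkey; };  -> IP *and* key
STRICT_ACL = [Not([Not([Elem("192.0.2.10/32")]), Elem("any")]), Elem("key updkey")]

if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("strict", STRICT_ACL)):
        for ip, key in (("192.0.2.10", "updkey"), ("192.0.2.10", None), ("198.51.100.7", "updkey")):
            print(f"{name:6} ip={ip:13} key={key}: {update_allowed(acl, ip, key)}")
```

The strict list denies an unsigned update from the trusted address and a correctly signed update from any other address, which the naive list does not.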


