tsig question

raf bind at raf.org
Fri Aug 20 11:46:46 UTC 2021


On Fri, Aug 20, 2021 at 09:33:01PM +1000, raf via bind-users <bind-users at lists.isc.org> wrote:

> Hi,
> 
> I want to use TSIG for zone transfers,
> only allowing zone transfers to
> particular IP addresses if they
> possess the TSIG shared secret.
> 
> The documentation at:
> 
>   https://bind9.readthedocs.io/en/latest/advanced.html
> 
> has this section:
> 
>   5.5.4. TSIG-Based Access Control
> 
> which gives this relevant but non-obvious example:
> 
>   allow-update { !{ !localnets; any; }; key host1-host2. ;};
> 
> which somehow means localnets *and* possesses the shared secret.
> 
> I've found old tutorials online that recommend:
> 
>   allow-update { key "KEYNAME"; };
> 
> Because (they say) including the IP address (no mention
> of nested negative boolean logic) allows the transfer
> if *either* the address matches *or* the key is known.
> 
> To do what I want, do I need to have this:
> 
>   allow-transfer { !{ !IPADDR; any; }; key KEYNAME; };
> 
> where IPADDR is the address(es) of the secondary
> (or the name of an acl containing the address(es)
> of the secondary)?
> 
> And if so, do I really want to? I'd like to, but
> that syntax is a bit gross. Maybe I'm being silly.
> Maybe I should just rely on the possession of the key.
> Thoughts?

Does this mean what I want?

  allow-transfer { !{ !IPADDR; !key KEYNAME; }; };

  meaning: not (not ipaddr or not possesses shared secret)
  meaning: ipaddr and possess shared secret

cheers,
raf
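Added here as an illustration, not part of the thread or of BIND itself: a small Python model of how BIND evaluates an address-match list used for access control (first matching element decides, a negated match denies, no match denies, and, as the model assumes from the BIND ARM and lib/dns/acl.c, a nested list only counts as matching when it would itself allow). IPADDR, KEYNAME and the client addresses are constructed sample values.

```python
from dataclasses import dataclass

# Constructed model of BIND address-match-list evaluation for access control
# (ASSUMPTION: follows the ARM text and lib/dns/acl.c):
#  - elements are tried in order; the first element that matches decides;
#  - a non-negated match allows, a negated match denies, no match denies;
#  - a nested list "matches" only when it would itself ALLOW; a nested list
#    that denies or has no match counts as "no match" for the outer list.

@dataclass
class Elem:
    kind: str            # "addr", "key" or "any"
    value: str = ""
    negated: bool = False

@dataclass
class Nested:
    elems: list
    negated: bool = False

ALLOW, DENY, NOMATCH = 1, -1, 0

def match_list(elems, addr, signer):
    """Return ALLOW, DENY or NOMATCH for a request from addr signed by signer."""
    for e in elems:
        if isinstance(e, Nested):
            # Only a positive inner result counts as a match of this element.
            matched = match_list(e.elems, addr, signer) == ALLOW
        elif e.kind == "any":
            matched = True
        elif e.kind == "addr":
            matched = (addr == e.value)
        else:  # "key": request carried a valid TSIG signature by this key
            matched = (signer == e.value)
        if matched:
            return DENY if e.negated else ALLOW
    return NOMATCH

def allowed(elems, addr, signer=None):
    """True when the transfer request would be granted."""
    return match_list(elems, addr, signer) == ALLOW

IPADDR, KEY = "192.0.2.53", "KEYNAME"   # constructed sample values
# allow-transfer { IPADDR; key KEYNAME; };             -> address OR key
either = [Elem("addr", IPADDR), Elem("key", KEY)]
# allow-transfer { !{ !IPADDR; any; }; key KEYNAME; }; -> address AND key
both = [Nested([Elem("addr", IPADDR, negated=True), Elem("any")], negated=True), Elem("key", KEY)]
# allow-transfer { !{ !IPADDR; !key KEYNAME; }; };     -> inner list can never allow
neg_only = [Nested([Elem("addr", IPADDR, negated=True), Elem("key", KEY, negated=True)], negated=True)]
```

Under this model the trailing `any` in the nested list is what makes the AND form work: an inner list made only of negated entries never produces a positive match, so the outer negated element never fires and nothing is allowed.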


