tsig security
Mark.Andrews at nominum.com
Tue Jul 3 01:10:45 UTC 2001
>
> > Is it possible to implement security such that both a certain IP address and
> > a keyname:secret are authenticated for a nsupdate command. If so how?
> > allow-update works based on IP but tsig works based on keys.
> >
>
> Well it's not clear whether you want the acl to perform an
> "and" or an "or" but either is possible.
>
> For IP address 1.2.3.4 and key "mykey".
>
> OR:
> allow-update { 1.2.3.4; key "mykey"; };
>
> AND:
> acl permit { 1.2.3.4; ... };
> acl denied { !denied; };
That should be:
acl denied { !permit; };
> allow-update { !denied; key "mykey"; };
>
> The denied acl may need an "any;" at the end, I'm doing this
> from memory. If there is only one IP address then you can
> collapse the permit into the denied.
>
> Mark
> >
> > Charles A. Bodley
> > Technician
> > TF Logic
> >
> > "It's amazing what you can do with a kind word,
> > provided you've also got a big stick."
> > - Johnny and the Dead
> --
> Mark Andrews, Nominum Inc.
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
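
Added example, not part of the original message: a small Python model of how the OR and AND lists above evaluate for each combination of source address and TSIG key. It assumes BIND 9's nested-acl rule (a negative match inside a referenced acl counts as no match for the element that names it); the address 192.0.2.7 and all function names are constructed for illustration.

```python
# Simplified model of named's address match lists (added example, not BIND code).
# Assumption: BIND 9 rule that a negative match inside a nested acl counts as
# "no match" for the element that references it.

def element_hits(elem, ip, key, acls):
    kind, value = elem
    if kind == "any":
        return True
    if kind == "ip":
        return ip == value
    if kind == "key":
        return key == value
    if kind == "acl":
        return evaluate(acls[value], ip, key, acls) > 0
    raise ValueError(f"unknown element kind: {kind}")

def evaluate(acl, ip, key, acls):
    """First matching element decides: 1 = allow, -1 = deny, 0 = nothing matched."""
    for negated, elem in acl:
        if element_hits(elem, ip, key, acls):
            return -1 if negated else 1
    return 0

def build_acls(denied_has_any):
    """acl permit { 1.2.3.4; };  acl denied { !permit; [any;] };"""
    denied = [(True, ("acl", "permit"))]
    if denied_has_any:
        denied.append((False, ("any", None)))
    return {"permit": [(False, ("ip", "1.2.3.4"))], "denied": denied}

# allow-update { 1.2.3.4; key "mykey"; };
OR_LIST = [(False, ("ip", "1.2.3.4")), (False, ("key", "mykey"))]
# allow-update { !denied; key "mykey"; };
AND_LIST = [(True, ("acl", "denied")), (False, ("key", "mykey"))]

# Constructed requests: (source address, TSIG key name or None if unsigned)
REQUESTS = [("1.2.3.4", "mykey"), ("1.2.3.4", None),
            ("192.0.2.7", "mykey"), ("192.0.2.7", None)]

def truth_table(acl, acls):
    return [evaluate(acl, ip, key, acls) > 0 for ip, key in REQUESTS]

if __name__ == "__main__":
    for label, acl, acls in [("OR", OR_LIST, build_acls(True)),
                             ("AND, denied ends in any;", AND_LIST, build_acls(True)),
                             ("AND, denied without any;", AND_LIST, build_acls(False))]:
        print(f"{label:26}", truth_table(acl, acls))
```

Under this model the AND list enforces the address check only when the denied acl ends in any;, since without it the third request (wrong address, right key) is allowed.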