TSIG should be that way??
Ian Watts
ian at radix.net
Fri Mar 9 21:32:12 UTC 2001
Osman,
I recently went through this myself. Thanks to other listers, this
solution was the simplest:
create an acl that blocks your IP address, then block that list for
updates or transfers:
acl slaves { ! xx.xx.xx.2; any; };   // matches every address except the slave
then something like:
zone "test.com" {
        type master;
        file "test.com";
        // deny anything matching "slaves" (every other host), then
        // allow only requests signed with the shared key
        allow-transfer { ! slaves; key shared-secret.; };
};
-- Ian
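To see why the double negation in Ian's acl works, here is a small Python model of how BIND evaluates an address match list, applied to both Osman's original allow-transfer and Ian's replacement. This is an added illustration, not code from either message or from BIND itself; it assumes the usual BIND 9 semantics (first matching element decides, a negated match denies, a nested acl that matched only through a negated element counts as "no match", and a `key` element matches a request carrying a valid TSIG signature with that key name). The IP addresses are constructed placeholders for xx.xx.xx.2 and an outsider.

```python
"""Model of BIND address-match-list evaluation (assumed BIND 9 semantics).

Rules modelled:
  * elements are tried in order; the first one that matches decides;
  * a negated element ("! x") that matches means DENY;
  * a nested acl counts as matching only if it matched positively;
  * a "key" element matches when the request is TSIG-signed with that key;
  * an empty result (nothing matched) means DENY.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    src_ip: str
    tsig_key: Optional[str] = None   # key name that signed the request, if any


# (negated, kind, value); kind is "ip", "any", "acl" or "key"
Element = Tuple[bool, str, str]
AclTable = Dict[str, List[Element]]


def match_list(elements: List[Element], req: Request, acls: AclTable) -> int:
    """Return +1 for a positive match, -1 for a negated match, 0 for no match."""
    for negated, kind, value in elements:
        if kind == "any":
            hit = True
        elif kind == "ip":
            hit = req.src_ip == value
        elif kind == "key":
            hit = req.tsig_key == value
        elif kind == "acl":
            # nested acl: a negated inner match is treated as "no match" here
            hit = match_list(acls[value], req, acls) > 0
        else:
            raise ValueError(f"unknown element kind {kind!r}")
        if hit:
            return -1 if negated else 1
    return 0


def allowed(elements: List[Element], req: Request, acls: AclTable) -> bool:
    return match_list(elements, req, acls) > 0


SLAVE_IP = "192.0.2.2"        # constructed stand-in for xx.xx.xx.2
OUTSIDER_IP = "198.51.100.7"  # constructed address of some other host

# Osman's config:  acl "slaves" { xx.xx.xx.2; };  allow-transfer { slaves; };
OSMAN_ACLS: AclTable = {"slaves": [(False, "ip", SLAVE_IP)]}
OSMAN_ALLOW: List[Element] = [(False, "acl", "slaves")]

# Ian's config:  acl slaves { ! xx.xx.xx.2; any; };
#                allow-transfer { ! slaves; key shared-secret.; };
IAN_ACLS: AclTable = {"slaves": [(True, "ip", SLAVE_IP), (False, "any", "")]}
IAN_ALLOW: List[Element] = [(True, "acl", "slaves"), (False, "key", "shared-secret.")]


def osman_transfer_allowed(req: Request) -> bool:
    return allowed(OSMAN_ALLOW, req, OSMAN_ACLS)


def ian_transfer_allowed(req: Request) -> bool:
    return allowed(IAN_ALLOW, req, IAN_ACLS)


if __name__ == "__main__":
    for req in (Request(SLAVE_IP, "shared-secret."), Request(SLAVE_IP),
                Request(OUTSIDER_IP, "shared-secret."), Request(OUTSIDER_IP)):
        print(f"{req.src_ip:13} key={str(req.tsig_key):15} "
              f"Osman: {osman_transfer_allowed(req)!s:5} Ian: {ian_transfer_allowed(req)}")
```

Running it reproduces Osman's observation: with his list the slave's address alone is enough, signed or not. With Ian's list the slave's address makes `! slaves` fall through as "no match", so the decision passes to the `key` element, while any other address matches `any` inside the acl and is denied by the negation before the key is ever consulted.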
On Fri, 9 Mar 2001, Osman Shoukry wrote:
> Hi,
>
> I am unable to really understand how the TSIG works, even though I have
> configured it, but here is what I see. I remove the key from the slave, the
> transfer of zones goes through.
> I keep it, the request is signed and the transfer goes through. If I remove
> the TSIG section from the master, then the transfer fails.
>
> How do I forbid transfer unless the request is signed AND coming from the
> correct IP (or is that not possible)??
>
> Here is my current config, maybe there is something I am overlooking..
>
> ========== Master Config
> key shared-secret. {
> algorithm hmac-md5;
> secret "Mxb8ljzEodY9sUkFi3cSYQ==";
> };
>
> server xx.xx.xx.2 {
> transfer-format many-answers;
> keys { shared-secret. ; };
> };
> acl "slaves" { xx.xx.xx.2; };
> options {
> directory "/var/named";
> allow-transfer { none; };
> pid-file "/var/run/named.pid";
> };
> zone "test.com" {
> type master;
> file "test.com";
> allow-transfer { slaves; };
> };
>
> ========== Slave config
> key shared-secret. {
> algorithm hmac-md5;
> secret "Mxb8ljzEodY9sUkFi3cSYQ==";
> };
> server xx.xx.xx.1 {
> keys { shared-secret. ; };
> };
>
> options {
> directory "/var/named";
> allow-transfer { none; };
> pid-file "/var/run/named.pid";
> };
> zone "test.com" {
> type slave;
> file "test.com";
> masters { xx.xx.xx.1; };
> };
>
> Thank you for any help you can offer,
>
> Osman Shoukry
>
> PS: Please excuse me for reposting this, but I didn't assign a subject, that
> is why I am reposting.