Thank you very much Chris, this worked!

--a

On Sat, Jun 12, 2010 at 11:20 PM, Chris Buxton <chris.p.bux...@gmail.com> wrote:
> There is a way when using allow-update. I have no idea if this works
> with update-policy. It looks something like this:
>
> allow-update { ! { ! { ip-addrs; }; any; }; key-name; };
>
> To understand this, remember that a negative ACL is not the same as
> not listing the IP at all. It says, in essence, "Deny anyone we don't
> trust, by IP. Then permit requests signed with the right key."
>
> Regards,
> Chris Buxton
> BlueCat Networks
>
> On 6/12/10, Angela Perez <perez.ange...@googlemail.com> wrote:
>> Hi,
>>
>> I have a question on using signed (TSIG) dynamic updates. My
>> understanding is that both allow-update and update-policy allow
>> either a host or a key.
>>
>> Is there any way (or workaround) to make bind only accept dynamic
>> updates from a specific host that has the specific key?
>>
>> The problem I have is I work for a site that wants to issue signed
>> dynamic updates to an external dns server. Since dynamic updates use
>> port 53 and there is no way to control access on the network level,
>> I'm looking for a way to convince bind to only accept dynamic updates
>> if they originate from a specific host *and* are signed with the
>> specific key.
>>
>> Thank you for taking the time to read my message,
>> --a
>> _______________________________________________
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
> --
> Sent from my mobile device
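
The nested negation in the reply above, worked through as an added example (not part of the thread and not BIND's code). It is a simplified model that assumes first-match-wins evaluation and that a negative match inside a nested list counts as "no match" for the enclosing element; the address 192.0.2.10 and the key name ddns-key are constructed stand-ins for ip-addrs and key-name.

```python
"""Simplified model of BIND address-match-list evaluation (added example).
Assumption: the first matching element wins, and a negative match inside a
nested list counts as "no match" for the enclosing element."""
import ipaddress

def match(acl, src_ip, signer):
    """Return +1 (positive match), -1 (negative match) or 0 (no match)."""
    for negated, elem in acl:
        if isinstance(elem, list):                 # nested { ... } list
            hit = match(elem, src_ip, signer) > 0  # inner negative => no match
        elif elem == "any":
            hit = True
        elif elem.startswith("key "):              # TSIG key name of the signer
            hit = signer == elem[4:]
        else:                                      # single address or prefix
            hit = ipaddress.ip_address(src_ip) in ipaddress.ip_network(elem)
        if hit:
            return -1 if negated else 1
    return 0

def allowed(acl, src_ip, signer=None):
    """An update is accepted only on a positive match."""
    return match(acl, src_ip, signer) > 0

# Constructed values: 192.0.2.10 stands in for "ip-addrs",
# "ddns-key" for "key-name".
TRUSTED = [(False, "192.0.2.10")]
# allow-update { ! { ! { ip-addrs; }; any; }; key-name; };   -> host AND key
HOST_AND_KEY = [(True, [(True, TRUSTED), (False, "any")]),
                (False, "key ddns-key")]
# allow-update { ip-addrs; key-name; };                      -> host OR key
HOST_OR_KEY = [(False, "192.0.2.10"), (False, "key ddns-key")]

if __name__ == "__main__":
    cases = [("192.0.2.10", "ddns-key"), ("192.0.2.10", None),
             ("203.0.113.5", "ddns-key"), ("203.0.113.5", None)]
    for ip, key in cases:
        print(f"{ip:<12} key={key!s:<9} "
              f"and={allowed(HOST_AND_KEY, ip, key)} "
              f"or={allowed(HOST_OR_KEY, ip, key)}")
```

A trusted address falls through the outer negated element because the inner list matched it negatively, so the key is the only thing left that can admit it; any other address hits `any` inside the negated list and is denied before the key is consulted.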