Thank you very much Chris, this worked!
--a

On Sat, Jun 12, 2010 at 11:20 PM, Chris Buxton <[email protected]> wrote:
> There is a way when using allow-update. I have no idea if this works
> with update-policy. It looks something like this:
>
> allow-update { ! { ! { ip-addrs; }; any; }; key-name; };
>
> To understand this, remember that a negative ACL is not the same as
> not listing the IP at all. It says, in essence, "Deny anyone we don't
> trust, by IP. Then permit requests signed with the right key."
>
> Regards,
> Chris Buxton
> BlueCat Networks
>
> On 6/12/10, Angela Perez <[email protected]> wrote:
>> Hi,
>>
>> I have a question on using signed (TSIG) dynamic updates. My
>> understanding is that both allow-update and update-policy allow
>> either a host or a key.
>>
>> Is there any way (or workaround) to make bind only accept dynamic
>> updates from a specific host that has the specific key?
>>
>> The problem I have is I work for a site that wants to issue signed
>> dynamic updates to an external dns server. Since dynamic updates use
>> port 53 and there is no way to control access on the network level,
>> I'm looking for a way to convince bind to only accept dynamic updates
>> if they originate from a specific host *and* are signed with the
>> specific key.
>>
>> Thank you for taking the time to read my message,
>> --a
>> _______________________________________________
>> bind-users mailing list
>> [email protected]
>> https://lists.isc.org/mailman/listinfo/bind-users
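
Added example (not part of the thread and not BIND source code): a simplified Python model of how named walks an address match list, showing why the nested negation quoted above yields "host AND key" while a flat list yields "host OR key". The address 192.0.2.10 and the key name ddns-key. are constructed placeholders standing in for ip-addrs and key-name.

```python
import ipaddress

# An ACL is a list of (negated, element) pairs. An element is one of:
#   "any"                     matches every request
#   ("net", "192.0.2.10/32")  matches on the source address
#   ("key", "ddns-key.")      matches the TSIG key that signed the request
#   a nested list             evaluated recursively
def match(acl, src, key):
    """Return +1 (allow), -1 (deny) or 0 (no element matched)."""
    for negated, elem in acl:
        if isinstance(elem, list):
            # A nested list counts as a hit only on a positive match; a
            # negative result inside it is treated as "no match" here.
            hit = match(elem, src, key) > 0
        elif elem == "any":
            hit = True
        elif elem[0] == "net":
            hit = ipaddress.ip_address(src) in ipaddress.ip_network(elem[1])
        else:  # ("key", name)
            hit = key == elem[1]
        if hit:  # first matching element decides
            return -1 if negated else 1
    return 0

def allowed(acl, src, key=None):
    return match(acl, src, key) > 0

TRUSTED = ("net", "192.0.2.10/32")  # constructed placeholder for ip-addrs
KEY = ("key", "ddns-key.")          # constructed placeholder for key-name

# allow-update { 192.0.2.10; key ddns-key.; };  -> host OR key
HOST_OR_KEY = [(False, TRUSTED), (False, KEY)]

# allow-update { ! { ! { 192.0.2.10; }; any; }; key ddns-key.; };  -> host AND key
HOST_AND_KEY = [(True, [(True, [(False, TRUSTED)]), (False, "any")]),
                (False, KEY)]

CASES = [("192.0.2.10", "ddns-key."),   # trusted host, signed
         ("192.0.2.10", None),          # trusted host, unsigned
         ("203.0.113.5", "ddns-key."),  # other host, signed (stolen key)
         ("203.0.113.5", None)]         # other host, unsigned

def truth_table(acl):
    return [allowed(acl, src, key) for src, key in CASES]

if __name__ == "__main__":
    for name, acl in (("flat", HOST_OR_KEY), ("nested", HOST_AND_KEY)):
        print(name, dict(zip(CASES, truth_table(acl))))
```

The third case is the one the original question is about: with the flat list a signed update from any address is accepted, with the nested form it is rejected before the key is considered.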

