correct syntax for TSIG IP restrictions for named-ACL versus just IP?
i've bind9 running as a primary host to a number of bind-and-other slaves. i'm trying to set up to use different TSIG keys with different secondaries. in my named.conf, i've

    ...
    acl acl_slave_1 { 1.1.1.1; };
    acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; };
    ...
    zone "test.com" {
        type master;
        file "/master/test.com.hosts";
        allow-transfer {
            { !{!1.1.1.1;}; key key-slave-1; };
            { !{!acl_slave_2;}; key key-slave-2; };
        };
        allow-update { none; };
    };
    ...
    key key-slave-1 {
        algorithm hmac-md5;
        secret "Cf...g==";
    };
    key key-slave-2 {
        algorithm hmac-md5;
        secret "rl...8==";
    };

in this conf, IXFR to 1.1.1.1 with TSIG works as expected. but, *NO* IXFR occurs to any slave in acl_slave_2{}.

if, however, I change to

    --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!acl_slave_2;}; key key-slave-2; }; };
    +++ allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!2.2.2.2;}; key key-slave-2; }; };

IXFR to 1.1.1.1 and 2.2.2.2 both occur OK with TSIG.

also, with

    --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!acl_slave_2;}; key key-slave-2; }; };
    +++ allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; acl_slave_2; };

IXFR to 1.1.1.1 with TSIG, and to all slaves in acl_slave_2{} without TSIG, both occur OK.

what's the right syntax for enabling IXFR to the entire TSIG- and IP-restricted set of hosts in acl_slave_2{}?

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?
hi,

On Sun, 05 Dec 2010 19:16 +0100, Sten Carlsen st...@s-carlsen.dk wrote:

> Given that you control your key distribution correctly and safely, would the following work?
>
>     allow-transfer { key key-slave-1; key key-slave-2; };
>
> Only relevant slaves have the various keys, so do you need to have the IPs mentioned here?

the goal is to have both IP- and key-restrictions in place.

fwiw, the orig example i found for this was @:

    https://lists.isc.org/pipermail/bind-users/2009-April/075985.html

thanks!
Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?
hi,

On Sun, 05 Dec 2010 20:57 +0000, Evan Hunt e...@isc.org wrote:

> I haven't tested this, but I think it will do what you want:
>
>     ...
>     allow-transfer {
>         { !notslave1; key key1; };
>         { !notslave2; key key2; };
>         none;
>     };

this !acl format works, but only in the single ACL case. i.e.,

    allow-transfer { { !notslave1; key key1; }; none; };

    allow-transfer { { !notslave2; key key2; }; none; };

both work as expected. but,

    allow-transfer { { !notslave1; key key1; }; { !notslave2; key key2; }; none; };

only enables AXFR to slave1 -- slave2 no longer seems to initiate any transfers, as if it's not getting any notify.

still poking around ...

> I wrote an explanation of BIND ACLs on this list a few years back that you may find helpful in explaining the syntactic insanity:
>
>     http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html

yes, to 'insanity', and yes to 'helpful'.

thanks!
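The three allow-transfer styles discussed in this thread (the poster's `!{!ip;}; key k;` form, Evan Hunt's `{ !notslaveN; key keyN; }` form, and Sten Carlsen's key-only list) differ in which (client address, TSIG signer) pairs they actually admit. The following is an added example, not code from the thread or from ISC: a small Python model of BIND's address-match-list evaluation (first match wins; a negated element inverts the sign of its match; a nested list that matches negatively counts as no match for the enclosing element, which is the rule the example assumes and relies on). The bodies of `notslave1`/`notslave2` are never shown in the thread, so the example assumes them to be "everyone except that slave", and 9.9.9.9 is a constructed address belonging to no slave. The model encodes the matching rules, not the behaviour of any specific named build, so it does not speak to why the reporter's acl_slave_2 variant stopped transferring.

```python
# Added example (not from the thread): a model of how BIND evaluates an
# address match list, used to compare the allow-transfer forms discussed.
#
# Element grammar used here:
#   "1.1.1.1" / "10.0.0.0/8"   IP address or prefix
#   "any"                        matches every client (positively)
#   "none"                       shorthand for !any: a negative match for everyone
#   ("key", "name")              matches a request signed with that TSIG key
#   ("acl", "name")              reference to a named acl in ACLS
#   [ ... ]                      a nested list (braces in named.conf)
#   ("not", element)             a negated element
import ipaddress

# Named ACLs. acl_slave_2 is the thread's own; notslave1/notslave2 are not
# shown in the thread, so their bodies ("everything except that slave") are
# an assumption of this example.
ACLS = {
    "acl_slave_2": ["2.2.2.2", "3.3.3.3", "4.4.4.4", "5.5.5.5"],
    "notslave1": [("not", "1.1.1.1"), "any"],
    "notslave2": [("not", "2.2.2.2"), "any"],
}


def match_list(aml, addr, signer):
    """First match wins: +1 positive match, -1 negative match, 0 no match."""
    for elem in aml:
        sign = match_element(elem, addr, signer)
        if sign != 0:
            return sign
    return 0


def match_element(elem, addr, signer):
    """Sign of one element's match against (client address, TSIG signer)."""
    if isinstance(elem, list):
        # Nested-list rule assumed by this model: a negative match inside a
        # nested list is treated as "no match" for the enclosing element, so
        # evaluation moves on to the next sibling instead of denying.  That is
        # what lets "{ !everyone-but-X; key k; }" mean "X and signed with k".
        return 1 if match_list(elem, addr, signer) > 0 else 0
    if isinstance(elem, tuple):
        kind, arg = elem
        if kind == "not":
            return -match_element(arg, addr, signer)   # 0 stays 0
        if kind == "acl":
            return match_element(ACLS[arg], addr, signer)
        if kind == "key":
            return 1 if signer == arg else 0
        raise ValueError(f"unknown element kind {kind!r}")
    if elem == "any":
        return 1
    if elem == "none":
        return -1
    net = ipaddress.ip_network(elem, strict=False)
    return 1 if ipaddress.ip_address(addr) in net else 0


def transfer_allowed(allow_transfer, addr, signer=None):
    """allow-transfer grants only on a positive match; a negative match or
    running off the end of the list denies."""
    return match_list(allow_transfer, addr, signer) > 0


# Evan Hunt's suggested form.
EVAN_FORM = [
    [("not", ("acl", "notslave1")), ("key", "key1")],
    [("not", ("acl", "notslave2")), ("key", "key2")],
    "none",
]

# The original poster's form: the negated inner list carries no "any;".
OP_FORM = [
    [("not", [("not", "1.1.1.1")]), ("key", "key-slave-1")],
    [("not", [("not", ("acl", "acl_slave_2"))]), ("key", "key-slave-2")],
]

# Sten Carlsen's key-only alternative.
KEY_ONLY = [("key", "key-slave-1"), ("key", "key-slave-2")]


def report(name, aml, cases):
    """Evaluate (address, signer) cases against a list; return {case: allowed}."""
    results = {case: transfer_allowed(aml, *case) for case in cases}
    for (addr, signer), allowed in results.items():
        verdict = "allow" if allowed else "deny"
        print(f"{name:9} {addr:>8} signed={str(signer):12} -> {verdict}")
    return results


if __name__ == "__main__":
    # 9.9.9.9 is a constructed address for a host that is in neither ACL.
    report("evan", EVAN_FORM, [("1.1.1.1", "key1"), ("2.2.2.2", "key2"),
                               ("2.2.2.2", "key1"), ("9.9.9.9", "key1"),
                               ("1.1.1.1", None)])
    report("op", OP_FORM, [("1.1.1.1", "key-slave-1"), ("3.3.3.3", "key-slave-2"),
                           ("9.9.9.9", "key-slave-1"), ("1.1.1.1", None)])
    report("key-only", KEY_ONLY, [("9.9.9.9", "key-slave-2"), ("1.1.1.1", None)])
```

Under these rules Evan Hunt's form yields the intended "this address AND this key" check: the negated "everyone but slave N" list denies every other address outright, while for slave N itself it matches negatively, is treated as no match, and hands evaluation to the key element. The poster's `!{!1.1.1.1;}` has no `any;` inside, so for an address other than 1.1.1.1 the inner list simply does not match and the key element alone decides; under the modeled rule that form restricts by key but not by address, the same outcome as the key-only list. Separately from the syntax question, both keys in the thread use hmac-md5; current BIND releases generate and recommend SHA-2 TSIG algorithms such as hmac-sha256.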