correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread pgngw+dev001+bind-users
i've bind9 running as a primary host to a number of bind-and-other
slaves.

i'm trying to set up to use different TSIG keys with different
secondaries.

in my named.conf, i've

...
acl acl_slave_1 { 1.1.1.1; };
acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; };
...
zone test.com {
type master; file /master/test.com.hosts;
allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
!{!acl_slave_2;}; key key-slave-2; }; };
allow-update { none; };
};
...
key key-slave-1 { algorithm hmac-md5; secret Cf...g==; };
key key-slave-2 { algorithm hmac-md5; secret rl...8==; };

in this conf, IXFR to 1.1.1.1 with TSIG works as expected.  but, *NO*
IXFR occurs to any slave in acl_slave_2{}.

if, however, I change to

--- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
!{!acl_slave_2;}; key key-slave-2; }; };
+++ allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
!{!2.2.2.2;}; key key-slave-2; }; };

IXFR to 1.1.1.1 & 2.2.2.2 both occur OK with TSIG.

also, with

--- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
!{!acl_slave_2;}; key key-slave-2; }; };
+++ allow-transfer { { !{!1.1.1.1;}; key key-slave-1; };
acl_slave_2; };

IXFR to 1.1.1.1 with TSIG & to all slaves in acl_slave_2{}, without
TSIG, both occur OK.

what's the right syntax for enabling IXFR to the entire TSIG- &
IP-restricted set of hosts in acl_slave_2{}?
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread Sten Carlsen
Given that you control your key distribution correctly and safely, would
the following work?

allow-transfer { key key-slave-1; key key-slave-2; };


Only relevant slaves have the various keys, so do you need to have the
IPs mentioned here?


On 05/12/10 18:10, pgngw+dev001+bind-us...@f-m.fm wrote:

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!! 


Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread pgngw+dev001+bind-users
hi,

On Sun, 05 Dec 2010 19:16 +0100, Sten Carlsen st...@s-carlsen.dk
wrote:
> Given that you control your key distribution correctly and safely, would
> the following work?
>
> allow-transfer { key key-slave-1; key key-slave-2; };
>
>
> Only relevant slaves have the various keys, so do you need to have the
> IPs mentioned here?

the goal is to have both IP- & key- restrictions in place.

fwiw, the orig example i found for this was @:
https://lists.isc.org/pipermail/bind-users/2009-April/075985.html

thanks!


Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread Evan Hunt
> what's the right syntax for enabling IXFR to the entire TSIG- &
> IP-restricted set of hosts in acl_slave_2{}?

I haven't tested this, but I think it will do what you want:

allow-transfer {
{ !{ !1.1.1.1; any; }; key key1; };
{ !{ !2.2.2.2; !3.3.3.3; !4.4.4.4; any; }; key key2; };
};

If you want to use named ACLs, then I think you need to define them
backwards, to reject not accept, something like this:

# pass through any host except slave1 hosts
acl notslave1 { !1.1.1.1; any; };

# pass through any host except slave2 hosts
acl notslave2 { !2.2.2.2; !3.3.3.3; !4.4.4.4; any; };

allow-transfer {
{ !notslave1; key key1; };
{ !notslave2; key key2; };
none;
};

I wrote an explanation of BIND ACLs on this list a few years back that
you may find helpful in explaining the syntactic insanity:

http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
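Added here as an illustration, not code from the thread or from ISC: a small Python model of the address-match-list evaluation that Evan's backwards-ACL construction relies on, run over his form and the original !{!1.1.1.1;} form. The model assumes two rules (assumptions of the model, not statements from the thread): the first element that matches decides a list, and a nested list that matched negatively counts as no match at the level enclosing it.

```python
import ipaddress

# Named ACLs, filled in below with the "backwards" definitions from Evan's
# reply. An element is (negated, value); value is an address or prefix
# string, "any", "none", "key NAME", the name of a named acl, or a nested list.
ACLS = {}

def match(acl, addr, signer):
    """Evaluate one address-match list: +1 accept, -1 reject, 0 no match."""
    for neg, elem in acl:
        if elem == "none":                        # 'none' behaves as '!any'
            neg, elem = (not neg), "any"
        if isinstance(elem, list):                # nested { ... }
            hit = match(elem, addr, signer) > 0   # negative inner -> no match
        elif elem in ACLS:                        # reference to a named acl
            hit = match(ACLS[elem], addr, signer) > 0
        elif elem.startswith("key "):             # TSIG signer name
            hit = signer == elem[4:]
        elif elem == "any":
            hit = True
        else:                                     # address or CIDR prefix
            net = ipaddress.ip_network(elem, strict=False)
            hit = ipaddress.ip_address(addr) in net
        if hit:                                   # first match decides
            return -1 if neg else 1
    return 0

def allowed(acl, addr, signer=None):
    """True when a transfer from addr, signed with TSIG key signer, is accepted."""
    return match(acl, addr, signer) > 0

# Evan's form: named ACLs that reject the slaves, negated next to the key.
ACLS["notslave1"] = [(True, "1.1.1.1"), (False, "any")]
ACLS["notslave2"] = [(True, "2.2.2.2"), (True, "3.3.3.3"), (True, "4.4.4.4"),
                     (False, "any")]
EVAN = [
    (False, [(True, "notslave1"), (False, "key key1")]),
    (False, [(True, "notslave2"), (False, "key key2")]),
    (False, "none"),
]

# The original poster's form for slave 1: !{ !1.1.1.1; } followed by the key.
ORIGINAL = [(False, [(True, [(True, "1.1.1.1")]), (False, "key key-slave-1")])]

if __name__ == "__main__":
    for addr, key in (("1.1.1.1", "key1"), ("2.2.2.2", "key2"),
                      ("2.2.2.2", "key1"), ("9.9.9.9", "key2"), ("1.1.1.1", None)):
        print("evan    ", addr, key, allowed(EVAN, addr, key))
    for addr, key in (("1.1.1.1", "key-slave-1"), ("9.9.9.9", "key-slave-1"),
                      ("1.1.1.1", None)):
        print("original", addr, key, allowed(ORIGINAL, addr, key))
```

Under these rules the original form checks only the key (any source address presenting key-slave-1 is accepted), while Evan's form requires both the listed address and its key; verify against a real named before relying on either.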


Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread pgngw+dev001+bind-users

hi,

On Sun, 05 Dec 2010 20:57 +, Evan Hunt e...@isc.org wrote:
> I haven't tested this, but I think it will do what you want:
...
> allow-transfer {
> { !notslave1; key key1; };
> { !notslave2; key key2; };
> none;
> };

this !acl format works, but only in the single ACL case.  i.e.,

  allow-transfer { { !notslave1; key key1; }; none; };
  allow-transfer { { !notslave2; key key2; }; none; };

both work as expected.  but,

  allow-transfer { { !notslave1; key key1; }; { !notslave2; key key2; };
  none; };

only enables AXFR to slave1 -- slave2 no longer seems to initiate any
transfers, as if it's not getting any notify.

still poking around ...

> I wrote an explanation of BIND ACLs on this list a few years back that
> you may find helpful in explaining the syntactic insanity:
>
> http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html

yes, to 'insanity', and yes to 'helpful'.  thanks!