On Nov 14, 2008, at 12:40 PM, blrmaani wrote:
All,
I use BIND 9.2 on Linux. I was experimenting with a feature to allow
dynamic updates based on BOTH of the following:
1. Secret key (TSIG)
2. Subnet.

Unfortunately, I realized that we can specify only one of the above in
allow-update {} ACL.
If I specify both, it doesn't work as expected.

Question:
1. Is there a way to achieve this?

Use a firewall (with deep packet inspection) to restrict by subnet. Then use the TSIG key in the allow-update statement.

Unfortunately, to my knowledge, that's the only way to do this.

2. Is this feature part of BIND 9.3, 9.4, 9.5 or 9.6? (I haven't found
anything related to this in the documentation for these versions.)

No. The first item in the list that matches, matches. No other entry is considered.

3. If it is already supported in BIND 9.2, I'd appreciate it if anyone
can point me to the right documentation.

Here is what I'm expecting:

// This should allow update only if the update is from 10/8 subnet AND
key matches:
allow-update { key "...." ; 10/8; }

An ACL in BIND is an "or" list - the packet being filtered only has to pass any one test in the list.

Chris Buxton
Professional Services
Men & Mice

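Added example, not part of the thread: a small Python model of how BIND walks an address match list, showing why the ACL from the question (`{ key "..."; 10/8; }`) accepts an update that satisfies either entry, and how the firewall-plus-TSIG layering from the reply yields the intended "both" check. The key name `upd-key` and the sample source addresses are constructed; negated (`!`) entries are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Update:
    src: str                    # source address of the DNS UPDATE packet
    key: Optional[str] = None   # TSIG key name that signed it, None if unsigned


def bind_prefix(entry: str) -> ipaddress.IPv4Network:
    """Expand BIND shorthand such as '10/8' to '10.0.0.0/8'."""
    addr, _, plen = entry.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def acl_match(entries: List[str], upd: Update) -> bool:
    """BIND semantics: the first entry that matches decides; with no negated
    entries that means any single match permits (an OR list), and an update
    that matches nothing is denied."""
    for entry in entries:
        if entry.startswith("key "):
            if upd.key == entry.split()[1]:
                return True
        elif ipaddress.ip_address(upd.src) in bind_prefix(entry):
            return True
    return False


# The ACL from the question, as named would evaluate it (constructed key name).
ALLOW_UPDATE = ["key upd-key", "10/8"]


def bind_only(upd: Update) -> bool:
    """allow-update { key upd-key; 10/8; } on its own."""
    return acl_match(ALLOW_UPDATE, upd)


def firewall_then_bind(upd: Update, allowed_net: str = "10.0.0.0/8") -> bool:
    """The layering suggested in the reply: a firewall drops UPDATE traffic
    from outside the subnet before named sees it, and named then requires
    the TSIG key. Only an update that passes both checks is accepted."""
    if ipaddress.ip_address(upd.src) not in ipaddress.ip_network(allowed_net):
        return False
    return acl_match(["key upd-key"], upd)
```

Running the two functions over the same updates shows the gap: an unsigned update from inside 10/8, or a correctly signed one from anywhere, passes `bind_only`, while `firewall_then_bind` accepts only the signed update from inside the subnet.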
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users