On 5 January 2017 at 14:36, Lars Kulseng <[email protected]> wrote:

>
> I wasn't aware that the ACL-clause could include TSIG-keys as well as
> IP-addresses.
>

As I understand it, you have to be careful mixing TSIG keys and IP
addresses within an ACL, as it's "first match wins".

So if you have a key and an IP listed in the same ACL, then anyone with
the key (from any IP), or anyone from that IP (without the key) will match
the ACL, which is unlikely to be what you wanted (presumably you actually
wanted "from this IP, with this key" to be the only matching case).

You can either use the approach you initially suggested, or try and use the
sort of approach listed here:
http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-allow-update

It's been a while since I've looked at ACLs though, so if the situation has
changed in more modern versions of bind I'd be very appreciative if people
could point me towards the appropriate docs :)

-Paul
-- 
----------------------------------------------------------------------
Paul Seward,    Senior Systems Administrator,    University of Bristol
[email protected]  +44 (0)117 39 41148    GPG Key ID: E24DA8A2
GPG Fingerprint:    7210 4E4A B5FC 7D9C 39F8  5C3C 6759 3937 E24D A8A2
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
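
The "first match wins" behaviour discussed in the message above, as an added example (not part of the original post and not BIND's own code): a simplified Python model of address-match-list evaluation that compares a flat list mixing an IP and a key with a nested, negated list that requires both. The address 192.0.2.10, the second client address, and the key name "ddns-key" are constructed for illustration, and the model ignores details of how named orders address lookups internally.

```python
"""Simplified model of BIND address-match-list evaluation (added example)."""
from ipaddress import ip_address, ip_network

# An element is (negated, kind, value); kind is "ip", "key", "any" or "acl".
def element_matches(kind, value, src, key):
    if kind == "any":
        return True
    if kind == "ip":
        return ip_address(src) in ip_network(value)
    if kind == "key":
        return key == value
    # Nested ACL: only a positive result counts as a match. A negative
    # result inside the nested list is "no match" for the parent list.
    return evaluate(value, src, key) > 0

def evaluate(acl, src, key):
    """Return +1 (accept), -1 (reject) or 0 (nothing matched)."""
    for negated, kind, value in acl:
        if element_matches(kind, value, src, key):
            return -1 if negated else 1  # first matching element decides
    return 0

def allowed(acl, src, key=None):
    return evaluate(acl, src, key) > 0

# Constructed values: documentation addresses and a made-up key name.
# named.conf form: { 192.0.2.10; key "ddns-key"; }
MIXED = [(False, "ip", "192.0.2.10"), (False, "key", "ddns-key")]
# named.conf form: { !{ !192.0.2.10; any; }; key "ddns-key"; }
COMBINED = [
    (True, "acl", [(True, "ip", "192.0.2.10"), (False, "any", None)]),
    (False, "key", "ddns-key"),
]

CLIENTS = [
    ("192.0.2.10", "ddns-key"),   # right IP, right key
    ("192.0.2.10", None),         # right IP, unsigned
    ("203.0.113.5", "ddns-key"),  # other IP, right key
    ("203.0.113.5", None),        # other IP, unsigned
]

def truth_table(acl):
    return [allowed(acl, src, key) for src, key in CLIENTS]

if __name__ == "__main__":
    for name, acl in (("mixed", MIXED), ("combined", COMBINED)):
        for (src, key), ok in zip(CLIENTS, truth_table(acl)):
            print(f"{name:9} src={src:12} key={key!s:9} -> {'allow' if ok else 'deny'}")
```

The flat list admits three of the four clients, while the nested form admits only the signed request from 192.0.2.10.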
