It ought to be possible to write a front-end to listen on the standard control channel and only forward (properly-keyed) 'status' requests to the "real" port that BIND listens to.
>From looking at the RNDC exchange via Wireshark however, you'd have to adapt >some of BIND's code that does the encryption / key-signing of RNDC requests. >Still, for us users, that might be safer -- and more update resistant -- than >modifying BIND itself. On Thu, 17 Jun 2021 11:48:36 -0800 John Thurston <john.thurs...@alaska.gov> wrote: > I see I can define (using the 'controls' statement) a 'read-only' inet > channel. I suspect I could define a couple of channels on the same > address if I put them on different ports. Is there a way to define a > single 'read-write' channel, and then limit certain keys to read-only > access on it? > > Here's the scenario: > > I'd like to have a single control channel listening (on port 953, for > example). I'd like to say the key named "foo" can do lots of things, but > the key named "bar" can only submit a "status" message. This would let > our monitoring application ask for "status" without also letting it ask > for "reload" or "flushname". > _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
