tsig security

Mark.Andrews at nominum.com
Tue Jul 3 01:09:17 UTC 2001


> Is it possible to implement security such that both a certain IP address and
> a keyname:secret are authenticated for an nsupdate command? If so, how?
> allow-update works based on IP but tsig works based on keys.
> 

	Well, it's not clear whether you want the acl to perform an
	"and" or an "or" but either is possible.

	For IP address 1.2.3.4 and key "mykey".

	OR:
		allow-update { 1.2.3.4; key "mykey"; };

	AND:
		acl permit { 1.2.3.4; ... };
		acl denied { !permit; };
		allow-update { !denied; key "mykey"; };

	The denied acl may need an "any;" at the end, I'm doing this
	from memory.  If there is only one IP address then you can
	collapse the permit into the denied.

	Mark
> 
> Charles A. Bodley
> Technician
> TF Logic
> 
> "It's amazing what you can do with a kind word,
> provided you've also got a big stick."
> - Johnny and the Dead
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
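
Added example (not part of the original message, and not BIND code): a simplified Python model of address-match-list evaluation. It assumes that the first matching element wins, that "!" turns a match into a rejection, and that a negative match inside a nested ACL counts as no match in the parent. It compares the OR and AND forms above, with the denied acl written as { !permit; } and as { !permit; any; }, using the constructed outside address 5.6.7.8.

```python
import ipaddress

# Simplified model (an assumption of this example, not BIND source code):
# first matching element wins, "!" makes that match a rejection, and a
# negative match inside a nested ACL is "no match" for the referencing element.

def match(acl, acls, addr, key):
    """Return +1 (accept), -1 (reject) or 0 (no element matched)."""
    for elem in acl:
        negated = elem.startswith("!")
        term = elem.lstrip("!")
        if term == "any":
            hit = True
        elif term.startswith("key "):
            hit = key == term[4:]          # request signed with this TSIG key
        elif term in acls:                 # reference to a named acl
            hit = match(acls[term], acls, addr, key) > 0
        else:                              # literal address or prefix
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(term)
        if hit:
            return -1 if negated else 1
    return 0

def allowed(policy, acls, addr, key=None):
    return match(policy, acls, addr, key) > 0

# Policies from the message, expressed as lists of elements.
OR_POLICY = ["1.2.3.4", "key mykey"]
AND_POLICY = ["!denied", "key mykey"]
ACLS_NO_ANY = {"permit": ["1.2.3.4"], "denied": ["!permit"]}
ACLS_WITH_ANY = {"permit": ["1.2.3.4"], "denied": ["!permit", "any"]}

# Constructed test requests: (source address, TSIG key name or None).
CASES = [("1.2.3.4", "mykey"), ("1.2.3.4", None),
         ("5.6.7.8", "mykey"), ("5.6.7.8", None)]

def truth_table(policy, acls):
    return [allowed(policy, acls, addr, key) for addr, key in CASES]

if __name__ == "__main__":
    for name, policy, acls in [("OR", OR_POLICY, ACLS_WITH_ANY),
                               ("AND, no any", AND_POLICY, ACLS_NO_ANY),
                               ("AND, with any", AND_POLICY, ACLS_WITH_ANY)]:
        print(name, dict(zip(CASES, truth_table(policy, acls))))
```

Under these assumptions the AND form without "any;" accepts a request signed with the key from any source address, so the trailing "any;" is what enforces the IP restriction.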

