tsig security

Mark.Andrews at nominum.com
Tue Jul 3 01:10:45 UTC 2001


> 
> > Is it possible to implement security such that both a certain IP address and
> > a keyname:secret are authenticated for an nsupdate command? If so, how?
> > allow-update works based on IP but tsig works based on keys.
> > 
> 
> 	Well it's not clear whether you want the acl to perform a
> 	"and" or a "or" but either is possible.
> 
> 	For IP address 1.2.3.4 and key "mykey".
> 
> 	OR:
> 		allow-update { 1.2.3.4; key "mykey"; };
> 
> 	AND:
> 		acl permit { 1.2.3.4; ... };
> 		acl denied { !denied; };

	That should be:
 		acl denied { !permit; };

> 		allow-update { !denied; key "mykey"; };
> 
> 	The denied acl may need a "any;" at the end, I'm doing this
> 	from memory.  If there is only one IP address then you can
> 	collapse the permit into the denied.
> 
> 	Mark
> > 
> > Charles A. Bodley
> > Technician
> > TF Logic
> > 
> > "It's amazing what you can do with a kind word,
> > provided you've also got a big stick."
> > - Johnny and the Dead
> --
> Mark Andrews, Nominum Inc.
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
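
The OR and AND forms from the message above, run through a small model of address-match-list evaluation. This is an added example, not part of the original message and not BIND code. It assumes first-match evaluation and that a nested acl which rejects or matches nothing counts as no match for the element that references it; the function names and the address 203.0.113.9 are constructed for illustration.

```python
import ipaddress

# Assumed semantics (simplified model, not BIND source): elements are tried in
# order and the first hit decides; "!" turns a hit into a rejection; a nested
# acl that rejects or matches nothing counts as "no hit" for the outer element.
def match(acl, ip, key, acls):
    """Return True (accept), False (reject) or None (nothing matched)."""
    for elem in acl:
        negate, name = elem.startswith("!"), elem.lstrip("!")
        if name.startswith("key "):
            hit = key == name[4:]
        elif name == "any":
            hit = True
        elif name in acls:
            hit = match(acls[name], ip, key, acls) is True
        else:
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(name)
        if hit:
            return not negate
    return None

def allowed(allow_update, ip, key, acls):
    return match(allow_update, ip, key, acls) is True

OR_FORM = ["1.2.3.4", "key mykey"]    # allow-update { 1.2.3.4; key "mykey"; };
AND_FORM = ["!denied", "key mykey"]   # allow-update { !denied; key "mykey"; };
WITH_ANY = {"permit": ["1.2.3.4"], "denied": ["!permit", "any"]}
WITHOUT_ANY = {"permit": ["1.2.3.4"], "denied": ["!permit"]}
OTHER = "203.0.113.9"                 # constructed client address

def results():
    return {
        "or: right address, no key": allowed(OR_FORM, "1.2.3.4", None, {}),
        "or: other address, key": allowed(OR_FORM, OTHER, "mykey", {}),
        "or: other address, no key": allowed(OR_FORM, OTHER, None, {}),
        "and: right address, key": allowed(AND_FORM, "1.2.3.4", "mykey", WITH_ANY),
        "and: right address, no key": allowed(AND_FORM, "1.2.3.4", None, WITH_ANY),
        "and: other address, key": allowed(AND_FORM, OTHER, "mykey", WITH_ANY),
        "and without any: other address, key":
            allowed(AND_FORM, OTHER, "mykey", WITHOUT_ANY),
    }

if __name__ == "__main__":
    for case, ok in results().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {case}")
```

Under these assumptions, dropping the trailing "any;" from the denied acl lets a client at any other address through as long as it holds the key, so the AND is no longer enforced.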

