TSIG should be that way??
Mark.Andrews at nominum.com
Sat Mar 10 00:47:32 UTC 2001
> Ian,
>
> Thank you, but I was just checking the logistics of what you sent,
> this is an "Or" allow-transfer, not an AND logic.
> I was really hoping for something that can give an AND logic.
> What you sent, allows transfer IF you have the key, OR you are slave.
> it's actually less restrictive than my config, and I was looking into making
> it MORE restrictive.
>
> Thank you,
Did you actually try it?
e.g.
transferring from a denied address with the right key.
transferring from an allowed address with the wrong but known key.
transferring from an allowed address with the right key.
Mark
>
>
>
> -----Original Message-----
> From: Ian Watts [mailto:ian at Radix.Net]
> Sent: Friday, March 09, 2001 1:32 PM
> To: Osman Shoukry
> Cc: bind-users at isc.org
> Subject: Re: TSIG should be that way??
>
>
> Osman,
>
> I recently went through this myself. Thanks to other listers, this
> solution was the simplest:
>
> create an acl that blocks your IP address, then block that list for
> updates or transfers:
>
> acl slaves { ! xx.xx.xx.2; any; };
>
> then something like:
>
> zone "test.com" {
>     type master;
>     file "test.com";
>     allow-transfer { ! slaves; key shared-secret.; };
> };
>
>
> -- Ian
>
>
>
>
> On Fri, 9 Mar 2001, Osman Shoukry wrote:
>
> > Hi,
> >
> > I am unable to really understand how the TSIG works, even though I have
> > configured it, but here is what I see. I remove the key from the slave,
> > the transfer of zones goes through.
> > I keep it, the request is signed and the transfer goes through. If I
> > remove the TSIG section from the master, then the transfer fails.
> >
> >
> > How do I forbid transfer unless the request is signed AND coming from the
> > correct IP (or is that not possible)??
> >
> > Here is my current config, maybe there is something I am overlooking..
> >
> >
> >
> > ========== Master Config
> > key shared-secret. {
> >     algorithm hmac-md5;
> >     secret "Mxb8ljzEodY9sUkFi3cSYQ==";
> > };
> >
> > server xx.xx.xx.2 {
> >     transfer-format many-answers;
> >     keys { shared-secret. ; };
> > };
> > acl "slaves" { xx.xx.xx.2; };
> > options {
> >     directory "/var/named";
> >     allow-transfer { none; };
> >     pid-file "/var/run/named.pid";
> > };
> > zone "test.com" {
> >     type master;
> >     file "test.com";
> >     allow-transfer { slaves; };
> > };
> >
> > ========== Slave config
> > key shared-secret. {
> >     algorithm hmac-md5;
> >     secret "Mxb8ljzEodY9sUkFi3cSYQ==";
> > };
> > server xx.xx.xx.1 {
> >     keys { shared-secret. ; };
> > };
> >
> > options {
> >     directory "/var/named";
> >     allow-transfer { none; };
> >     pid-file "/var/run/named.pid";
> > };
> > zone "test.com" {
> >     type slave;
> >     file "test.com";
> >     masters { xx.xx.xx.1; };
> > };
> >
> > Thank you for any help you can offer,
> >
> > Osman Shoukry
> >
> > PS: Please excuse me for reposting this, but I didn't assign a subject,
> > that is why I am reposting.
> >
> >
> >
>
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
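To check the three cases Mark lists (plus the unsigned transfer Osman observed) without a running named, here is an added Python model of how BIND evaluates an address match list; it is not code from the thread or from BIND, and it assumes BIND's rules that the first matching element wins, `!` negates, and a negated match inside a nested ACL counts as "no match" for the enclosing list. The address `xx.xx.xx.9` and the key name `other-key.` are placeholders.

```python
# Simplified model of BIND address-match-list evaluation (not BIND code).
# Elements: ("addr", ip), ("any",), ("key", keyname), ("acl", [elements]);
# any element may be wrapped as ("not", element) to negate it.

def match_list(elements, addr, signer):
    """Return 1 (positive match), -1 (negated match) or 0 (no match)."""
    for elem in elements:
        negative = False
        if elem[0] == "not":
            negative, elem = True, elem[1]
        kind = elem[0]
        if kind == "addr":
            hit = addr == elem[1]
        elif kind == "any":
            hit = True
        elif kind == "key":          # request was TSIG-signed with this key
            hit = signer == elem[1]
        elif kind == "acl":          # nested acl: only a positive match counts
            hit = match_list(elem[1], addr, signer) > 0
        else:
            raise ValueError("unknown element %r" % (kind,))
        if hit:
            return -1 if negative else 1
    return 0

def transfer_allowed(allow_transfer, addr, signer=None):
    """allow-transfer permits the request only on a positive match."""
    return match_list(allow_transfer, addr, signer) > 0

# Osman's master: acl "slaves" { xx.xx.xx.2; }; allow-transfer { slaves; };
OSMAN = [("acl", [("addr", "xx.xx.xx.2")])]
# Ian's suggestion: acl slaves { ! xx.xx.xx.2; any; };
#                   allow-transfer { ! slaves; key shared-secret.; };
IAN_SLAVES = [("not", ("addr", "xx.xx.xx.2")), ("any",)]
IAN = [("not", ("acl", IAN_SLAVES)), ("key", "shared-secret.")]

# Mark's three cases plus the unsigned one Osman reported.
# "xx.xx.xx.9" and "other-key." are constructed placeholders.
CASES = {
    "denied addr, right key":  ("xx.xx.xx.9", "shared-secret."),
    "allowed addr, wrong key": ("xx.xx.xx.2", "other-key."),
    "allowed addr, right key": ("xx.xx.xx.2", "shared-secret."),
    "allowed addr, unsigned":  ("xx.xx.xx.2", None),
}

def run_cases(config):
    return {name: transfer_allowed(config, addr, signer)
            for name, (addr, signer) in CASES.items()}

if __name__ == "__main__":
    for label, cfg in (("Osman", OSMAN), ("Ian", IAN)):
        print(label, run_cases(cfg))
```

Only Ian's list yields address AND key: the negated nested ACL denies every address except xx.xx.xx.2 outright, and that address then still has to match the `key` element.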