Views, Zones, keys (2)

Badbanchi Hossein HBadbanchi at Webasto.de
Fri May 26 17:00:17 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A friendly list member suggested that I have a look at the man page
of nsupdate.

I did!

According to the man page, one of the nsupdate commands is of the form:
       key name secret
              Specifies that all updates are to  be  TSIG  signed
              using  the keyname keysecret pair.  The key command
              overrides any key specified on the command line via
              -y or -k.

Because of the match-clients statement of the view, and the allow-update
statement of the zone, I suppose my updates should be TSIG signed using
two keyname keysecret pairs. Right?

Can I have multiple "key name secret" commands in one nsupdate run?

And if yes, will my updates be TSIG signed using all those
keyname keysecret pairs?

Thanks for any help.

Regards,
Amir

- -----Original Message-----
From: Badbanchi Hossein 
Sent: Friday, May 26, 2006 15:11
To: 'bind-users at isc.org'
Subject: Views, Zones, keys (2)

Hi,
Please imagine the following (Split DNS) scenario:
named.conf contains two views with "match-clients" and/or "match-destinations"
with "address_match_lists" only using "key" statements (no IP Address based
"address_match_lists"). Each view has its own key.

Each view contains a zone (say example.org) with different content.

These two zones have their own "allow-update" statements each with a separate
key. Again no IP based ACLs.

My question is:
How can the "nsupdate" program (running from one machine) send updates to each of
the above zones using TSIG keys?

Thanks for any help.

Regards,
Amir

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.0.6

-----END PGP SIGNATURE-----
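
A named.conf fragment for the split-DNS scenario described in the original message, added here as an example and not taken from the post or from the BIND documentation. It assumes each view's key is also the key listed in that zone's allow-update, because nsupdate signs a request with one key (the key command replaces whatever -y or -k supplied); key names, secrets, paths and addresses are constructed placeholders.

```conf
// Constructed example: key names, secrets, file paths and addresses are placeholders.
key "view-a-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_A";
};
key "view-b-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_B";
};

view "a" {
    // A request is placed in this view only if it is TSIG-signed with view-a-key.
    match-clients { key "view-a-key"; };
    zone "example.org" {
        type master;
        file "dynamic/a/example.org.db";
        // Assumption: the key that selected the view is also the update key,
        // so a request signed once passes both checks.
        allow-update { key "view-a-key"; };
    };
};

view "b" {
    match-clients { key "view-b-key"; };
    zone "example.org" {
        type master;
        file "dynamic/b/example.org.db";   // separate file: the content differs per view
        allow-update { key "view-b-key"; };
    };
};

// One nsupdate run per view, each given that view's key with -k:
//   nsupdate -k /etc/bind/keys/view-a.key update-a.txt
//   nsupdate -k /etc/bind/keys/view-b.key update-b.txt
// where update-a.txt (constructed) contains:
//   server 192.0.2.53
//   zone example.org
//   update add host1.example.org. 300 A 192.0.2.10
//   send
```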
