nsupdate ACL based on a key AND ip-subnet

Jonathan Petersson jpetersson at garnser.se
Mon Nov 17 00:22:44 UTC 2008


On Sun, Nov 16, 2008 at 1:28 PM, Chris Thompson <cet1 at cam.ac.uk> wrote:

> On Nov 14 2008, blrmaani wrote:
>
>> I use BIND 9.2 on Linux.
>
> Horribly old. But I doubt whether anything has changed in the ACL logic
> since then.
>
>> I was experimenting with a feature to allow
>> dynamic updates based on
>> BOTH the following:
>> 1. Secret key ( TSIG )
>> 2. Subnet.
>>
>> Unfortunately, I realized that we can specify only one of the above in
>> allow-update {} ACL.
>> If I specify both, it doesn't work as expected.
>>
>> Question:
>> 1. Is there a way to achieve this?
>>
> [...]
>
>> here is what I'm expecting:
>>
>> // This should allow update only if the update is from 10/8 subnet AND
>> key matches:
>> allow-update { key "...." ; 10/8; }
>>
>
> That's an OR on the conditions, as Chris Buxton writes.
> But you *can* do what you want, provided you have a copious supply of iced
> drinks to keep you calm while trying to work out the consequences of using
> negations in ACLs. If I have it right, the following works:
>
>  allow-update { !{!10/8;any;}; key update-key; };


Wouldn't this still permit any client on the 10/8 subnet to update the
zones?
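A worked model of how that ACL evaluates, added here as an illustration and not code from BIND or from anyone in the thread. It implements the first-match rules described in BIND's ACL documentation and code (a negated match denies, no match denies, and a nested ACL that matches negatively counts as "no match" in the enclosing list), then runs the quoted `!{!10/8;any;}; key update-key;` ACL and the original poster's OR form over four constructed clients; `update-key` and 10/8 come from the thread, the client addresses are made up.

```python
import ipaddress

# Constructed model of BIND address_match_list evaluation (not BIND's code).
# Rules assumed, per the BIND ARM / acl.c: elements are tried in order and the
# first that matches decides; a negated element that matches means deny; no
# match means deny; a nested ACL that matches negatively is treated by the
# enclosing list as "no match", so it falls through to the next element.
#
# An ACL is a list of (negated, element); an element is a CIDR string, "any",
# ("key", name) for the TSIG signer, or a nested ACL (a list).

def element_matches(addr, signer, element):
    if isinstance(element, list):        # nested ACL: only a positive match counts
        return acl_match(addr, signer, element) > 0
    if element == "any":
        return True
    if isinstance(element, tuple) and element[0] == "key":
        return signer == element[1]      # TSIG key name the update was signed with
    return addr in ipaddress.ip_network(element, strict=False)

def acl_match(addr, signer, acl):
    """Return +1 (positive match), -1 (negative match) or 0 (no match)."""
    for negated, element in acl:
        if element_matches(addr, signer, element):
            return -1 if negated else 1
    return 0

def update_allowed(addr, signer, acl):
    return acl_match(ipaddress.ip_address(addr), signer, acl) > 0

# allow-update { !{!10/8; any;}; key update-key; };   (Chris Thompson's AND form)
AND_ACL = [
    (True, [(True, "10.0.0.0/8"), (False, "any")]),
    (False, ("key", "update-key")),
]

# allow-update { key update-key; 10/8; };              (original poster's OR form)
OR_ACL = [(False, ("key", "update-key")), (False, "10.0.0.0/8")]

def truth_table(acl):
    """Constructed clients: inside/outside 10/8, with/without the TSIG key."""
    cases = [("10.1.2.3", "update-key"), ("10.1.2.3", None),
             ("192.0.2.7", "update-key"), ("192.0.2.7", None)]
    return {(a, s): update_allowed(a, s, acl) for a, s in cases}

if __name__ == "__main__":
    for name, acl in (("AND", AND_ACL), ("OR", OR_ACL)):
        print(name, truth_table(acl))
```

With these rules an unsigned update from 10/8 makes the nested ACL match negatively, which the outer list treats as no match, so evaluation falls through to `key update-key` and is denied there; only a signed update from 10/8 is accepted.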