nsupdate ACL based on a key AND ip-subnet
Mark Andrews
Mark_Andrews at isc.org
Sun Nov 16 15:35:32 UTC 2008
acl address_allow { 10/8; };
acl address_reject { !address_allow; any; };
allow-update { !address_reject; key "...."; };
In message <DF2D19AC-68DD-47CA-8CB1-3F43A7D6A117 at menandmice.com>, Chris Buxton
writes:
> On Nov 14, 2008, at 12:40 PM, blrmaani wrote:
> > All,
> > I use BIND 9.2 on Linux. I was experimenting with a feature to allow
> > dynamic updates based on
> > BOTH the following:
> > 1. Secret key ( TSIG )
> > 2. Subnet.
> >
> > Unfortunately, I realized that we can specify only one of the above in
> > allow-update {} ACL.
> > If I specify both, it doesn't work as expected.
> >
> > Question:
> > 1. Is there a way to achieve this?
>
> Use a firewall (with deep packet inspection) to restrict by subnet.
> Then use the TSIG key in the allow-update statement.
>
> Unfortunately, to my knowledge, that's the only way to do this.
>
> > 2. Is this feature part of BIND 9.3, 9.4, 9.5 or 9.6 ( I haven't found
> > anything related to this in the documentation
> > for these versions. )
>
> No. The first item in the list that matches, matches. No other entry
> is considered.
>
> > 3. If it is already supported in BIND 9.2, I'd appreciate if anyone
> > can point me to the right documentation.
> >
> > here is what I'm expecting:
> >
> > // This should allow update only if the update is from 10/8 subnet AND
> > key matches:
> > allow-update { key "...." ; 10/8; }
>
> An ACL in BIND is an "or" list - the packet being filtered only has to
> pass any one test in the list.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
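As an added illustration (not part of this thread), a small Python model of BIND address-match-list evaluation: first match wins, a negated match denies, no match denies, and a negative match inside a nested list counts as no match for the enclosing list (assumed from BIND's documented behaviour; it is the rule the nested-negation trick above relies on). It evaluates the poster's OR list next to the AND construction; the key name "upd-key" and the sample addresses are constructed.

```python
import ipaddress

# An element is (negated, kind, value); kinds mirror BIND address-match-list
# entries: an IP prefix, the literal "any", a TSIG key name, or a nested list.
def net(cidr, neg=False):  return (neg, "net", ipaddress.ip_network(cidr))
def key(name, neg=False):  return (neg, "key", name)
def any_(neg=False):       return (neg, "any", None)
def nested(elems, neg=False): return (neg, "acl", elems)

def match_list(elems, addr, signer):
    """First match wins: +1 positive match, -1 negated match, 0 no match."""
    for neg, kind, value in elems:
        if kind == "net":
            hit = addr in value
        elif kind == "any":
            hit = True
        elif kind == "key":
            hit = signer == value
        else:  # nested list: only a positive inner match counts (assumed BIND rule)
            hit = match_list(value, addr, signer) > 0
        if hit:
            return -1 if neg else 1
    return 0

def update_allowed(acl, addr, signer=None):
    """allow-update semantics: a positive match allows, a negated or no match denies."""
    return match_list(acl, ipaddress.ip_address(addr), signer) > 0

# The poster's attempt: allow-update { key "upd-key"; 10/8; };  (an OR list)
OR_LIST = [key("upd-key"), net("10.0.0.0/8")]

# Mark's construction, expressed with the same building blocks:
#   acl address_allow  { 10/8; };
#   acl address_reject { !address_allow; any; };
#   allow-update { !address_reject; key "upd-key"; };
ADDRESS_ALLOW  = [net("10.0.0.0/8")]
ADDRESS_REJECT = [nested(ADDRESS_ALLOW, neg=True), any_()]
AND_LIST = [nested(ADDRESS_REJECT, neg=True), key("upd-key")]

def truth_table(acl):
    """Map (address, signer) -> allowed? for the four combinations that matter."""
    cases = [("10.1.2.3", "upd-key"), ("10.1.2.3", None),
             ("192.0.2.7", "upd-key"), ("192.0.2.7", None)]
    return {c: update_allowed(acl, *c) for c in cases}

if __name__ == "__main__":  # print both truth tables for comparison
    for name, acl in (("OR list", OR_LIST), ("AND via nested negation", AND_LIST)):
        print(name, truth_table(acl))
```

The OR list lets an unsigned update from 10/8 through; the nested-negation list allows only the signed update from 10/8.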