nsupdate ACL based on a key AND ip-subnet

Mark Andrews Mark_Andrews at isc.org
Sun Nov 16 15:35:32 UTC 2008



	// Addresses that are allowed to update at all.
	acl address_allow { 10/8; };
	// Matches everything outside address_allow (a match on a negated element is a deny).
	acl address_reject { !address_allow; any; };
	// Outside 10/8 is denied outright; inside 10/8 still needs the TSIG key.
	allow-update { !address_reject; key "...."; };
	
In message <DF2D19AC-68DD-47CA-8CB1-3F43A7D6A117 at menandmice.com>, Chris Buxton 
writes:
> On Nov 14, 2008, at 12:40 PM, blrmaani wrote:
> > All,
> >  I use BIND 9.2 on Linux. I was experimenting with a feature to allow
> > dynamic updates based on
> > BOTH the following:
> > 1. Secret key ( TSIG )
> > 2. Subnet.
> >
> > Unfortunately, I realized that we can specify only one of the above in
> > allow-update {} ACL.
> > If I specify both, it doesn't work as expected.
> >
> > Question:
> > 1. Is there a way to achieve this?
> 
> Use a firewall (with deep packet inspection) to restrict by subnet.  
> Then use the TSIG key in the allow-update statement.
> 
> Unfortunately, to my knowledge, that's the only way to do this.
> 
> > 2. Is this feature part of BIND 9.3, 9.4, 9.5 or 9.6 ( I haven't found
> > anything related to this in the documentation
> > for these versions. )
> 
> No. The first item in the list that matches, matches. No other entry  
> is considered.
> 
> > 3. If it is already supported in BIND 9.2, I'd appreciate if anyone
> > can point me to the right documentation.
> >
> > here is what I'm expecting:
> >
> > // This should allow update only if the update is from 10/8 subnet AND
> > key matches:
> > allow-update { key "...." ; 10/8; }
> 
> An ACL in BIND is an "or" list - the packet being filtered only has to  
> pass any one test in the list.
> 
> Chris Buxton
> Professional Services
> Men & Mice
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
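The following is an added example, not part of Mark's post or of ISC's code: a small Python model of how BIND evaluates an address match list, used to check that the nested-negation trick above really yields "in 10/8 AND signed with the key", whereas the flat list the original poster tried yields "in 10/8 OR signed". The evaluation rules are stated as assumptions in the comments (first matching element decides; a match on a negated element is a negative match, i.e. deny; a nested list that ends in a negative match counts as no match for the outer list). The key name "update-key", the source addresses and the use of the long form 10.0.0.0/8 in place of BIND's 10/8 shorthand are placeholders for the example only.

```python
from ipaddress import ip_address, ip_network

# Outcomes of evaluating one address match list.
MATCH, NO_MATCH, NEGATIVE = 1, 0, -1


def element(kind, value=None, negate=False):
    """One list element: kind is 'net', 'key', 'any' or 'acl' (a named nested list)."""
    return {"kind": kind, "value": value, "negate": negate}


def match_element(elem, src, signer, acls):
    """Does this element (before applying its own '!') match the request?"""
    kind = elem["kind"]
    if kind == "any":
        return True
    if kind == "net":
        return src in ip_network(elem["value"])
    if kind == "key":
        # A key element matches only a request signed with that TSIG key.
        return signer is not None and signer == elem["value"]
    if kind == "acl":
        # Assumption (modelled BIND rule): a nested list that ends in a negative
        # match is treated by the outer list as "no match", so a negated nested
        # list never turns into a surprise positive match.
        return evaluate(acls[elem["value"]], src, signer, acls) == MATCH
    raise ValueError(kind)


def evaluate(elements, src, signer, acls):
    """First matching element decides; matching a negated element is a negative match."""
    for elem in elements:
        if match_element(elem, src, signer, acls):
            return NEGATIVE if elem["negate"] else MATCH
    return NO_MATCH


def update_allowed(allow_update, src, signer, acls):
    """allow-update grants access only on a positive match; no match is a deny."""
    return evaluate(allow_update, ip_address(src), signer, acls) == MATCH


# Mark's configuration transcribed into the model (key name is a placeholder).
ACLS = {
    "address_allow": [element("net", "10.0.0.0/8")],
    "address_reject": [element("acl", "address_allow", negate=True), element("any")],
}
ALLOW_UPDATE = [
    element("acl", "address_reject", negate=True),
    element("key", "update-key"),
]

# The flat list the original poster expected to act as an AND (it is an OR).
NAIVE_ALLOW_UPDATE = [element("key", "update-key"), element("net", "10.0.0.0/8")]


def truth_table(allow_update):
    """Decision for the four (source, signer) combinations that matter; constructed cases."""
    cases = [
        ("10.1.2.3", "update-key"),   # inside 10/8, signed
        ("10.1.2.3", None),           # inside 10/8, unsigned
        ("192.0.2.7", "update-key"),  # outside 10/8, signed
        ("192.0.2.7", None),          # outside 10/8, unsigned
    ]
    return {c: update_allowed(allow_update, c[0], c[1], ACLS) for c in cases}


if __name__ == "__main__":
    for name, acl in (("nested negation", ALLOW_UPDATE), ("flat list", NAIVE_ALLOW_UPDATE)):
        print(name)
        for (src, signer), ok in truth_table(acl).items():
            print(f"  {src:<10} signer={signer!s:<11} -> {'allow' if ok else 'deny'}")
```

Walking the nested version through for a signed update from 10.1.2.3: address_reject hits its negated element and ends in a negative match, which the outer list treats as no match, so evaluation falls through to the key element and succeeds. For 192.0.2.7, address_reject matches positively via "any", so "!address_reject" is a negated match and the update is denied before the key is ever consulted.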


