nsupdate ACL based on a key AND ip-subnet

Jonathan Petersson jpetersson at garnser.se
Tue Nov 18 00:59:30 UTC 2008


Yeah it would most likely be a feature request/change.

IIRC update-policy cannot be used in conjunction with the allow-update
statement. Personally I prefer the usage of update-policy, as I can assign
different business units within my organization to take responsibility for
certain records/record types.

As I'm using a multi-view server (public and private IP), I'm concerned that
the update keys used might get compromised (computer stolen or whatever),
thus it would be useful to be able to limit the capability for updates to
specified IP ranges.

This is achieved with the allow-update policy given throughout this
conversation, but as you cannot use them in conjunction with update-policy, I'm
not able to limit certain records/record types to keys.

To put this in a "conf example" I'm thinking something like:

allow-update {
    !{ !10/8; any; };
    update-policy { grant key subdomain dummy.com ALL; };
};

I hope this makes sense.

/Jonathan

On Mon, Nov 17, 2008 at 4:43 PM, Evan Hunt <Evan_Hunt at isc.org> wrote:

>
> > Actually, to take this a step further, is there any remote possibility to
> > combine this with update-policy as well?
>
> I'm not sure what you mean.
>
> I believe you can use allow-updates to filter according to IP address
> and then update-policy to filter according to key; that might be an
> easier way to accomplish the same thing.  I've never done so, but I'd
> expect it to work.  But it sounds like you're asking for a feature
> change... clarify please?
>
> --
> Evan Hunt -- evan_hunt at isc.org
> Internet Systems Consortium, Inc.
>
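Before relying on a nested-negation list like the `!{ !10/8; any; }` Jonathan sketches, it helps to check what it actually admits. The following is an added Python model (not code from the thread or from BIND) of BIND's first-match address_match_list evaluation; it assumes BIND's rule that a negative match inside a nested list counts as "no match" for the enclosing element, and the key name `update-key` and client addresses are constructed for the demonstration.

```python
import ipaddress
import re

def to_network(tok):
    """Expand BIND's short IPv4 prefix form, e.g. 10/8 -> 10.0.0.0/8."""
    addr, _, plen = tok.partition("/")
    if ":" not in addr:
        addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)

def parse_list(tokens, pos):
    """Parse elements after a '{'; return (elements, index just past the '}')."""
    elems = []
    while tokens[pos] != "}":
        neg = tokens[pos] == "!"
        tok, pos = tokens[pos + neg], pos + neg + 1      # step over an optional "!"
        if tok == "{":
            inner, pos = parse_list(tokens, pos)
            elems.append(("nested", inner, neg))
        elif tok.split()[0] == "key":                     # "key <name>" is one token
            elems.append(("key", tok.split()[1], neg))
        elif tok == "any":
            elems.append(("any", None, neg))
        else:
            elems.append(("net", to_network(tok), neg))
        assert tokens[pos] == ";", "every element must end with ';'"
        pos += 1
    return elems, pos + 1

def parse_acl(text):
    """Parse a braced address_match_list into (kind, value, negated) tuples."""
    tokens = re.findall(r"key\s+[^\s{};!]+|[{};!]|[^\s{};!]+", text)
    return parse_list(tokens, 1)[0]

def match(acl, addr, signer):
    """First-match evaluation: +1 allow, -1 deny, 0 nothing matched (= deny)."""
    for kind, value, negated in acl:
        if kind == "nested":
            # Assumed BIND rule: only a positive inner match counts, so a negated
            # nested list can deny but never turns into an allow by double negation.
            hit = match(value, addr, signer) > 0
        else:
            hit = (kind == "any" or (kind == "net" and addr in value)
                   or (kind == "key" and signer == value))
        if hit:
            return -1 if negated else 1
    return 0

def update_allowed(acl_text, client_ip, signer=None):
    """True if a request from client_ip, TSIG-signed by `signer` (None = unsigned), passes."""
    return match(parse_acl(acl_text), ipaddress.ip_address(client_ip), signer) > 0
```

Under this model `{ !{ !10/8; any; }; key update-key; }` rejects everything outside 10/8 first and then still requires the key, whereas the flat `{ 10/8; key update-key; }` is an OR: a stolen key works from any address.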