View selection via TSIG

Josh Paetzel josh at tcbug.org
Wed Aug 19 23:48:47 UTC 2009


On Aug 19, 2009, at 6:30 PM, Mark Andrews wrote:
>>
>> Thanks.  That worked, and I was quickly able to see what I was doing
>> wrong.  My primary nameserver was matching an IP in one of the
>> views.   So all the notifies were seen by slave as being in that one
>> view.  IPs override keys.
>
> ACL matches are order sensitive.  The !key is in the examples to prevent
> the signed message matching the view and moving onto the next one.


Ok, that makes even more sense.  I was getting what appeared to be  
very non-deterministic behavior, but well, of course, once you know  
the rules it makes a lot of sense.


In my case with multiple views and multiple keys..

{ subnet A; key A; };
{ subnet B; key B; };
{ subnet C; key C; };
{ subnet D; key D; };

If the server was in subnet C, and used key A or B it would work fine,  
but just by coincidence.  Key C would work too, once again, by  
coincidence...but key D...boom.

Anyways, it's working great now.  Thanks to everyone who helped.

Thanks,

Josh Paetzel
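
The behaviour described in this message, as an added example that is not part of the original post: a simplified Python model of ordered, first-match view selection, run once against the `{ subnet X; key X; }` layout and once with the other views' keys negated ahead of the subnet. The subnets, the source address and the helper names are constructed for illustration, and the model assumes the rule stated in the thread (views and ACL elements are tried in order, and a matching `!` element rejects).

```python
import ipaddress

# Constructed sample data: one documentation-range subnet per view A..D.
SUBNETS = {"A": "192.0.2.0/26", "B": "192.0.2.64/26",
           "C": "192.0.2.128/26", "D": "192.0.2.192/26"}

def element_matches(elem, src, key):
    """True if one ACL element (negation already stripped) matches the request."""
    if elem.startswith("key "):
        return key == elem[4:]
    return ipaddress.ip_address(src) in ipaddress.ip_network(elem)

def acl_accepts(acl, src, key):
    """The first matching element decides; a leading '!' makes that match a reject."""
    for elem in acl:
        negated = elem.startswith("!")
        if element_matches(elem.lstrip("!"), src, key):
            return not negated
    return False

def select_view(views, src, key):
    """Views are tried in order; the first whose match-clients accepts wins."""
    for name, acl in views:
        if acl_accepts(acl, src, key):
            return name
    return None

# Layout from the post: { subnet X; key X; } for each view.
naive = [(v, [SUBNETS[v], f"key {v}"]) for v in "ABCD"]

# Same views with every other view's key negated before the subnet.
fixed = [(v, [f"!key {o}" for o in "ABCD" if o != v] + [SUBNETS[v], f"key {v}"])
         for v in "ABCD"]

def results(views, src="192.0.2.130"):
    """View selected for each key when the sender sits in subnet C."""
    return {k: select_view(views, src, k) for k in "ABCD"}

if __name__ == "__main__":
    print("naive:", results(naive))
    print("fixed:", results(fixed))
```

In the naive layout a message from subnet C signed with key D lands in view C because the subnet element matches before view D is ever consulted; with the negations in place each key selects its own view regardless of source address.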



