tsig question

raf bind at raf.org
Fri Aug 20 11:33:01 UTC 2021


I want to use TSIG for zone transfers,
only allowing zone transfers to
particular IP addresses if they
possess the TSIG shared secret.

The documentation at:


has this section:

  5.5.4. TSIG-Based Access Control

which gives this relevant but non-obvious example:

  allow-update { !{ !localnets; any; }; key host1-host2. ;};

which somehow means localnets *and* possesses the shared secret.

I've found old tutorials online that recommend:

  allow-update { key "KEYNAME"; };

Because (they say) including the IP address (no mention
of nested negative boolean logic) allows the transfer
if *either* the address matches *or* the key is known.

To do what I want, do I need to have this:

  allow-transfer { !{ !IPADDR; any; }; key KEYNAME; };

where IPADDR is the address(es) of the secondary
(or the name of an acl containing the address(es)
of the secondary)?

And if so, do I really want to? I'd like to, but
that syntax is a bit gross. Maybe I'm being silly.
Maybe I should just rely on the possession of the key.


More information about the bind-users mailing list