Clarification of Xfrout transfer_acl entries at different scopes

Spain, Dr. Jeffry A. spainj at countryday.net
Sat Feb 4 19:22:58 UTC 2012


I configured five test zones on a bind10-devel-20120119 authoritative server and am setting them up for outbound zone transfer to a bind 9.9.0rc2 server for DNSSEC inline signing. Initially I configured a transfer_acl for each zone, but since they are all the same, it probably makes more sense to configure a transfer_acl globally. Here's where I get confused. Shown below are what appear to be different transfer_acl entries at three different scopes: Xfrout global, Xfrout/zone_config global, and Xfrout/zone_config[i] zone list element.

> config show Xfrout/transfer_acl
Xfrout/transfer_acl[0]  {"action": "REJECT"}    any

> config show Xfrout/zone_config/transfer_acl
Xfrout/zone_config/transfer_acl[0]      {"action": "ACCEPT"}    any     (default)

> config show Xfrout/zone_config[0]/transfer_acl
Xfrout/zone_config[0]/transfer_acl[0]   {"action": "ACCEPT", "from": "10.1.88.13", "key": "nsb0-nsb0s"} any
Xfrout/zone_config[0]/transfer_acl[1]   {"action": "ACCEPT", "from": "2001:4870:20ca:158:383e:4365:e3fe:ef7e", "key": "nsb0-nsb0s"}    any

The first and third ones are described in the bind10 guide, but the second is not. Furthermore, the second one seems to be setting up outbound zone transfers to be wide open. Would you please comment on what the second transfer_acl does and how it interacts with the other two? Thanks. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

