On Nov 14 2008, blrmaani wrote:
I use BIND 9.2 on Linux.
Horribly old. But I doubt whether anything has changed in the ACL logic
since then.
I was experimenting with a feature to allow dynamic updates based on BOTH the following:
1. Secret key ( TSIG )
2. Subnet.
Unfortunately, I realized that we can specify only one of the above in
allow-update {} ACL.
If I specify both, it doesn't work as expected.
Question:
1. Is there a way to achieve this?
[...]
here is what I'm expecting:
// This should allow update only if the update is from 10/8 subnet AND
key matches:
allow-update { key "...." ; 10/8; }
That's an OR on the conditions, as Chris Buxton writes.
But you *can* do what you want, provided you have a copious supply of
iced drinks to keep you calm while trying to work out the consequences
of using negations in ACLs. If I have it right, the following works:
allow-update { !{!10/8;any;}; key update-key; };
You could make the inner {} a named ACL if that makes it clearer.
(I have tested an allow-update similar to the above -- using different
IP addresses -- with BIND 9.4.3rc1.)
--
Chris Thompson
Email: [EMAIL PROTECTED]
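To see why the plain list is an OR while the negated nested list gives an AND, here is an added Python model of BIND's address-match-list evaluation (this is illustrative code written for this reply, not code from BIND or from anyone on the thread). It assumes the documented first-match rule, that a `!` element that matches denies, and that a negative match inside a nested list counts as no match at the outer level (the double-negation rule in BIND's acl.c); the prefix `10/8` is spelled out as `10.0.0.0/8`, and the key name `update-key` is taken from the ACL above.

```python
import ipaddress
from dataclasses import dataclass, field

# Minimal model of a BIND address match list (assumption: mirrors the
# first-match semantics described in the ARM; not BIND's own code).

@dataclass
class Net:
    prefix: str            # e.g. "10.0.0.0/8" (BIND shorthand "10/8")
    negated: bool = False

@dataclass
class Key:
    name: str              # matches when the request is TSIG-signed with this key
    negated: bool = False

@dataclass
class Any:
    negated: bool = False

@dataclass
class Nested:
    elements: list = field(default_factory=list)
    negated: bool = False

def match(elements, addr, signer):
    """Return +1 (positive match), -1 (negated match) or 0 (no match).

    The first element that matches decides, as in BIND.
    """
    ip = ipaddress.ip_address(addr)
    for e in elements:
        if isinstance(e, Net):
            hit = ip in ipaddress.ip_network(e.prefix)
        elif isinstance(e, Key):
            hit = signer == e.name
        elif isinstance(e, Any):
            hit = True
        elif isinstance(e, Nested):
            # Assumption (per acl.c comment): a negative match inside a
            # nested list is treated as *no* match, so "!{...}" can never
            # become a surprise allow through double negation.
            hit = match(e.elements, addr, signer) > 0
        else:
            raise TypeError(f"unknown element {e!r}")
        if hit:
            return -1 if e.negated else +1
    return 0

def allowed(acl, addr, signer=None):
    """ACL semantics: only a positive match grants access."""
    return match(acl, addr, signer) > 0

# allow-update { key update-key; 10/8; };   -> either condition suffices
OR_ACL = [Key("update-key"), Net("10.0.0.0/8")]

# allow-update { !{!10/8; any;}; key update-key; };
#   inner list: addresses outside 10/8 hit "any" (positive), so the
#   negated outer element denies them; addresses inside 10/8 hit "!10/8"
#   (negative -> no match), fall through, and must then present the key.
AND_ACL = [Nested([Net("10.0.0.0/8", negated=True), Any()], negated=True),
           Key("update-key")]

def truth_table():
    """Evaluate both ACLs over constructed sample requests."""
    cases = [("10.1.2.3", "update-key"), ("10.1.2.3", None),
             ("192.0.2.1", "update-key"), ("192.0.2.1", None)]
    return {(a, s): (allowed(OR_ACL, a, s), allowed(AND_ACL, a, s))
            for a, s in cases}

if __name__ == "__main__":
    for (addr, signer), (or_res, and_res) in truth_table().items():
        print(f"{addr:10} key={signer!s:10} OR-list={or_res!s:5} AND-list={and_res}")
```

Run it and the table shows the AND list only allowing a request that is both from 10/8 and signed with `update-key`; swapping the order of the two outer elements does not change the result here, but in general element order matters because the first match wins.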
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users