Given that you control your key distribution correctly and safely, would the following work?

    allow-transfer { key key-slave-1; key key-slave-2; };

Only relevant slaves have the various keys, so do you need to have the IPs mentioned here?

On 05/12/10 18:10, pgngw+dev001+bind-us...@f-m.fm wrote:
> i've bind9 running as a primaryhost to a number of bind-andb-other
> slaves.
>
> i'm trying to set up to use different TSIG keys with different
> secondaries.
>
> in my named.conf, i've
>
> ...
> acl acl_slave_1 { 1.1.1.1; };
> acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; };
> ...
> zone "test.com" {
> type master; file "/master/test.com.hosts";
> allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
> !{!acl_slave_2;}; key key-slave-2; }; };
> allow-update { none; };
> };
> ...
> key "key-slave-1" { algorithm hmac-md5; secret "Cf...g=="; };
> key "key-slave-2" { algorithm hmac-md5; secret "rl...8=="; };
>
> in this conf, IXFR to 1.1.1.1 with TSIG works as expected. but, *NO*
> IXFR occurs to any slave in acl_slave_2{}.
>
> if, however, I change to
>
> --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
> !{!acl_slave_2;}; key key-slave-2; }; };
> +++ allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
> !{!2.2.2.2;}; key key-slave-2; }; };
>
> IXFR to 1.1.1.1 & 2.2.2.2 both occur OK with TSIG.
>
> also, with
>
> --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
> !{!acl_slave_2;}; key key-slave-2; }; };
> --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; };
> acl_slave_2; };
>
> IXFR to 1.1.1.1 with TSIG & to all slaves in acl_slave_2{}, without
> TSIG, both occur OK.
>
> what's the right syntax for enabling IXFR to the entire TSIG- &
> IP-restricted set of hosts in acl_slave_2{}?
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"