Lars Kulseng <larskuls...@gmail.com> wrote:
>
> I wasn't aware that the ACL-clause could include TSIG-keys as well as
> IP-addresses. So far I've been using the masters-clause to make the actual
> list of servers and keys, but also using the server-clause. Perhaps the
> server-clause is unnecessary, and I can simply refer to a defined key and
> an IP-address in a masters-clause and use this as the ACL?
In my setup, I don't have any awkward network topology that requires me to configure source addresses, and I don't need any of the weird protocol tweaks that server{} clauses can specify. So the only thing that I can usefully put in a server{} clause is a TSIG key name. I reckon that it's slightly neater to just list the TSIG key next to the server address in the masters{} clause.

This choice means my config tends to repeat key names more and repeat IP addresses less. There's still some repetition though, because ACLs are completely separate from masters{} lists - you can't refer to a masters{} list in an ACL :-/ (This limitation is to do with an ACL entry being an address OR a key, whereas a masters entry is an address AND a key.)

The repetition tends to occur where we have bidirectional secondarying, so there's a masters clause for zones we secondary and an allow-transfer clause for zones they secondary. There can also be repetition between allow-transfer and also-notify lists. But it can be minimized by using TSIG instead of addresses in ACLs.

> Something I was considering, was to place an also-notify option in the zone
> on S1 and S2, where I would refer to a masters-clause "rpz-endpoints". This
> list also refers the TSIG-key for the external transfers. I would also put
> a "notify explicit" option. This way, I don't have to rely on NS-entries in
> the zone.

Yes that would make a lot more sense.
OK, to make this a bit more specific (because I feel I was waving my hands too much above) I'd do something like the following:

    # on the master

    acl internal {
        key tsig-xfer;
        # include other privileged clients here
    };

    zone myrpz {
        type master;
        file "myrpz";
        update-policy local;
        allow-query { internal; };
        allow-transfer { internal; };
    };

    # on the secondaries (the "internal" acl above is assumed to be defined here too)

    masters master {
        192.0.2.4 key tsig-xfer;
    };

    masters notify-consumers {
        111.222.333.444 key consumer-1;   # placeholder addresses
        555.666.777.888 key consumer-2;
        # usw et cetera ad nauseam
    };

    acl consumers {
        key consumer-1;
        key consumer-2;
        # usw et cetera ad nauseam
    };

    zone myrpz {
        type slave;
        file "myrpz";
        masters { master; };
        also-notify { notify-consumers; };
        # add "notify explicit;" here to notify only the also-notify list, not the zone's NS records
        allow-query { internal; consumers; };
        allow-transfer { internal; consumers; };
    };

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Wight, Portland: Variable, becoming south, 3 or 4, occasionally 5 later. Smooth or slight. Fair. Good.
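A small drift check for the repetition Tony describes (masters{} lists and ACLs being separate, so a consumer's TSIG key has to appear in both), as an added example that is not part of the thread. It parses a constructed named.conf fragment in the shape of his secondary config and compares the keys reached through also-notify with those permitted by allow-transfer; the block regexes are a simplification, not BIND's real grammar, and the sample key names are made up.

```python
import re

# Constructed named.conf fragment shaped like the secondary config in the thread,
# with deliberate drift: consumer-3 is notified but may not transfer, and
# consumer-9 may transfer but is never notified. "internal" is left undefined.
SAMPLE_CONF = """
masters notify-consumers {
    192.0.2.10 key consumer-1;
    192.0.2.11 key consumer-2;
    192.0.2.12 key consumer-3;
};
acl consumers {
    key consumer-1;
    key consumer-2;
    key consumer-9;
};
zone myrpz {
    type slave;
    also-notify { notify-consumers; };
    allow-transfer { internal; consumers; };
};
"""

# Top-level "masters NAME { ... };", "acl NAME { ... };" and "zone NAME { ... };" blocks.
BLOCK_RE = re.compile(r'^\s*(masters|acl|zone)\s+"?([\w.-]+)"?\s*\{(.*?)^\s*\};', re.S | re.M)
# "key NAME;" entries, valid both in acl{} bodies and after an address in masters{}.
KEY_RE = re.compile(r'\bkey\s+([\w.-]+)\s*;')

def parse_blocks(conf):
    """Return {'masters': {name: keys}, 'acl': {name: keys}, 'zone': {name: body}}."""
    out = {"masters": {}, "acl": {}, "zone": {}}
    for kind, name, body in BLOCK_RE.findall(conf):
        out[kind][name] = body if kind == "zone" else set(KEY_RE.findall(body))
    return out

def list_refs(body, option):
    """Names referenced inside 'option { a; b; };' within a zone body."""
    m = re.search(option + r'\s*\{([^}]*)\}', body)
    return [n.strip() for n in m.group(1).split(';') if n.strip()] if m else []

def check_zone(conf, zone):
    """Compare TSIG keys notified via also-notify with keys allowed by allow-transfer.
    Undefined list/acl names contribute no keys. Returns two sorted lists:
    (notified but not allowed to transfer, allowed to transfer but never notified)."""
    blocks = parse_blocks(conf)
    body = blocks["zone"][zone]
    notified = set().union(*(blocks["masters"].get(n, set()) for n in list_refs(body, "also-notify")))
    allowed = set().union(*(blocks["acl"].get(n, set()) for n in list_refs(body, "allow-transfer")))
    return sorted(notified - allowed), sorted(allowed - notified)

if __name__ == "__main__":
    print(check_zone(SAMPLE_CONF, "myrpz"))  # (['consumer-3'], ['consumer-9'])
```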