Lars Kulseng <larskuls...@gmail.com> wrote:
>
> I wasn't aware that the ACL-clause could include TSIG-keys as well as
> IP-addresses. So far I've been using the masters-clause to make the actual
> list of servers and keys, but also using the server-clause. Perhaps the
> server-clause is unnecessary, and I can simply refer to a defined key and
> an IP-address in a masters-clause and use this as the ACL?

In my setup, I don't have any awkward network topology that requires me to
configure source addresses, and I don't need any of the weird protocol
tweaks that server{} clauses can specify. So the only thing that I can
usefully put in a server{} clause is a TSIG key name.

I reckon that it's slightly neater to just list the TSIG key next to the
server address in the masters{} clause. This choice means my config tends
to repeat key names more and repeat IP addresses less.

There's still some repetition though, because ACLs are completely separate
from masters{} lists - you can't refer to a masters{} list in an ACL :-/
(This limitation is to do with an ACL entry being an address OR a key,
whereas a masters entry is an address AND a key.)

The repetition tends to occur where we have bidirectional secondarying, so
there's a masters clause for zones we secondary and an allow-transfer
clause for zones they secondary. There can also be repetition between
allow-transfer and also-notify lists. But it can be minimized by using
TSIG instead of addresses in ACLs.

> Something I was considering, was to place an also-notify option in the zone
> on S1 and S2, where I would refer to a masters-clause "rpz-endpoints". This
> list also refers the TSIG-key for the external transfers. I would also put
> a "notify explicit" option. This way, I don't have to rely on NS-entries in
> the zone.

Yes that would make a lot more sense.

OK, to make this a bit more specific (because I feel I was waving my hands
too much above) I'd do something like the following

        # on the master

        acl internal {
                key tsig-xfer;
                # include other privileged clients here
        };
        zone myrpz {
                type master;
                file "myrpz";
                update-policy local;
                allow-query { internal; };
                allow-transfer { internal; };
        };

        # on the secondaries (the acl internal {...} block from above is
        # needed here as well, since the zone below refers to it)

        masters master {
                192.0.2.4 key tsig-xfer;
        };
        masters notify-consumers {
                111.222.333.444 key consumer-1;
                555.666.777.888 key consumer-2;
                # and so on, et cetera, ad nauseam
        };
        acl consumers {
                key consumer-1;
                key consumer-2;
                # and so on, et cetera, ad nauseam
        };
        zone myrpz {
                type slave;
                file "myrpz";
                masters { master; };
                also-notify { notify-consumers; };
                allow-query { internal; consumers; };
                allow-transfer { internal; consumers; };
        };
Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Wight, Portland: Variable, becoming south, 3 or 4, occasionally 5 later.
Smooth or slight. Fair. Good.
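An added check for the repetition Tony describes above (this is not code from the thread or from BIND): because key names get copied by hand between masters{} lists and acl{} lists, the script scans a named.conf fragment for key names referenced without a matching key{} definition, and for ACLs that still rely on bare addresses rather than TSIG. The sample fragment is constructed from the secondaries' config in the post; the key{} blocks, their secrets and the missing consumer-2 definition are assumptions.

```python
import re

# Constructed sample named.conf fragment, modelled on the secondaries' config
# from the post. The key{} blocks are assumed (the post never shows them), and
# consumer-2 is deliberately left undefined to exercise the check.
SAMPLE_CONF = """
key tsig-xfer  { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64"; };
key consumer-1 { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64"; };
masters master { 192.0.2.4 key tsig-xfer; };
masters notify-consumers {
        111.222.333.444 key consumer-1;
        555.666.777.888 key consumer-2;
};
acl consumers { key consumer-1; key consumer-2; };
acl internal { 192.0.2.0/24; key tsig-xfer; };
"""

def strip_comments(conf):
    # named.conf allows '#', '//' and '/* */' comments; drop them before scanning.
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(#|//).*", "", conf)

def is_address(entry):
    # True for a bare IPv4/IPv6 address or prefix (optionally negated with '!').
    e = entry.lstrip("!").strip()
    v4 = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?", e)
    v6 = ":" in e and re.fullmatch(r"[0-9a-fA-F:]+(/\d{1,3})?", e)
    return bool(v4 or v6)

def audit_tsig_usage(conf):
    """Return (undefined_keys, address_acls):
    undefined_keys - key names used in acl{}/masters{} with no key{} block,
    address_acls   - acl name -> address-only entries, the ones the thread
                     suggests replacing with TSIG key entries where possible."""
    conf = strip_comments(conf)
    defined = set(re.findall(r"\bkey\s+([\w.-]+)\s*\{", conf))
    referenced = set(re.findall(r"\bkey\s+([\w.-]+)\s*;", conf))
    address_acls = {}
    for name, body in re.findall(r"\bacl\s+([\w.-]+)\s*\{([^}]*)\}", conf):
        addrs = [x.strip() for x in body.split(";") if is_address(x)]
        if addrs:
            address_acls[name] = addrs
    return sorted(referenced - defined), address_acls

if __name__ == "__main__":
    missing, addr_acls = audit_tsig_usage(SAMPLE_CONF)
    print("keys referenced but never defined:", missing)
    print("ACLs that still rely on bare addresses:", addr_acls)
```

Run it against the real named.conf before named-checkconf; the undefined-key case is the one that otherwise only surfaces when a transfer silently fails.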

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users