Hi,

I want to use TSIG for zone transfers,
only allowing zone transfers to
particular IP addresses if they
possess the TSIG shared secret.

The documentation at:

  https://bind9.readthedocs.io/en/latest/advanced.html

has this section:

  5.5.4. TSIG-Based Access Control

which gives this relevant but non-obvious example:

  allow-update { !{ !localnets; any; }; key host1-host2. ;};

which somehow means localnets *and* possesses the shared secret.

I've found old tutorials online that recommend:

  allow-update { key "KEYNAME"; };

Because (they say) including the IP address (no mention
of nested negative boolean logic) allows the transfer
if *either* the address matches *or* the key is known.

To do what I want, do I need to have this:

  allow-transfer { !{ !IPADDR; any; }; key KEYNAME; };

where IPADDR is the address(es) of the secondary
(or the name of an acl containing the address(es)
of the secondary)?

And if so, do I really want to? I'd like to, but
that syntax is a bit gross. Maybe I'm being silly.
Maybe I should just rely on the possession of the key.
Thoughts?

cheers,
raf
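
As an added example that is not part of the original post or of the BIND documentation, the configuration below puts the two forms side by side on a primary and shows the secondary-side piece that makes the request signed. The key name `xfer-key`, the secret placeholder, the acl name `secondaries`, the addresses and the zone name are all constructed; the comments walk through how BIND evaluates each element of the address match list, following the first-match rule and the rule that a negative match inside a nested list counts as "no match" for the enclosing list.

```conf
# ---- primary: named.conf (constructed example, not from the post) ----

# Generate the secret with: tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # placeholder
};

# Addresses the secondaries transfer from (constructed)
acl "secondaries" {
    192.0.2.53;
    2001:db8::53;
};

options {
    # Deny transfers globally; enable them per zone below.
    allow-transfer { none; };
};

zone "example.com" {
    type primary;
    file "zones/example.com.db";

    # Weak form, as in the old tutorials: first match wins, so a request
    # from a secondary address is allowed even when unsigned, and a request
    # signed with the key is allowed from anywhere.  This is OR, not AND.
    # allow-transfer { secondaries; key "xfer-key"; };

    # AND form, same shape as the ARM's TSIG-based access control example:
    #
    # element 1: !{ !secondaries; any; }
    #   - a secondary address matches the inner "!secondaries"; that is a
    #     negative match inside a nested list, which the enclosing list
    #     treats as no match, so evaluation moves on to element 2;
    #   - any other address matches the inner "any", so the outer, negated
    #     element matches and the request is denied right here.
    # element 2: key "xfer-key"
    #   - only a secondary address gets this far; it is allowed only if the
    #     request carries a valid signature with this key, otherwise the
    #     list ends without a match and the transfer is refused.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
};

# ---- secondary: named.conf (constructed example) ----

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # same secret as the primary
};

# Sign every request sent to the primary with the shared key.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type secondary;
    primaries { 192.0.2.1; };
    file "zones/example.com.db";
};
```

To check the result, run an AXFR against the primary four ways: signed and unsigned from a secondary address, signed and unsigned from some other address (`dig @192.0.2.1 example.com AXFR` with and without `-k` pointing at the key file). Only the signed request from a listed secondary should succeed; the other three should be refused. Dropping the nested negation and writing the plain two-element list turns this into the OR behaviour, which is the difference the post is asking about.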


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
