On Fri, Aug 20, 2021 at 09:33:01PM +1000, raf via bind-users <bind-users@lists.isc.org> wrote:
> Hi,
>
> I want to use TSIG for zone transfers,
> only allowing zone transfers to
> particular IP addresses if they
> possess the TSIG shared secret.
>
> The documentation at:
>
>   https://bind9.readthedocs.io/en/latest/advanced.html
>
> has this section:
>
>   5.5.4. TSIG-Based Access Control
>
> which gives this relevant but non-obvious example:
>
>   allow-update { !{ !localnets; any; }; key host1-host2. ;};
>
> which somehow means localnets *and* possesses the shared secret.
>
> I've found old tutorials online that recommend:
>
>   allow-update { key "KEYNAME"; };
>
> Because (they say) including the IP address (no mention
> of nested negative boolean logic) allows the transfer
> if *either* the address matches *or* the key is known.
>
> To do what I want, do I need to have this:
>
>   allow-transfer { !{ !IPADDR; any; }; key KEYNAME; };
>
> where IPADDR is the address(es) of the secondary
> (or the name of an acl containing the address(es)
> of the secondary)?
>
> And if so, do I really want to? I'd like to, but
> that syntax is a bit gross. Maybe I'm being silly.
> Maybe I should just rely on the possession of the key.
> Thoughts?

Does this mean what I want?

  allow-transfer { !{ !IPADDR; !key KEYNAME; }; };

meaning: not (not ipaddr or not possesses shared secret)
meaning: ipaddr and possess shared secret

cheers,
raf
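To make the first-match semantics concrete, here is a small Python model of how BIND evaluates an address match list (an added example, not BIND's code and not from anyone in the thread). It follows the rule in BIND's lib/dns/acl.c that a negative match inside a nested list counts as "no match" rather than as a double-negated allow, and it evaluates the documented form, the key-only form, the either-or form and the double-negated proposal from the message above; the secondary address and key name are constructed values.

```python
from dataclasses import dataclass
from typing import Any

@dataclass
class Elem:
    """One address-match-list element: an address set, a key, 'any', or a nested list."""
    kind: str                 # "addr", "key", "any" or "nested"
    value: Any = None         # set of addresses, key name, or list of Elem
    negated: bool = False     # leading "!" in named.conf

def _hits(e, src_addr, src_key):
    if e.kind == "any":
        return True
    if e.kind == "addr":
        return src_addr in e.value
    if e.kind == "key":
        return src_key == e.value
    # Nested list: only a *positive* inner match counts; a negative inner match
    # is treated as "no match" (BIND lib/dns/acl.c), so !{ !x; } never allows x.
    return match_list(e.value, src_addr, src_key) > 0

def match_list(elems, src_addr, src_key):
    """First match wins: +1 allow, -1 deny, 0 no match (denied by default)."""
    for e in elems:
        if _hits(e, src_addr, src_key):
            return -1 if e.negated else 1
    return 0

def allowed(acl, src_addr, src_key):
    return match_list(acl, src_addr, src_key) > 0

# Constructed values: one secondary address and one TSIG key name.
SECONDARY = {"192.0.2.10"}
KEY = "xfer-key"
# allow-transfer { !{ !SECONDARY; any; }; key xfer-key; };   (documented form)
DOC_STYLE = [Elem("nested", [Elem("addr", SECONDARY, True), Elem("any")], True),
             Elem("key", KEY)]
# allow-transfer { key xfer-key; };
KEY_ONLY = [Elem("key", KEY)]
# allow-transfer { SECONDARY; key xfer-key; };   (either address or key)
EITHER = [Elem("addr", SECONDARY), Elem("key", KEY)]
# allow-transfer { !{ !SECONDARY; !key xfer-key; }; };   (double-negation proposal)
DOUBLE_NEG = [Elem("nested", [Elem("addr", SECONDARY, True), Elem("key", KEY, True)], True)]

def truth_table(acl):
    """Allowed? for each (source address, key) combination."""
    return {(a, k): allowed(acl, a, k)
            for a in ("192.0.2.10", "198.51.100.7") for k in (KEY, None)}
```

Under these semantics the documented `!{ !addr; any; }; key` form yields exactly address AND key, while the double-negated list matches nobody, because the inner negative matches are discarded instead of being inverted.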