[yadifa-users] key / server association in the acl
Hudec Peter
phudec at cnc.sk
Mon Aug 18 11:51:45 CEST 2014
Hi,
I need to do the following setup on version 1.0.3:
to set up a master with TSIG-authenticated AXFR zone transfers to the slaves, but only to the
slaves and only with their keys.
I had the same problem with ISC BIND, described on my page:
http://blog.hudecof.net/posts/2014/08/10/bind9-axfr-with-tsig-and-acl.html.
<key>
name company-tsig-key01
algorithm hmac-md5
secret QM2N0SAM6Wsnkm+47iMUvA==
</key>
<acl>
slave01 key company-tsig-key01
</acl>
<zone>
domain example.com
file masters/example.com
type master
allow-transfer slave01
</zone>
This setup allows the AXFR from any location when a valid TSIG is
provided.
When I combined the key and IP together I got an error. Actually the error is
one line earlier, with the NEGATION.
<acl>
slaves 192.168.11.64/32
not-slaves ! slaves ; any
company-slaves ! not-slaves ; key company-tsig-key01
</acl>
config: <acl>: ACL_UNEXPECTED_NEGATION ( 'not-slaves' = '! slaves ; any' [] )
config: at /usr/local/yadifa/etc/yadifad.conf:10: ACL_UNEXPECTED_NEGATION)
error: ACL_UNEXPECTED_NEGATION
2014-08-18 11:46:27.631979 | server | E | config: <acl>: ACL_UNEXPECTED_NEGATION ( 'not-slaves' = '! slaves ; any' [] )
2014-08-18 11:46:27.631985 | server | E | config: at /usr/local/yadifa/etc/yadifad.conf:10: ACL_UNEXPECTED_NEGATION)
So the final question: is there any way to allow AXFR only from some
locations?
Best regards
Peter Hudec
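The policy the post is asking for is "TSIG key AND source address", and the first configuration shown grants "TSIG key only", which is why a valid key works from anywhere. The following is an added example, not code from the post or from YADIFA: it does not reproduce YADIFA's ACL parser or its ';' and '!' syntax, but models the two policies directly in Python so their behaviour on a few constructed requests can be compared offline. The key name and slave prefix are taken from the post; the outside address, the "other-key" name and the requests themselves are constructed for the example.

```python
"""Model of the AXFR transfer policy discussed in the post.

Added example, not YADIFA code. It assumes TSIG verification has already
happened and the server knows (a) the request's source address and (b) which
key, if any, produced a valid MAC. The ACL decision is then made on those two
facts. Addresses, key names and requests are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Dict, Optional, Sequence, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Request:
    """Source address and the name of the key whose MAC verified
    (None when the request was unsigned or the MAC did not verify)."""
    source: str
    verified_key: Optional[str]


@dataclass(frozen=True)
class TransferRule:
    """One allow rule. Every condition that is set must hold (logical AND).
    key only      -> what the post's first <acl>/<zone> config expresses
    key + networks -> the tightening the post is trying to get"""
    key: Optional[str] = None
    networks: Sequence[Network] = ()

    def matches(self, req: Request) -> bool:
        if self.key is not None and req.verified_key != self.key:
            return False
        if self.networks:
            src = ip_address(req.source)
            # An IPv4 address is never "in" an IPv6 network and vice versa,
            # so mixed-family rules simply fail to match instead of raising.
            if not any(src in net for net in self.networks):
                return False
        return True


def allow_transfer(rules: Sequence[TransferRule], req: Request) -> bool:
    """AXFR is permitted if any rule matches; an empty rule list denies all."""
    return any(rule.matches(req) for rule in rules)


# --- Policies -------------------------------------------------------------
KEY = "company-tsig-key01"                  # key name from the post
SLAVES = [ip_network("192.168.11.64/32")]   # slave prefix from the post

# Weak: the post's first configuration (valid key, any source address).
KEY_ONLY = [TransferRule(key=KEY)]

# Intended: valid key AND source address inside the slave prefix.
KEY_AND_ADDRESS = [TransferRule(key=KEY, networks=SLAVES)]

# Constructed requests (203.0.113.9 is a documentation address used here
# to stand for "anywhere else on the Internet").
REQUESTS: Dict[str, Request] = {
    "slave, signed":       Request("192.168.11.64", KEY),
    "slave, unsigned":     Request("192.168.11.64", None),
    "outside, signed":     Request("203.0.113.9", KEY),      # key used off-site
    "outside, wrong key":  Request("203.0.113.9", "other-key"),
}


def evaluate(rules: Sequence[TransferRule]) -> Dict[str, bool]:
    """Run every constructed request through a policy; True means ALLOW."""
    return {name: allow_transfer(rules, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("key only", KEY_ONLY),
                          ("key and address", KEY_AND_ADDRESS)):
        print(f"== {label} ==")
        for name, ok in evaluate(policy).items():
            print(f"  {name:20s} {'ALLOW' if ok else 'DENY'}")
```

Under the key-only policy the "outside, signed" request is allowed, which is exactly the exposure the post describes: anyone holding the key can pull the zone from any address. Under the key-and-address policy the same request is denied, while a signed request from the slave prefix is still allowed and an unsigned one from the slave prefix is not.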