[yadifa-users] key / server association in the acl

Hudec Peter phudec at cnc.sk
Mon Aug 18 11:51:45 CEST 2014


Hi,

I need to do the following setup on version 1.0.3:
to set up a master with AXFR TSIG zone transfer to the slaves, but only to
the slaves and their keys.

I had the same problem with ISC BIND, described on my page
http://blog.hudecof.net/posts/2014/08/10/bind9-axfr-with-tsig-and-acl.html.

<key>
        name    company-tsig-key01
        algorithm       hmac-md5
        secret  QM2N0SAM6Wsnkm+47iMUvA==
</key>

<acl>
        slave01		key  company-tsig-key01
</acl>

<zone>
        domain          example.com
        file            masters/example.com
        type            master

        allow-transfer  slave01
</zone>

This setup allows AXFR from any location when a valid TSIG is
provided.


When I combined the key and IP together I got an error. Actually the error is
one line earlier, at the NEGATION.

<acl>
	slaves          192.168.11.64/32
	not-slaves      ! slaves ; any
	company-slaves  ! not-slaves ; key company-tsig-key01
</acl>


config: <acl>: ACL_UNEXPECTED_NEGATION ( 'not-slaves' = '! slaves ; any'
[] )
config: at /usr/local/yadifa/etc/yadifad.conf:10: ACL_UNEXPECTED_NEGATION)
error: ACL_UNEXPECTED_NEGATION
2014-08-18 11:46:27.631979 | server   | E | config: <acl>:
ACL_UNEXPECTED_NEGATION ( 'not-slaves' = '! slaves ; any' [] )
2014-08-18 11:46:27.631985 | server   | E | config: at
/usr/local/yadifa/etc/yadifad.conf:10: ACL_UNEXPECTED_NEGATION)



So, the final question: is there any way to allow AXFR only from some
locations?

	Best regards
		Peter Hudec
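The security point of the post is that a key-only ACL entry authorises AXFR from anywhere the secret is known, while the poster wants "valid key AND known slave address". The following is an added example, not code from the post or from the YADIFA project: it builds a constructed AXFR query for example.com, signs and verifies it with the posted TSIG key using the RFC 2845 HMAC-MD5 digest input, and then applies two hypothetical policy functions that model the two rules side by side. The policy helpers, the slave network (taken from the 'slaves' ACL in the post), the timestamp and the query ID are assumptions for the demonstration; they model the intended rule, not how yadifad actually evaluates its <acl> section.

```python
"""Added example: TSIG-signed AXFR request checked under two authorisation
policies, 'key only' (what the posted key-only ACL gives) versus
'key AND source address' (what the post asks for). Not yadifad code."""
import base64
import hashlib
import hmac
import ipaddress
import struct

KEY_NAME = "company-tsig-key01"
ALGORITHM = "hmac-md5.sig-alg.reg.int"                   # RFC 2845 name for hmac-md5
SECRET = base64.b64decode("QM2N0SAM6Wsnkm+47iMUvA==")    # secret posted on the list
FUDGE = 300                                              # allowed clock skew, seconds

# Hypothetical: the network from the post's 'slaves' ACL entry.
SLAVE_NETS = [ipaddress.ip_network("192.168.11.64/32")]


def encode_name(name: str) -> bytes:
    """Wire-format DNS name: length-prefixed labels plus the root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def axfr_query(zone: str, qid: int = 0x1234) -> bytes:
    """Constructed AXFR query: 12-byte header, one question, no TSIG RR yet."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", 252, 1)  # QTYPE AXFR, QCLASS IN
    return header + question


def tsig_digest_input(message: bytes, time_signed: int, fudge: int,
                      error: int = 0, other: bytes = b"") -> bytes:
    """RFC 2845 section 3.4: for a request the MAC covers the DNS message
    followed by the TSIG variables (key name, CLASS ANY, TTL 0, algorithm,
    48-bit time signed, fudge, error, other len, other data)."""
    variables = (encode_name(KEY_NAME)
                 + struct.pack("!HI", 255, 0)
                 + encode_name(ALGORITHM)
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
                 + struct.pack("!HHH", fudge, error, len(other))
                 + other)
    return message + variables


def sign(message: bytes, secret: bytes, time_signed: int, fudge: int = FUDGE) -> bytes:
    """HMAC-MD5 over the digest input; 16-byte MAC as carried in the TSIG RR."""
    return hmac.new(secret, tsig_digest_input(message, time_signed, fudge), hashlib.md5).digest()


def verify(message: bytes, mac: bytes, time_signed: int, now: int, fudge: int = FUDGE) -> bool:
    """Server side: reject stale timestamps, then compare MACs in constant time."""
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(mac, sign(message, SECRET, time_signed, fudge))


def allow_key_only(src_ip: str, mac_ok: bool) -> bool:
    """Hypothetical model of the first config: a valid key suffices from anywhere."""
    return mac_ok


def allow_key_and_address(src_ip: str, mac_ok: bool, nets=SLAVE_NETS) -> bool:
    """Hypothetical model of the wanted rule: valid key AND source in the slave nets."""
    addr = ipaddress.ip_address(src_ip)
    return mac_ok and any(addr in net for net in nets)


def decide(src_ip: str, message: bytes, mac: bytes, time_signed: int, now: int):
    """Return (key_only_decision, key_and_address_decision) for one request."""
    mac_ok = verify(message, mac, time_signed, now)
    return allow_key_only(src_ip, mac_ok), allow_key_and_address(src_ip, mac_ok)


if __name__ == "__main__":
    msg = axfr_query("example.com")
    t = 1408355505                      # constructed 'time signed' value
    good = sign(msg, SECRET, t)
    bad = sign(msg, b"wrong-secret", t)
    for ip, mac in (("192.168.11.64", good), ("203.0.113.5", good), ("192.168.11.64", bad)):
        print(ip, decide(ip, msg, mac, t, t + 10))
```

The second line of output is the case the post is worried about: with the key alone, a request from 203.0.113.5 carrying a correct MAC is accepted, while the combined rule refuses it. The example keeps hmac-md5 only because the posted key uses it; for a new key, hmac-sha256 is the algorithm to pick.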
