[yadifa-users] key / server association in the acl
Eric Diaz Fernandez
ericdf at eurid.eu
Mon Aug 18 15:17:50 CEST 2014
Hi,
The grammar of the ACL rules does not allow negation of another ACL rule.
For your problem you only need to accept slaves and/or the keys.
<acl>
slaves 192.168.11.64/32
slaves-or-keys 192.168.11.64/32; key company-tsig-key01
company-keys key company-tsig-key01
</acl>
<zone>
allow-transfer slaves # accepts the matching IP(s), rejects everything else
# or
# allow-transfer slaves-or-keys # accepts the matching IP(s), or accepts the messages signed with the key(s), rejects everything else
# or
# allow-transfer company-keys # accepts only the messages signed with the key(s), rejects everything else
</zone>
There is no way to match together an IP and a key. It's always IP(s) or key(s).
You can find a few other examples in the manual, in the section about the server configuration.
Regards,
R&D
On 18/08/14 11:51, Hudec Peter wrote:
> Hi,
>
> I need to do the following setup on the 1.0.3 version:
> to set up a master with the AXFR TSIG zone transfer to the slaves, but only
> the slaves and their keys.
>
> I had the same problem with ISC Bind, described on my page
> http://blog.hudecof.net/posts/2014/08/10/bind9-axfr-with-tsig-and-acl.html.
>
> <key>
> name company-tsig-key01
> algorithm hmac-md5
> secret QM2N0SAM6Wsnkm+47iMUvA==
> </key>
>
> <acl>
> slave01 key company-tsig-key01
> </acl>
>
> <zone>
> domain example.com
> file masters/example.com
> type master
>
> allow-transfer slave01
> </zone>
>
> This setup allows the AXFR to be done from any location when a good TSIG is
> provided.
>
>
> When I combined the key and IP together I got an error. Actually the error is
> one line before, with the NEGATION.
>
> <acl>
> slaves 192.168.11.64/32
> not-slaves ! slaves ; any
> company-slaves ! not-slaves ; key company-tsig-key01
> </acl>
>
>
> config: <acl>: ACL_UNEXPECTED_NEGATION ( 'not-slaves' = '! slaves ; any'
> [] )
> config: at /usr/local/yadifa/etc/yadifad.conf:10: ACL_UNEXPECTED_NEGATION)
> error: ACL_UNEXPECTED_NEGATION
> 2014-08-18 11:46:27.631979 | server | E | config: <acl>:
> ACL_UNEXPECTED_NEGATION ( 'not-slaves' = '! slaves ; any' [] )
> 2014-08-18 11:46:27.631985 | server | E | config: at
> /usr/local/yadifa/etc/yadifad.conf:10: ACL_UNEXPECTED_NEGATION)
>
>
>
> So the final question: is there any way to allow AXFR only from some
> locations?
>
> Best regards
> Peter Hudec
>
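To make the semantics in the reply concrete, here is a small Python model of the ACL evaluation described above. It is an added illustration written for this thread, not YADIFA's code: it assumes that an ACL entry is a `;`-separated list of alternatives (an IP/CIDR, `any`, or `key NAME`), that a request is accepted when any single alternative matches, and that a `!`-negated alternative is refused at load time with `ACL_UNEXPECTED_NEGATION`.

```python
"""Toy model of the YADIFA ACL semantics discussed in the thread.

Illustrative only (written for this page, not YADIFA's implementation).
It models the reply's three points: alternatives in one rule are OR-ed,
an IP and a key can never both be required, and negation of another
rule is rejected when the configuration is loaded.
"""
import ipaddress

ACL_UNEXPECTED_NEGATION = "ACL_UNEXPECTED_NEGATION"

# Constructed <acl> body mirroring the reply's example.
ACL_BLOCK = """
slaves 192.168.11.64/32
slaves-or-keys 192.168.11.64/32; key company-tsig-key01
company-keys key company-tsig-key01
"""


def parse_acl(block):
    """Return {rule_name: [alternative, ...]}; raise on a negated alternative."""
    rules = {}
    for line in block.strip().splitlines():
        name, _, body = line.strip().partition(" ")
        alts = [a.strip() for a in body.split(";") if a.strip()]
        for alt in alts:
            if alt.startswith("!"):
                # Mirrors the load-time error Peter hit with '! slaves ; any'.
                raise ValueError(f"{ACL_UNEXPECTED_NEGATION} ( '{name}' = '{body}' )")
        rules[name] = alts
    return rules


def matches(alt, src_ip, tsig_key):
    """One alternative matches on the TSIG key name OR on the source address."""
    if alt.startswith("key "):
        return tsig_key == alt[4:].strip()
    if alt == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(alt, strict=False)


def allow_transfer(rules, acl_name, src_ip, tsig_key=None):
    """Accept the AXFR when ANY alternative of the named rule matches."""
    return any(matches(a, src_ip, tsig_key) for a in rules[acl_name])
```

Running it shows why "only the slaves and their keys" cannot be expressed: `slaves-or-keys` accepts an unsigned transfer from the slave address and a correctly signed transfer from any address.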