[yadifa-users] key / server association in the acl

Peter Hudec peter.hudec at cnc.sk
Mon Aug 18 15:33:16 CEST 2014


Hi,

thanks for quick response.

You just confirmed what I found in the yadifa source ;(

I just tested several scenarios across several authoritative DNS servers.
I will use yadifa as slave server so there will be no such issue.

It would be good to add/extend the ACL to provide this functionality.

	best regards
		Peter Hudec

On 18/08/14 15:17, Eric Diaz Fernandez wrote:
> Hi,
> 
> The grammar of the ACL rules does not allow negation of another ACL rule.
> For your problem you only need to accept slaves and/or the keys.
> 
> <acl>
>      slaves 192.168.11.64/32
>      slaves-or-keys 192.168.11.64/32; key company-tsig-key01
>      company-keys key company-tsig-key01
> </acl>
> 
> <zone>
>      allow-transfer slaves               # accepts the matching IP(s), rejects everything else
> # or
> # allow-transfer slaves-or-keys       # accepts the matching IP(s), or accepts the messages signed with the key(s), rejects everything else
> # or
> # allow-transfer company-keys         # accepts only the messages signed with the key(s), rejects everything else
> </zone>
> 
> There is no way to match together an IP and a key. It's always IP(s) or
> key(s).
> 
> You can find a few other examples in the manual at section about the 
> server configuration.
> 
> Regards,
> 
> R&D
> 
> On 18/08/14 11:51, Hudec Peter wrote:
>> Hi,
>>
>> I need to do the following setup on version 1.0.3:
>> to set up a master with AXFR TSIG zone transfer to the slaves, but only
>> to the slaves and their keys.
>>
>> The same problem I had with ISC Bind, described on my page
>> http://blog.hudecof.net/posts/2014/08/10/bind9-axfr-with-tsig-and-acl.html.
>>
>> <key>
>>          name    company-tsig-key01
>>          algorithm       hmac-md5
>>          secret  QM2N0SAM6Wsnkm+47iMUvA==
>> </key>
>>
>> <acl>
>>          slave01		key  company-tsig-key01
>> </acl>
>>
>> <zone>
>>          domain          example.com
>>          file            masters/example.com
>>          type            master
>>
>>          allow-transfer  slave01
>> </zone>
>>
>> This setup allows the AXFR from any location when a good TSIG is
>> provided.
>>
>>
>> When I combined the key and IP together I got an error. Actually the error is
>> one line before, with the NEGATION.
>>
>> <acl>
>> 	slaves          192.168.11.64/32
>> 	not-slaves      ! slaves ; any
>> 	company-slaves  ! not-slaves ; key company-tsig-key01
>> </acl>
>>
>>
>> config: <acl>: ACL_UNEXPECTED_NEGATION ( 'not-slaves' = '! slaves ; any' [] )
>> config: at /usr/local/yadifa/etc/yadifad.conf:10: ACL_UNEXPECTED_NEGATION)
>> error: ACL_UNEXPECTED_NEGATION
>> 2014-08-18 11:46:27.631979 | server   | E | config: <acl>: ACL_UNEXPECTED_NEGATION ( 'not-slaves' = '! slaves ; any' [] )
>> 2014-08-18 11:46:27.631985 | server   | E | config: at /usr/local/yadifa/etc/yadifad.conf:10: ACL_UNEXPECTED_NEGATION)
>>
>>
>>
>> So the final question: is there any way to allow AXFR only from some
>> locations?
>>
>> 	Best regards
>> 		Peter Hudec
>>
>> _______________________________________________
>> yadifa-users mailing list
>> yadifa-users at mailinglists.yadifa.eu
>> http://www.yadifa.eu/mailman/listinfo/yadifa-users
> 
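The reply in this thread states the rule that matters for exposure: an ACL entry list is matched as "IP(s) or key(s)", and there is no grammar to require an IP and a key together. The evaluator below is an added example, written for this page and not yadifa code; it models only that stated OR semantics for the three ACL rules quoted above (CIDR, `any`, and `key <name>` entries; `!` is rejected rather than modelled, mirroring the ACL_UNEXPECTED_NEGATION error in the thread). It computes which of four constructed requests would be granted an AXFR under each `allow-transfer` choice, and contrasts that with the IP-and-key policy the original post asked for. The names `Request`, `parse_rule`, `rule_allows`, `exposure_matrix` and `ip_and_key`, and the address 203.0.113.5, are constructed for the example.

```python
"""Toy model of the ACL matching semantics described in the yadifa-users thread.

Constructed example, not yadifa's own code.  An ACL rule is a ';'-separated
list of entries; each entry is an IP/CIDR, 'any', or 'key <name>'.  A request
matches the rule when ANY entry matches (IP *or* key).  Negation ('!') is not
modelled: the thread shows yadifa rejecting it with ACL_UNEXPECTED_NEGATION.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    """One incoming AXFR request: source address plus the name of the TSIG key
    that validly signed it (None when unsigned or the signature did not verify)."""
    src_ip: str
    tsig_key: Optional[str] = None


def parse_rule(text: str) -> list:
    """Parse the entry list of one ACL rule into (kind, value) tuples."""
    entries = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        if item.startswith("!"):
            # Assumption for this model: treat any negation as a config error,
            # as the thread's ACL_UNEXPECTED_NEGATION log lines do for '! slaves'.
            raise ValueError(f"negation not supported in this model: {item!r}")
        if item == "any":
            entries.append(("any", None))
        elif item.startswith("key "):
            entries.append(("key", item[4:].strip()))
        else:
            entries.append(("net", ipaddress.ip_network(item, strict=False)))
    return entries


def entry_matches(entry, req: Request) -> bool:
    kind, value = entry
    if kind == "any":
        return True
    if kind == "key":
        return req.tsig_key == value
    return ipaddress.ip_address(req.src_ip) in value


def rule_allows(rule_text: str, req: Request) -> bool:
    """OR semantics: the request passes if any single entry matches."""
    return any(entry_matches(e, req) for e in parse_rule(rule_text))


# The three rules from the reply, verbatim.
ACL = {
    "slaves": "192.168.11.64/32",
    "slaves-or-keys": "192.168.11.64/32; key company-tsig-key01",
    "company-keys": "key company-tsig-key01",
}

# Constructed requests: the configured slave and an unrelated host (203.0.113.5
# is documentation address space), each with and without a valid TSIG.
REQUESTS = {
    "slave, unsigned": Request("192.168.11.64"),
    "slave, signed": Request("192.168.11.64", "company-tsig-key01"),
    "stranger, signed": Request("203.0.113.5", "company-tsig-key01"),
    "stranger, unsigned": Request("203.0.113.5"),
}


def exposure_matrix() -> dict:
    """For each allow-transfer choice, which constructed requests get an AXFR."""
    return {name: {label: rule_allows(rule, r) for label, r in REQUESTS.items()}
            for name, rule in ACL.items()}


def ip_and_key(req: Request, network: str, key_name: str) -> bool:
    """The policy the original post wanted: source inside the network AND a
    valid signature with the named key.  Computed here only for contrast; the
    thread states the ACL grammar cannot express this conjunction."""
    return (ipaddress.ip_address(req.src_ip) in ipaddress.ip_network(network, strict=False)
            and req.tsig_key == key_name)


if __name__ == "__main__":
    for name, row in exposure_matrix().items():
        granted = [label for label, ok in row.items() if ok]
        print(f"allow-transfer {name:15s} -> AXFR granted to: {granted}")
    print("IP-and-key (not expressible as an ACL):",
          [label for label, r in REQUESTS.items()
           if ip_and_key(r, "192.168.11.64/32", "company-tsig-key01")])
```

Running it shows the trade-off the thread turns on: `company-keys` and `slaves-or-keys` both grant a transfer to a correctly signed request from any address (the behaviour the original post observed with a key-only ACL), only `slaves` restricts by location, and the IP-and-key conjunction that grants only "slave, signed" is not something the OR-only rule list can express.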


