| Path | csiph.com!x330-a1.tempe.blueboxinc.net!newsfeed.hal-mli.net!feeder3.hal-mli.net!newsfeed.hal-mli.net!feeder1.hal-mli.net!news.glorb.com!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Doug Barton <dougb@dougbarton.us> |
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: Securing zone transfer and DDNS |
| Date | Sun, 06 Nov 2011 18:47:51 -0800 |
| Organization | http://SupersetSolutions.com/ |
| Lines | 56 |
| Approved | bind-users@lists.isc.org |
| Message-ID | <mailman.3.1320630492.68562.bind-users@lists.isc.org> (permalink) |
| References | <21ed7915.4729b742.4eb72f52.7f82@o2.pl> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=ISO-8859-1 |
| Content-Transfer-Encoding | 7bit |
| Cc | bind-users@lists.isc.org |
| To | Aleksander Kurczyk <aleksanderkurczyk@o2.pl> |
| User-Agent | Mozilla/5.0 (X11; FreeBSD amd64; rv:7.0.1) Gecko/20111001 Thunderbird/7.0.1 |
| In-Reply-To | <21ed7915.4729b742.4eb72f52.7f82@o2.pl> |
| OpenPGP | id=1A1ABC84 |
On 11/06/2011 17:07, Aleksander Kurczyk wrote:
> Hello, I am just reading a book called "Pro DNS and BIND 10" written by
> Ron Aitchison. I'm stuck in chapter 10, called "DNS Secure
> Configurations". There it's described how to secure zone transfers and
> dynamic updates. The author has used one key to secure both the zone
> transfer and the dynamic updates, but I want to use two separate keys.
First question, why use 2 keys? The combination of a key and an address
match list should be enough. Second question, what version of BIND are
you using? It probably doesn't matter, but it's good form to include
that information.
> Unfortunately, when I add more than one key to the keys option in the
> server section, named doesn't start anymore. The format of the key
> option in the book is different from the one in the manual. When I remove
> the whole server section everything works ok. Is the keys section
> important? What is this section for? How can I use one key to
> secure zone transfer to one host and another to secure zone transfer to
> another host? Is it possible?
Doesn't look that way. The ARM is your best source for config info.
> Part of the named.conf:
> include "key";
The include directive is related to adding an external file to your
named.conf. Unless that's what you're intending to do, you probably
don't want it here.
> server 127.0.0.1 { keys { "key"; }; };
The term "keys" here would seem to indicate that you can add multiple
keys per server, but ...
> zone "my.zone" in { type master; file "my.zone"; allow-transfer { key
> "key"; }; allow-update { key "key"; }; };
I don't see anything in the ARM about including key directives in the
allow-update or allow-transfer grammar.
You can probably also get some useful information by using named-checkconf.
hth,
Doug
--
"We could put the whole Internet into a book."
"Too practical."
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
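As an added example (not part of Doug's reply, nor from the book the original poster cites), here is a BIND 9 named.conf fragment that does what Aleksander asked for: two separate TSIG keys, one used only for zone transfers to a named secondary and one used only for dynamic updates. It relies on two points of the BIND 9 ARM grammar: an address match list element may be `key key_id`, so `allow-transfer` and `allow-update` can reference a key directly; and the `keys` clause of a `server` statement only selects the key this server uses to sign requests it *sends* to that peer (the ARM notes that, although the grammar allows a list, only a single key per server is used), so it is not the place to authenticate incoming transfers or updates. All names, addresses and secrets below are constructed placeholders; the secrets are syntactically valid base64 but not real key material.

```conf
// Added example: two TSIG keys, one per purpose. Names, addresses and
// secrets are placeholders, not values from the thread or the book.

// Key used only to authenticate AXFR/IXFR requests from the secondary.
key "xfer-ns2.example.net" {
    algorithm hmac-sha256;                               // assumed algorithm
    secret "Q29uc3RydWN0ZWQtcGxhY2Vob2xkZXItc2VjcmV0LTEh"; // placeholder
};

// Key used only by the DDNS client (e.g. a DHCP server) to send updates.
key "ddns-dhcp.example.net" {
    algorithm hmac-sha256;                               // assumed algorithm
    secret "Q29uc3RydWN0ZWQtcGxhY2Vob2xkZXItc2VjcmV0LTIh"; // placeholder
};

// Makes THIS server sign what it sends to 192.0.2.53 (NOTIFY, and transfer
// requests if this host were itself a secondary). It does not control who
// may transfer from us; only one key per server is used.
server 192.0.2.53 {
    keys { "xfer-ns2.example.net"; };
};

zone "my.zone" in {
    type master;
    file "my.zone";

    // Require BOTH the secondary's address AND a valid signature with the
    // transfer key. The nested, negated list denies every source that is
    // not 192.0.2.53; a request from 192.0.2.53 falls through to the key
    // element, which matches only if the request is correctly TSIG-signed.
    // A plain "allow-transfer { key ...; };" would let any host that holds
    // the key transfer the zone.
    allow-transfer {
        !{ !192.0.2.53; any; };
        key "xfer-ns2.example.net";
    };

    // Dynamic updates with the second key only. update-policy is preferred
    // over allow-update because it also limits which names and record
    // types the key may touch (allow-update and update-policy are mutually
    // exclusive within one zone).
    update-policy {
        grant "ddns-dhcp.example.net" subdomain my.zone. A AAAA TXT;
    };
};
```

Validate the fragment the way Doug suggests, with `named-checkconf` against the full named.conf; it checks the grammar and the base64 secrets without loading zone files. Keep each `key` statement in a separate file with restrictive permissions and pull it in with `include`, and give the secondary only the transfer key and the DDNS client only the update key, so compromise of one client does not expose the other capability.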