


Re: Securing zone transfer and DDNS

From Aleksander Kurczyk <aleksanderkurczyk@o2.pl>
Newsgroups comp.protocols.dns.bind
Subject Re: Securing zone transfer and DDNS
Date Mon, 07 Nov 2011 15:31:40 +0100
Message-ID <mailman.6.1320676349.68562.bind-users@lists.isc.org> (permalink)



On 7 November 2011 at 3:47, Doug Barton <dougb@dougbarton.us> wrote:
> First question, why use 2 keys? The combination of a key and an address
> match list should be enough. Second question, what version of BIND are
> you using? It probably doesn't matter, but it's good form to include
> that information.

Because I want to try setting multiple keys. Currently I have only one server (localhost - 127.0.0.1), but in the future, on a real working network, I would have to set up more than one server and I don't know how. Will I simply have to add a new key to the allow-update or allow-transfer option?

Bind version is: 9.7.4

> > Unfortunately when I add to the keys option in server section more
> > than one key the named doesn't start anymore. Format of the key
> > option in the book is different than in the manual. When I remove
> > whole server section everything works ok. Is the keys section
> > important? For what this section is for? How can I use one key to
> > secure zone transfer to one host and other to secure zone transfer to
> > other host? It is possible?
> 
> Doesn't look that way. The ARM is your best source for config info.

Maybe this is a stupid question, but what is the ARM?

> The include directive is related to adding an external file to your
> named.conf. Unless that's what you're intending to do, you probably
> don't want it here.

The key is in an external file.

> > server 127.0.0.1 { keys { "key"; }; };
> 
> The term "keys" here would seem to indicate that you can add multiple
> keys per server, but ...
> 
> > zone "my.zone" in { type master; file "my.zone"; allow-transfer { key
> > "key"; }; allow-update { key "key"; }; };
> 
> I don't see anything in the ARM about including key directives in the
> allow-update or allow-transfer grammar.

Without that (keys only in the server section) I can transfer the whole domain (dig my.zone axfr) without passing any key.

> You can probably also get some useful information by using named-checkconf.

Named-checkconf returns an error with "}" expected after ";" and ";" expected after "}".

-- 
Regards,
Aleksander Kurczyk
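
The multi-host setup asked about above, laid out as an added example (it is not part of the original post or of the BIND documentation). The key names, the 192.0.2.x addresses and the secrets are constructed placeholders; the zone name and file are the ones from the post. It goes beyond the single-key case in the post by giving each secondary and the dynamic-update client its own TSIG key.

```conf
// Added example for the primary's named.conf. All key names, addresses
// and secrets below are placeholders (assumptions), not values from the post.
// Real secrets are base64 strings; keep them in a file that only the named
// user can read and pull that file in with "include".

key "xfer-ns2" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-BASE64-SECRET-NS2";
};

key "xfer-ns3" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-BASE64-SECRET-NS3";
};

key "ddns-client" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-BASE64-SECRET-DDNS";
};

// A server statement only selects the key this host signs with when it
// talks TO that peer (one key per peer). It does not restrict what the
// peer may request, which is why keys in the server section alone still
// allow an unsigned AXFR.
server 192.0.2.2 { keys { "xfer-ns2"; }; };
server 192.0.2.3 { keys { "xfer-ns3"; }; };

zone "my.zone" in {
    type master;
    file "my.zone";

    // Inbound restriction: a transfer request must be signed with one of
    // these keys. Each secondary holds only its own key, so one key can be
    // revoked without touching the other host.
    allow-transfer { key "xfer-ns2"; key "xfer-ns3"; };

    // Dynamic updates use a separate key, so a secondary's transfer key
    // cannot be used to modify the zone.
    allow-update { key "ddns-client"; };
};
```

Each secondary needs the matching key statement plus a server statement for the primary's address naming that key, so that its transfer requests are signed. With this in place an unsigned `dig my.zone axfr` should be refused, while a request signed with one of the listed keys should succeed.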
