List:       bind9-users
Subject:    Re: TSIG last question
From:       Mark_Andrews () isc ! org
Date:       2002-06-25 14:28:30

> This was of great help. Another individual sent me to a web site with a 
> course PDF that explained this in great detail.
> 
> One thing I need clarified though:
> 
> Currently, I have 1 primary and 2 slaves. Zone transfers/updates using 
> normal methods are working nicely now (again thanks to help from people here).
> 
> However, while reading the Bind book, it states that the slaves should not 
> allow transfers....and I agree with this statement!

	allow-transfer values are a policy decision.  There is nothing
	inherently wrong with allowing everyone to transfer a zone.
 
> So, in my named.conf on the slaves:
> 
> zone  "bar.com" {
>          type slave;
>          file "/zones/db.bar.com";
>          masters { 1.2.3.4; };
>          allow-transfer { none; };
> };
> 
> The above example of TSIG seems to go against what is recommended:
> 
> zone example {
>                  type slave;
>                  file "example";
>                  masters { 10.0.0.1; };
>                  allow-transfer { key example.key; };
> };
> 
> I just want to verify that this must be the case (so it seems).

	Using the *same* allow-transfer acl does not change who
	can transfer the zone (firewalled masters aside).

> Thanx to all who responded. I really appreciate it!
> 
> Jeff
> 
	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
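
An added illustration of the reply's point, not part of the original message and not ISC code: a small audit that compares a slave's allow-transfer list with the master's and reports whether the slave admits any transfer client the master does not. The configs are constructed samples, and the helper names `transfer_acls` and `slave_widens` are hypothetical.

```python
import re

# Constructed configs (not from the original message). The zone name, key name
# and master address reuse the fragments quoted in the thread.
MASTER_CONF = '''
zone "example" {
    type master;
    file "example";
    allow-transfer { key example.key; };
};
'''
SLAVE_TMPL = '''
zone "example" {
    type slave;
    file "example";
    masters { 10.0.0.1; };
    allow-transfer { %s };
};
'''
SLAVE_SAME = SLAVE_TMPL % "key example.key;"   # same ACL as the master
SLAVE_NONE = SLAVE_TMPL % "none;"              # the book's advice
SLAVE_OPEN = SLAVE_TMPL % "any;"               # looser than the master

# Assumption: each zone block closes with "};" at the start of a line.
ZONE_RE = re.compile(r'zone\s+"?([\w.-]+)"?\s*\{(.*?)\n\};', re.S)
XFER_RE = re.compile(r'allow-transfer\s*\{(.*?)\}\s*;', re.S)

def transfer_acls(conf):
    """Map zone name -> frozenset of allow-transfer elements (None if unset)."""
    acls = {}
    for name, body in ZONE_RE.findall(conf):
        m = XFER_RE.search(body)
        acls[name] = None if m is None else frozenset(
            e.strip().replace('"', '') for e in m.group(1).split(';') if e.strip())
    return acls

def slave_widens(master_conf, slave_conf, zone):
    """True if the slave lists a transfer client the master's ACL does not.
    Literal comparison only: named acl references and "!" negation are not resolved."""
    master, slave = transfer_acls(master_conf)[zone], transfer_acls(slave_conf)[zone]
    if master is None or slave is None:
        raise ValueError("allow-transfer not set in the zone block; check options/view")
    return "any" not in master and bool(slave - {"none"} - master)

if __name__ == "__main__":
    for label, conf in [("same", SLAVE_SAME), ("none", SLAVE_NONE), ("any", SLAVE_OPEN)]:
        print(label, "widens exposure:", slave_widens(MASTER_CONF, conf, "example"))
```

Only the slave with `any` is flagged; the slave that repeats the master's key-only list leaves the set of permitted transfer clients unchanged.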
