[Opendnssec-develop] DNS adapters configuration

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Sep 15 13:57:25 UTC 2011



On 09/08/2011 12:31 PM, Matthijs Mekking wrote:
...
> 
> The acl.xfr file contains tsig, master and slave address and such. The
> syntax is as follows:
> 
> start = element Adapter {
>         # Type of adapter
>         attribute type { xsd:string },
> 
>         # inbound zone transfer settings
>         element Inbound {
>                 # what TSIG secret to use
>                 tsig?,
>                 element RequestTransfer { remoteAddress }*,
>                 element AllowNotify { remoteAddress }*,
>         },
> 
>         # outbound zone transfer settings
>         element Outbound {
>                 # what TSIG secret to use
>                 tsig?,
>                 element ProvideTransfer { remoteAddress }*,
>                 element Notify { remoteAddress }*,
>         }
> 

This is not entirely correct; tsig should be on a per-server basis, not
a per-zone basis.

Something more like:

        element Inbound {
                element RequestTransfer { remoteAddress, tsig? }*,
                element AllowNotify { remoteAddress, tsig? }*,
        },

or

        element Inbound {
                # zero or more TSIG secrets
                tsig*,
                element RequestTransfer { remoteAddress, tsig_id? }*,
                element AllowNotify { remoteAddress, tsig_id? }*,
        },
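
The second variant above makes each RequestTransfer and AllowNotify entry depend on a tsig_id that has to resolve to a declared tsig. The check below is an added example, not part of the original message or of OpenDNSSEC's code; the XML layout it parses (child elements, the "id" attribute, the "secret" element) is assumed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the names Inbound, RequestTransfer, AllowNotify,
# remoteAddress, tsig and tsig_id come from the message; the XML layout
# (child elements, the "id" attribute, "secret") is assumed for illustration.
SAMPLE = """
<Adapter type="dns">
  <Inbound>
    <tsig id="key-a"><secret>PLACEHOLDER</secret></tsig>
    <tsig id="key-unused"><secret>PLACEHOLDER</secret></tsig>
    <RequestTransfer><remoteAddress>192.0.2.1</remoteAddress>
                     <tsig_id>key-a</tsig_id></RequestTransfer>
    <RequestTransfer><remoteAddress>192.0.2.2</remoteAddress>
                     <tsig_id>key-b</tsig_id></RequestTransfer>
    <AllowNotify><remoteAddress>192.0.2.1</remoteAddress></AllowNotify>
  </Inbound>
</Adapter>
"""

def audit_inbound(xml_text):
    """Return (severity, message) findings for the Inbound section."""
    inbound = ET.fromstring(xml_text).find("Inbound")
    if inbound is None:
        return [("error", "no Inbound element")]
    findings, declared, used = [], set(), set()
    for key in inbound.findall("tsig"):
        key_id = key.get("id", "")
        if key_id in declared:
            findings.append(("error", f"tsig id {key_id!r} declared twice"))
        declared.add(key_id)
    for kind in ("RequestTransfer", "AllowNotify"):
        for peer in inbound.findall(kind):
            addr = peer.findtext("remoteAddress", "?").strip()
            ref = peer.findtext("tsig_id")
            if ref is None:
                # Optional tsig_id omitted: the peer is matched by address only.
                findings.append(("warn", f"{kind} {addr}: no tsig_id"))
            elif ref.strip() not in declared:
                findings.append(("error", f"{kind} {addr}: unknown tsig_id {ref.strip()!r}"))
            else:
                used.add(ref.strip())
    for key_id in sorted(declared - used):
        findings.append(("warn", f"tsig {key_id!r} is never referenced"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_inbound(SAMPLE):
        print(f"{severity}: {message}")
```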


