Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Menu
Open sidebar
Sebastian Schrader
Kea
Commits
4f02b452
Commit
4f02b452
authored
Nov 20, 2011
by
JINMEI Tatuya
Browse files
[1371] updated the bind10 guide about xfrout (IXFR support, ACL configuration)
parent
54d9d7c1
Changes
1
Hide whitespace changes
Inline
Side-by-side
doc/guide/bind10-guide.xml
View file @
4f02b452
...
...
@@ -1369,20 +1369,72 @@ what if a NOTIFY is sent?
The
<command>
b10-xfrout
</command>
process is started by
<command>
bind10
</command>
.
When the
<command>
b10-auth
</command>
authoritative DNS server
receives an AXFR request,
<command>
b10-xfrout
</command>
sends the zone.
This is used to provide master DNS service to share zones
receives an AXFR or IXFR request,
<command>
b10-auth
</command>
internally forwards the request to
<command>
b10-xfrout
</command>
,
which handles the rest of request processing.
This is used to provide primary DNS service to share zones
to secondary name servers.
The
<command>
b10-xfrout
</command>
is also used to send
NOTIFY messages to s
la
ves.
NOTIFY messages to s
econdary ser
ve
r
s.
</para>
<para>
A global or per zone
<option>
transfer_acl
</option>
configuration
can be used to control accessibility of the outbound zone
transfer service.
By default,
<command>
b10-xfrout
</command>
allows any clients to
perform zone transfers for any zones:
</para>
<screen>
>
<userinput>
config show Xfrout/transfer_acl
</userinput>
Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)
</screen>
<para>
You can change this to, for example, rejecting all transfer
requests by default while allowing requests for the transfer
of zone "example.com" from 192.0.2.1 and 2001:db8::1 as follows:
</para>
<screen>
>
<userinput>
config set Xfrout/transfer_acl[0] {"action": "REJECT"}
</userinput>
>
<userinput>
config add Xfrout/zone_config
</userinput>
>
<userinput>
config set Xfrout/zone_config[0]/origin "example.com"
</userinput>
>
<userinput>
config set Xfrout/zone_config[0]/transfer_acl [{"action": "ACCEPT", "from": "192.0.2.1"},
</userinput>
<userinput>
{"action": "ACCEPT", "from": "2001:db8::1"}]
</userinput>
>
<userinput>
config commit
</userinput></screen>
<note><simpara>
The current development release of BIND 10 only support
s
AXFR. (IXFR is not supported.)
Access control is not yet provided
.
In the above example the line
s
for
<option>
transfer_acl
</option>
were divided for
readability. In the actual input it must be in a single line
.
</simpara></note>
<para>
If you want to require TSIG in access control, a separate TSIG
"key ring" must be configured specifically
for
<command>
b10-xfrout
</command>
as well as a system wide
key ring, both containing a consistent set of keys.
For example, to change the previous example to allowing requests
from 192.0.2.1 signed by a TSIG with a key name of
"key.example", you'll need to do this:
</para>
<screen>
>
<userinput>
config set tsig_keys/keys ["key.example:
<
base64-key
>
"]
</userinput>
>
<userinput>
config set Xfrout/tsig_keys/keys ["key.example:
<
base64-key
>
"]
</userinput>
>
<userinput>
config set Xfrout/zone_config[0]/transfer_acl [{"action": "ACCEPT", "from": "192.0.2.1", "key": "key.example"}]
</userinput>
>
<userinput>
config commit
</userinput></screen>
<para>
The first line of configuration defines a system wide key ring.
This is necessary because the
<command>
b10-auth
</command>
server
also checks TSIGs and it uses the system wide configuration.
</para>
<note><simpara>
In a future version,
<command>
b10-xfrout
</command>
will also
use the system wide TSIG configuration.
The way to specify zone specific configuration (ACLs, etc) is
likely to be changed, too.
</simpara></note>
<!--
TODO:
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment