Enable TSIGs and IP ACLs simultaneously

You can configure BIND 9 and later to allow zone transfers only from a restricted set of IP addresses, and only when the request is also signed with the shared TSIG secret key.

The following example works because the address match list in the allow-transfer stanza is processed in order, and the first element that matches decides the result. The ! notslaves element denies any request that does not come from one of the slaves. A request from a slave passes that element and must then be signed with the shared secret key to match the key element; an unsigned request from a slave matches nothing in the list and is therefore denied as well.

    acl slaves {
        192.0.2.1;
        192.0.2.2;
        192.0.2.3;
    };

    key example-company-sharedsecret. {
        algorithm hmac-md5;   // current BIND releases prefer hmac-sha256
        secret "mZiMNOUYQPMNwsDzrX2ENw==";
    };

    // Every address that is not one of the slaves
    acl notslaves { ! slaves; any; };

    options {
        …
        // Deny non-slaves first; the slaves that remain must present the TSIG key
        allow-transfer { ! notslaves; key example-company-sharedsecret.; };
        …
    };
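To make the ordering argument concrete, here is a small Python model of the address-match-list rules the recipe relies on. It is an added example, not BIND code and not part of the original recipe: it assumes first-match evaluation, that a matching negated element yields a deny, that a negative match inside a nested ACL counts as no match for the enclosing list (so the enclosing element is skipped rather than inverted), and that a key element matches on the TSIG key name of the signer. The non-slave address 203.0.113.9 and the function and class names are constructed for the example. A request whose TSIG signature fails verification never reaches the ACL stage in BIND at all, so the model only ever sees a signer name or nothing.

```python
"""Toy evaluator for BIND-style address match lists (added example, not BIND code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Request:
    ip: str
    signer: Optional[str] = None   # name of the TSIG key the request is signed with, if any


@dataclass(frozen=True)
class Elem:
    kind: str            # "ip" | "any" | "acl" | "key"
    value: str = ""
    negate: bool = False  # True for "! element"


def match_list(elems: List[Elem], req: Request, acls: Dict[str, List[Elem]]) -> int:
    """Return +1 (positive match), -1 (negative match) or 0 (no element matched).

    Elements are tried in order; the first one that matches decides the outcome.
    """
    for e in elems:
        if e.kind == "ip":
            hit = req.ip == e.value
        elif e.kind == "any":
            hit = True
        elif e.kind == "key":
            hit = req.signer == e.value
        elif e.kind == "acl":
            # Assumed semantics: a nested ACL counts as a match only when it matches
            # positively; a negative match inside it is treated as "no match" here.
            hit = match_list(acls[e.value], req, acls) > 0
        else:
            raise ValueError(f"unknown element kind {e.kind!r}")
        if hit:
            return -1 if e.negate else 1
    return 0


def allowed(elems: List[Elem], req: Request, acls: Dict[str, List[Elem]]) -> bool:
    """Access-control interpretation: only a positive match grants access."""
    return match_list(elems, req, acls) > 0


# The recipe's configuration, transcribed into the toy model.
KEY = "example-company-sharedsecret."
ACLS: Dict[str, List[Elem]] = {
    "slaves": [Elem("ip", "192.0.2.1"), Elem("ip", "192.0.2.2"), Elem("ip", "192.0.2.3")],
    "notslaves": [Elem("acl", "slaves", negate=True), Elem("any")],
}
ALLOW_TRANSFER = [Elem("acl", "notslaves", negate=True), Elem("key", KEY)]

# Same elements, wrong order: the key element is consulted before the address check.
ALLOW_TRANSFER_WRONG_ORDER = [Elem("key", KEY), Elem("acl", "notslaves", negate=True)]


def transfer_allowed(req: Request, policy: List[Elem] = ALLOW_TRANSFER) -> bool:
    return allowed(policy, req, ACLS)


if __name__ == "__main__":
    cases = [
        ("slave, signed", Request("192.0.2.1", KEY)),
        ("slave, unsigned", Request("192.0.2.1")),
        ("non-slave, signed with the key", Request("203.0.113.9", KEY)),  # constructed
        ("non-slave, unsigned", Request("203.0.113.9")),
    ]
    for label, req in cases:
        print(f"{label:32s} recipe order: {transfer_allowed(req)!s:5s}  "
              f"wrong order: {transfer_allowed(req, ALLOW_TRANSFER_WRONG_ORDER)}")
```

Run as a script, the table shows that only a signed request from a slave is allowed under the recipe's ordering, while reversing the two elements lets anyone who has obtained the key transfer the zone from any address, because the key element matches before the address restriction is ever consulted. That is the property to keep in mind when editing allow-transfer lists: the list is not an AND of its elements, it is a first-match sequence.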