This is a discussion on Re: ACL and keys within the Bind Users forums, part of the DNS and Related Forums category.
So...do the ACL 'rules' read left to right ???
DJ <Mark_Andrews@isc.org> wrote in message news:bijjcf$b0s$1@sf1.isc.org...
>
> > Forgive my boolean logic but
>
> You are not dealing with boolean logic. You are dealing
> with acls.
>
> > (slaves OR tsig)
> >
> > is identical to
> >
> > (not (not(slaves)) OR tsig)
>
> allow-transfer {
>     !notslaves;    // REJECT everything *but* slaves.
>
>     // Only slaves are left at this point in time.
>
>     key tsigkey;   // ACCEPT any requests with this signature.
>
>     // reject the rest.
>
> };
>
> > So I don't see how the statement equates to
> >
> > (Slaves AND slaves-with-tsig-key)
> >
> >
> > Why can't you use
> >
> > > > allow-transfer { slaves; key tsigkey; };
> > > >
> > > > That is allow "slaves" *or* allow "key tsigkey".
> > >
> > > ?????
> > >
> > > > As ! notslave == slaves
> > >
> > > acl slaves {
> > >     194.170.1.11;
> > > };
> > >
> > > acl notslaves {
> > >     !slaves; any;
> > > };
> > >
> > > allow-transfer { !notslaves; key tsigkey; };
> > >
> > > This denies everyone but slaves, then allows those with this key.
> > >
> > > Acls are parsed on a first match basis.
> > >
> > > Mark
> > > --
> > > Mark Andrews, Internet Software Consortium
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742     INTERNET: Mark.Andrews@isc.org
> >
> >
> >
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742     INTERNET: Mark.Andrews@isc.org
>
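The disagreement in the thread comes down to the difference between boolean logic and first-match evaluation, so here is a small model of the latter. This is an added example, not code from the thread and not BIND's own code: it walks an ACL left to right exactly as Mark describes ("parsed on a first match basis"), where the first element that matches decides the outcome, a negated element can only ever deny, and a request that matches nothing is denied. The one extra rule it models is how a nested ACL behaves under negation: only a positive match inside the nested ACL counts as a match of the element, which is the rule BIND 9 applies in lib/dns/acl.c so that `!notslaves` cannot turn into an accidental allow through double negation. The `slaves` and `notslaves` ACLs and the address 194.170.1.11 are taken from the post; 203.0.113.9, the key name `tsigkey` as the request signer, and the function names are constructed for the example.

```python
"""First-match evaluation of BIND-style ACLs (constructed model, not BIND's code)."""
import ipaddress

# An ACL element is (negated, term). term is a host/CIDR string, "any",
# ("key", tsig_key_name) or ("acl", nested_acl_name).
ACLS = {
    # acl slaves    { 194.170.1.11; };          (from the post)
    "slaves": [(False, "194.170.1.11")],
    # acl notslaves { !slaves; any; };          (from the post)
    "notslaves": [(True, ("acl", "slaves")), (False, "any")],
}

# allow-transfer { slaves; key tsigkey; };      -> "slaves OR key"
OR_POLICY = [(False, ("acl", "slaves")), (False, ("key", "tsigkey"))]
# allow-transfer { !notslaves; key tsigkey; };  -> "slaves AND key"
AND_POLICY = [(True, ("acl", "notslaves")), (False, ("key", "tsigkey"))]


def element_matches(term, addr, signer, acls):
    """Does a single (un-negated) ACL term match this request?"""
    if term == "any":
        return True
    if isinstance(term, tuple):
        kind, name = term
        if kind == "key":
            # Matches only if the request carries a TSIG signature made with
            # this key; the source address plays no part.
            return signer == name
        if kind == "acl":
            # Nested ACL: only a *positive* first match counts. A negated match
            # inside the nested ACL is treated as "no match", so a negated
            # nested ACL never becomes a surprise allow through double
            # negation (the same rule BIND 9 applies in lib/dns/acl.c).
            return match_acl(acls[name], addr, signer, acls) > 0
        raise ValueError(f"unknown term {term!r}")
    return ipaddress.ip_address(addr) in ipaddress.ip_network(term, strict=False)


def match_acl(elements, addr, signer, acls=ACLS):
    """Walk the list left to right; the first element that matches decides.

    Returns +1 (positive match), -1 (negated match) or 0 (nothing matched).
    """
    for negated, term in elements:
        if element_matches(term, addr, signer, acls):
            return -1 if negated else 1
    return 0


def allowed(policy, addr, signer=None, acls=ACLS):
    """allow-transfer semantics: permit only on a positive match, deny otherwise."""
    return match_acl(policy, addr, signer, acls) > 0


def decision_table(policy):
    """Evaluate a policy for the four request types that matter here."""
    cases = [
        ("194.170.1.11", None),       # slave address, unsigned
        ("194.170.1.11", "tsigkey"),  # slave address, signed with tsigkey
        ("203.0.113.9", None),        # stranger, unsigned (constructed address)
        ("203.0.113.9", "tsigkey"),   # stranger who somehow holds the key
    ]
    return {(addr, signer): allowed(policy, addr, signer) for addr, signer in cases}


if __name__ == "__main__":
    for text, policy in (("slaves; key tsigkey;", OR_POLICY),
                         ("!notslaves; key tsigkey;", AND_POLICY)):
        print(f"allow-transfer {{ {text} }};")
        for (addr, signer), ok in decision_table(policy).items():
            print(f"  {addr:<14} signer={str(signer):<8} -> {'allow' if ok else 'deny'}")
```

Running it shows why the two forms are not interchangeable: under `{ slaves; key tsigkey; }` an unsigned request from the slave address is accepted, and a request signed with the key is accepted from any address, because either element alone produces a positive match. Under `{ !notslaves; key tsigkey; }` a non-slave address hits the negated element first and is denied before the key is even looked at, while a slave address falls through `!notslaves` (a negative match inside `notslaves` is not a match) and is then accepted only if it is signed. The model also shows what `! notslave == slaves` gets wrong in ACL terms: `!notslaves` on its own allows nobody at all, since a negated element can only deny.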