key and ip address
Ian Watts
ian at radix.net
Sun Feb 18 00:07:55 UTC 2001
Ah, the old double-negative... Thanks for the suggestion. It works, too,
and makes it significantly simpler to limit updates to a single IP address
AND require a key. So we have something like:
acl not-local { ! 10.9.8.7; any; };
allow-update { ! not-local; key key_name; };
rather than:
acl not-local {
! 0/5;
! 8/7;
! 11/8;
! 12/6;
! 16/4;
! 32/3;
! 64/2;
! 128/1;
};
allow-update { not-local; key key_name; };
and that's only limiting it to the whole 10/8; limiting to a single
address would make this a lot less tidy than I prefer.
I only tried this on BIND 8.
-- Ian
On Fri, 16 Feb 2001, Cricket Liu wrote:
>
> > > > Is that the only way, or is there another way to phrase the addresses to
> > > > include, for example, blocks of class A addresses to keep our match list a
> > > > reasonable size? Let's say I'd like to block everything but 10/8
> > > > addresses, then accept by key.
> > >
> > > Wouldn't
> > >
> > > acl "not-10" {
> > > ! 10/8;
> > > key-name;
> > > };
> > >
> > > do what you want?
> >
> > But that would deny updates from 10/8 and he said he wanted to block
> > everything but 10/8.
>
> Yes, I misinterpreted what Ian wrote.
>
> > What I would try is:
> >
> > acl not-me { ! 10/8; any; };
> > allow-update { ! not-me; key keyname; };
>
> Good idea.
>
> cricket
>
>
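The evaluator below is an added illustration, not code from Ian's or Cricket's messages and not BIND's own matching code. It models the address-match-list rules as documented for BIND 9 (first match wins; a negated match denies; a negated hit inside a nested ACL counts as "no match" for the enclosing list), taken here as an assumption since the thread was about BIND 8, and replays the two configurations from the thread against constructed source addresses. It shows why the double negative works: 10.9.8.7 falls through `! not-local` to the key element, while any other address matches `any` inside not-local and is denied there before the key is ever considered.

```python
import ipaddress

# Added example (not from the bind-users thread, not BIND source code).
# Match-list semantics modeled, assumed from the BIND 9 documentation:
#   * elements are tried in order and the first one that matches decides;
#   * a negated element that matches yields a negative result (deny);
#   * a nested ACL matches only on a positive result; a negative result
#     inside it is treated as "no match", so evaluation continues;
#   * if nothing matches, the result is "no match" (deny for allow-update).
# Element encoding: (negated, term) where term is one of
#   "any", "10.9.8.7", "10/8", ("key", "name"), ("acl", "name").  IPv4 only.


def _expand_prefix(term):
    """Turn BIND's short prefix notation ("10/8", "0/5") into an IPv4 network."""
    if "/" in term:
        octets, plen = term.split("/")
        parts = octets.split(".") + ["0"] * 4
        return ipaddress.ip_network(".".join(parts[:4]) + "/" + plen, strict=False)
    return ipaddress.ip_network(term)


def _element_matches(acls, term, addr, signer):
    """True if the element's term itself matches; negation is handled by the caller."""
    if term == "any":
        return True
    if isinstance(term, tuple):
        kind, name = term
        if kind == "key":
            return signer == name          # request signed with this TSIG key?
        if kind == "acl":
            return match_list(acls, name, addr, signer) > 0   # positive hits only
        raise ValueError("unknown element kind: %s" % kind)
    return addr in _expand_prefix(term)


def match_list(acls, name, addr, signer=None):
    """First-match evaluation of acls[name]. Returns +i for a positive match on
    element i (1-based), -i for a negated match, 0 when nothing matched."""
    addr = ipaddress.ip_address(addr)
    for i, (negated, term) in enumerate(acls[name], start=1):
        if _element_matches(acls, term, addr, signer):
            return -i if negated else i
    return 0


def update_allowed(acls, addr, signer=None):
    """allow-update decision: only a positive match permits the update."""
    return match_list(acls, "allow-update", addr, signer) > 0


# Ian's configuration, with the address and key name as written in the post:
#   acl not-local { ! 10.9.8.7; any; };
#   allow-update { ! not-local; key key_name; };
IAN = {
    "not-local": [(True, "10.9.8.7"), (False, "any")],
    "allow-update": [(True, ("acl", "not-local")), (False, ("key", "key_name"))],
}

# Cricket's first suggestion, modeled as if used directly as the update list:
#   allow-update { ! 10/8; key key-name; };
# This denies 10/8 and accepts keyed updates from everywhere else.
CRICKET_FIRST = {
    "allow-update": [(True, "10/8"), (False, ("key", "key-name"))],
}

if __name__ == "__main__":
    # Constructed sample requests: (source address, signing key or None)
    for addr, signer in [("10.9.8.7", "key_name"), ("10.9.8.7", None),
                         ("192.0.2.5", "key_name")]:
        print(addr, signer, "->", update_allowed(IAN, addr, signer))
```

The sign of the value returned by match_list tells you which element decided the outcome: for 192.0.2.5 with a valid key it is -1, meaning the negated nested ACL matched and the key element was never reached, which is exactly the "single address AND a key" property Ian wanted.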