using acls in also-notify doesn't work -- alternative?
Barry Margolin
barmar at alum.mit.edu
Fri Nov 5 13:10:05 UTC 2004
In article <cmfesq$2odg$1 at sf1.isc.org>, Phil Dibowitz <phil at usc.edu>
wrote:
> On Fri, Nov 05, 2004 at 12:16:13AM -0500, Barry Margolin wrote:
> > In article <cmeios$9qp$1 at sf1.isc.org>, Phil Dibowitz <phil at usc.edu>
> > wrote:
> >
> > > Thanks. That'll work (well, I'm going to try it, anyway). But more
> > > fundamentally I'm wondering _why_ acls don't work there. Should they? Is
> > > this a bug/feature?
> > >
> > > Cause that's kinda what the acls are there for, no?
> >
> > No. ACLs are like wildcards -- they can be used to match against. You
> > can put networks in ACLs, but it's unlikely that you would want to
> > notify all the machines on a network.
>
> But you can do stuff like:
>
> acl foo { 1.2.3.4; 1.2.3.5; };
> ...
> allow-query { foo; };
>
> So what's the difference between that and:
>
> acl foo { 1.2.3.4; 1.2.3.5; };
> ...
> also-notify { foo; };
>
> ? They seem the same to me, yet the first one works and the second one
> doesn't.

What if the ACL contained 1.2.3.0/24? That's a wildcard that matches
all 1.2.3.x addresses. The server can easily match incoming addresses
against that, but it's not as sensible to send notifications to all
those addresses.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
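
The distinction drawn in this message, as an added example that is not part of the original post and is not BIND's code: the same element list is evaluated once as a match list (the `allow-query` use) and once as a list of destinations (the `also-notify` use). The function names are hypothetical, only IP and prefix elements are handled, and the first-match and `!` negation handling follows BIND's documented address match list behaviour.

```python
import ipaddress

def parse_acl(text):
    """Parse elements such as '!1.2.3.9; 1.2.3.0/24;' into (negated, network) pairs."""
    elems = []
    for tok in (t.strip() for t in text.split(";")):
        if not tok:
            continue
        negated = tok.startswith("!")
        net = ipaddress.ip_network(tok.lstrip("! "), strict=False)
        elems.append((negated, net))
    return elems

def acl_allows(elems, addr):
    """Match-list use: test one incoming address; the first matching element decides."""
    ip = ipaddress.ip_address(addr)
    for negated, net in elems:
        if ip in net:
            return not negated
    return False  # nothing matched

def notify_targets(elems):
    """Destination-list use: every element has to name exactly one host."""
    targets = []
    for negated, net in elems:
        if negated:
            raise ValueError(f"negated element !{net} names no destination")
        if net.num_addresses != 1:
            raise ValueError(f"{net} covers {net.num_addresses} addresses, not one host")
        targets.append(str(net.network_address))
    return targets

if __name__ == "__main__":
    # Constructed sample lists, using the addresses quoted in the thread.
    foo = parse_acl("1.2.3.4; 1.2.3.5;")
    wide = parse_acl("!1.2.3.9; 1.2.3.0/24;")
    print(acl_allows(foo, "1.2.3.4"), notify_targets(foo))
    print(acl_allows(wide, "1.2.3.200"), acl_allows(wide, "1.2.3.9"))
    try:
        notify_targets(wide)
    except ValueError as exc:
        print("not usable as a notify list:", exc)
```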