nsupdate ACL based on a key AND ip-subnet

Jonathan Petersson jpetersson at garnser.se
Mon Nov 17 19:53:05 UTC 2008


Yeah, kinda makes sense, thanks!

/Jonathan

On Mon, Nov 17, 2008 at 11:28 AM, Evan Hunt <Evan_Hunt at isc.org> wrote:

> > >  allow-update { !{!10/8;any;}; key update-key; };
> >
> > Wouldn't this still permit any client on the 10/8 subnet to update the
> > zones?
>
> It's very confusing syntax, but no.
>
> You're probably thinking in boolean algebra (I did too, when I first
> encountered this).  If it were boolean algebra, you could redistribute
> the negatives: "!{!10/8; any;}" becomes "{!!10/8; !any;}" and then
> simplifies to "{10/8; none;}".
>
> But ACLs aren't boolean, so you can't do that.  Each element has three
> possible results not two: match and accept, match and reject, or "no
> match", which means continue processing.
>
> When an ordinary ACL element matches and is negated (for example, the
> element is "!10/8;" and the address is 10.0.0.1) that means "match and
> reject".  But if the match is inside of a *nested* ACL, then it's treated
> differently:  A negative result means "the nested ACL didn't match"--and
> so you continue processing.
>
> So if you're checking address A against an ACL of one of the following
> forms, these will be the results:
>
>    {     A;    B; }   == A is allowed, accept immediately
>    {  {  A; }; B; }   == A is allowed, accept immediately
>    {    !A;    B; }   == A is forbidden, reject immediately
>    { !{  A; }; B; }   == A is forbidden, reject immediately
>    {  { !A; }; B; }   == A matched but was negated, try element B
>    { !{ !A; }; B; }   == A matched but was negated, try element B
>
> Those last two lines there are confusingly similar (and, as written,
> useless).  The difference is what happens if you're checking an address
> *other* than A, and something else in the nested ACL matches it.
>
>    {  { !A; any; }; B; }  == any address other than A is accepted at once,
>                              but A is only accepted if B matches too.
>                              boolean translation: ((not A) or (A and B))
>
>    { !{ !A; any; }; B; }  == any address other than A is *rejected* at once,
>                              but A is accepted as long as B matches too.
>                              boolean translation: (A and B)
>
> Hope that's helpful.  (*I* find it hard to keep this syntax straight, and I
> wrote a big chunk of the code that implements it in BIND 9.5...)
>
> --
> Evan Hunt -- evan_hunt at isc.org
> Internet Systems Consortium, Inc.
>
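Evan's three-valued evaluation, modelled in Python as an added example (this is not BIND's code): a small parser for the `{ ...; }` list syntax and an evaluator that treats a REJECT produced inside a nested ACL as "no match". It assumes IPv4 prefixes in BIND's short form (`10/8`) and `key NAME` elements, and models the request as a source address plus the name of the TSIG key it was signed with.

```python
import ipaddress
import re

ACCEPT, REJECT, NO_MATCH = "accept", "reject", "no-match"

def parse(text):
    """Parse `{ elem; !{ nested; }; key name; }` into (negated, value) pairs."""
    tokens = re.findall(r"[{};!]|key\s+[^\s;{}]+|[^\s{};!]+", text)
    pos = 0
    def block():                      # parse from "{" to its matching "}"
        nonlocal pos
        elems, pos = [], pos + 1
        while tokens[pos] != "}":
            neg = tokens[pos] == "!"
            pos += neg                # bool adds 1 when a "!" was consumed
            if tokens[pos] == "{":
                elems.append((neg, block()))          # nested ACL -> list
            else:
                elems.append((neg, tokens[pos]))      # plain element -> str
                pos += 1
            pos += 1                  # skip ";"
        pos += 1                      # skip "}"
        return elems
    return block()

def _plain_matches(value, addr, key):
    """Match a plain element: any, none, "key NAME", or an IPv4 prefix."""
    if value in ("any", "none"):
        return value == "any"
    if value.startswith("key"):
        return key == value[3:].strip()
    net, _, bits = value.partition("/")          # expand BIND's "10/8" form
    net = ".".join((net.split(".") + ["0"] * 4)[:4])
    network = ipaddress.ip_network(f"{net}/{bits or 32}", strict=False)
    return ipaddress.ip_address(addr) in network

def evaluate(acl, addr, key=None):
    """Walk acl in order and return ACCEPT, REJECT or NO_MATCH."""
    for negate, value in acl:
        # A nested ACL "matches" only when it evaluates to ACCEPT; a REJECT
        # produced inside it counts as no match, so the outer walk continues.
        matched = (evaluate(value, addr, key) == ACCEPT if isinstance(value, list)
                   else _plain_matches(value, addr, key))
        if matched:
            return REJECT if negate else ACCEPT
    return NO_MATCH

def allowed(acl_text, addr, key=None):
    """True only on an explicit ACCEPT; no match at the top level is a denial."""
    return evaluate(parse(acl_text), addr, key) == ACCEPT
```

Running `allowed("{ !{ !10/8; any; }; key update-key; }", addr, key)` gives True only for a 10/8 source that also presents `update-key`, which is Evan's "(A and B)".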