BIND9 Feature Request: inheritance-policy
Tony Finch
dot at dotat.at
Thu May 27 20:27:10 UTC 2021
JW λ John Woodworth <jw at pcthink.com> wrote:
> Greetings, I would like to request a new feature which I hope will make
> management of the 'allow' match-lists a tad easier.In short, an option
> such as 'allow-transfer' in view or zone contexts could extend the
> match-list as defined in the options section.
You can sort of do what you want already, by defining named ACLs. ACLs can
refer to named ACLs: you can include a named ACL or exclude it. For
example, in my production config, I have some acl clauses roughly like the
ones outlined below.
I like named ACLs and named "masters" lists because they allow our config
generation scripts to use symbolic names to describe a zone's config:
query and xfer ACLs, upstream xfer sources, downstream notify targets. And
when I look at the generated config I see the same symbolic names, so I
have a reasonably consistent and simple vocabulary from the source of all
knowledge through to the run-time config. (And the logs when I have
persuaded the other end to do TSIG!)
acl cudn {
# cambridge university data network address ranges
};
acl mythic {
# mythic beasts xfer and auth servers
};
acl secondaries {
cudn;
mythic;
# some xfers allowed by key instead of address
key tsig-maths;
key tsig-imperial;
};
zone cam.ac.uk {
# blah blah
allow-query { any; };
allow-transfer { secondaries; };
};
zone private.cam.ac.uk {
# etc usw
allow-query { cudn; };
allow-transfer { cudn; };
};
Tony.
--
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
work to the benefit of all
More information about the bind-users
mailing list