key and ip address

Alexander Ottl aottl at mpmail.net
Fri Feb 16 23:12:27 UTC 2001


Cricket Liu wrote:
> 
> > Thanks for the advice!  What I MEANT to ask, though, was how to best do
> > what Mark suggested - deny updates from everybody else and require a key
> > from whatever isn't denied, our own server(s).  The only thing that comes
> > to mind involves a lot of "not" lines before the key requirement.
> 
> Yeah, I think that's true.
> 
> > Is that the only way, or is there another way to phrase the addresses to
> > include, for example, blocks of class A addresses to keep our match list a
> > reasonable size?  Let's say I'd like to block everything but 10/8
> > addresses, then accept by key.
> 
> Wouldn't
> 
> acl "not-10" {
>     ! 10/8;
>     key-name;
> };
> 
> do what you want?
> 
> cricket

But that would deny updates from 10/8 and he said he wanted to block
everything but 10/8.

What I would try is:

acl not-me { ! 10/8; any; };
allow-update { ! not-me; key keyname; };

I'm presuming that a negated match in a nested acl is treated like no
match at all. Which is what lib/dns/acl.c from 9.1.1rc1 says.

What still worries me is this statement from 9.1.1rc1 doc/misc/options:
  @         Semantics of certain pathological address match lists, in
            particular those involving double negation, have changed.
            The new semantics are generally safer....

So maybe the solution is different in BIND8 and BIND9. I certainly hope
acl semantics will be documented in more detail in BIND9. I hate it when
I have to read the source :-)


-- 
Alexander Ottl
Media Professionals AG           Tel.: +49 (89) 51554-169
Bayerstrasse 21                  Fax : +49 (89) 51554-199
D-80335 Muenchen - Germany       http://www.media-professionals.de
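To make the difference between the two proposals concrete, here is an added example (not code from the post, from Cricket Liu, or from BIND itself) that models BIND 9.1's address-match-list evaluation in Python: elements are tried in order and the first one that matches decides, a `!` element matching yields a negative result, and, per the lib/dns/acl.c rule quoted above, a nested acl that matches negatively counts as no match at all. The `not-10` and `not-me` acls, the 10/8 prefix and the key name `keyname` come from the thread; the key element is spelled `key keyname` because that is how BIND's match-list grammar names a key (a bare `key-name;` would be read as a reference to an acl of that name), and the request tuple (source address, signing key or unsigned) is an assumption of the model. The model follows the BIND 9.1.1 semantics only; as the post notes, BIND 8 may differ.

```python
"""Model of BIND 9.1 address-match-list evaluation (first match wins).

Added example, not code from the bind-users post or from BIND.  It
reproduces the rule the post cites from lib/dns/acl.c in 9.1.1rc1:
a negative match inside a nested acl is treated as "no match", so
evaluation continues with the next element of the outer list.
"""
import ipaddress
from typing import Optional


def _to_network(text: str) -> ipaddress.IPv4Network:
    """Expand BIND's short prefix form ("10/8") into "10.0.0.0/8"."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/" + (plen or "32"))


def parse_match_list(text: str) -> list:
    """Parse 'elem; elem; ...' into ordered (negated, kind, value) tuples.

    kinds: 'any', 'prefix' (IPv4Network), 'key' (key name), 'acl' (nested acl).
    """
    elements = []
    for raw in text.split(";"):
        tok = raw.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        tok = tok.lstrip("!").strip()
        if tok == "any":
            elements.append((negated, "any", None))
        elif tok.startswith("key "):
            elements.append((negated, "key", tok[4:].strip()))
        elif tok[0].isdigit():
            elements.append((negated, "prefix", _to_network(tok)))
        else:
            elements.append((negated, "acl", tok))
    return elements


def match(elements: list, addr: ipaddress.IPv4Address,
          signer: Optional[str], acls: dict) -> int:
    """First-match-wins, like dns_acl_match(): +n for a positive match on
    element n (1-based), -n for a match on a negated element, 0 for none."""
    for n, (negated, kind, value) in enumerate(elements, start=1):
        if kind == "any":
            hit = True
        elif kind == "prefix":
            hit = addr in value
        elif kind == "key":
            hit = signer == value
        else:  # nested acl
            # 9.1.1rc1 rule the post relies on: a *negative* match inside a
            # nested acl is "no match", so the outer list moves on.
            hit = match(acls[value], addr, signer, acls) > 0
        if hit:
            return -n if negated else n
    return 0


def update_allowed(allow_update: str, src: str, signer: Optional[str],
                   acls: dict) -> bool:
    """Would named accept an update from src signed with `signer` (None = unsigned)?"""
    elements = parse_match_list(allow_update)
    return match(elements, ipaddress.IPv4Address(src), signer, acls) > 0


# acl bodies from the thread, as constructed named.conf fragments
ACLS = {
    # Cricket Liu's suggestion (key element spelled with the 'key' keyword)
    "not-10": parse_match_list("! 10/8; key keyname;"),
    # Alexander Ottl's proposal
    "not-me": parse_match_list("! 10/8; any;"),
}

# the two candidate allow-update lists
CRICKET = "not-10;"                 # allow-update { not-10; };
OTTL = "! not-me; key keyname;"     # allow-update { ! not-me; key keyname; };

if __name__ == "__main__":
    for name, policy in (("not-10", CRICKET), ("!not-me + key", OTTL)):
        for src in ("10.1.2.3", "192.0.2.1"):
            for signer in ("keyname", None):
                verdict = "allow" if update_allowed(policy, src, signer, ACLS) else "deny"
                print(f"{name:14} {src:10} {signer or 'unsigned':9} -> {verdict}")
```

Running it shows the inversion the post points out: with `not-10` a signed update from 10.1.2.3 is denied (the inner `! 10/8` matches negatively, which the nested-acl rule turns into no match, so the outer element never matches) while a signed update from 192.0.2.1 is allowed; with `! not-me; key keyname;` a signed update from 10/8 is allowed, an unsigned one from 10/8 is denied, and anything from outside 10/8 is denied whether signed or not, which is the policy asked for.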

