ACL and keys
Mark_Andrews at isc.org
Thu Aug 28 00:37:18 UTC 2003
> Forgive my boolean logic but

You are not dealing with boolean logic. You are dealing with acls.

> (slaves OR tsig)
>
> is identical to
>
> (not (not(slaves)) OR tsig)

	allow-transfer {
		!notslaves;	// REJECT everything *but* slaves.
				// Only slaves are left at this point in time.
		key tsigkey;	// ACCEPT any requests with this signature.
				// reject the rest.
	};

>
> So I don't see how the statement equates to
>
> (Slaves AND slaves-with-tsig-key)
>
> > > Why can't you use
> > >
> > > allow-transfer ( slaves; key tsigkey;};
> > >
> >
> > That is allow "slaves" *or* allow "key tsigkey".
> >
> > > ?????
> > >
> > > As ! notslave == slaves
> >
> > acl slaves {
> > 194.170.1.11;
> > };
> >
> > acl notslaves {
> > !slaves; any;
> > };
> >
> > allow-transfer { !notslaves; key tsigkey;};
> >
> > This denies everyone but slaves, then allows those with this key.
> >
> > Acls are parsed on a first match basis.
> >
> > Mark
> > --
> > Mark Andrews, Internet Software Consortium
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
> >
>
>
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
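
An added illustration (not part of the original message and not BIND's own code): a small Python model of first-match ACL evaluation that compares the two allow-transfer forms discussed in the thread. It assumes that a negative match inside a nested ACL counts as "no match" for the element that references it; the 192.0.2.50 address and the request list are constructed.

```python
# Toy model of first-match address-match-list evaluation (added example).
# Assumption: a negative match inside a nested ACL counts as "no match" for
# the element that references it, so double negation never yields an accept.
import ipaddress

ACLS = {
    "slaves": ["194.170.1.11"],        # address from the message
    "notslaves": ["!slaves", "any"],
}

def match(elements, addr, key):
    """Return +1 (accept), -1 (reject) or 0 (no element matched)."""
    for elem in elements:
        negated = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name.startswith("key "):
            hit = key == name[4:].strip()
        elif name in ACLS:
            hit = match(ACLS[name], addr, key) > 0   # nested: only a positive counts
        else:
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(name)
        if hit:
            return -1 if negated else 1              # first match decides
    return 0

def allowed(elements, addr, key=None):
    return match(elements, addr, key) > 0            # no match at all means denied

OR_FORM = ["slaves", "key tsigkey"]        # slaves OR key
AND_FORM = ["!notslaves", "key tsigkey"]   # slaves AND key

# Constructed requests: (source address, TSIG key name or None)
REQUESTS = [
    ("194.170.1.11", "tsigkey"),
    ("194.170.1.11", None),
    ("192.0.2.50", "tsigkey"),
    ("192.0.2.50", None),
]

def table(elements):
    return [allowed(elements, a, k) for a, k in REQUESTS]

if __name__ == "__main__":
    for (a, k), o, n in zip(REQUESTS, table(OR_FORM), table(AND_FORM)):
        print(f"{a:14} key={k!s:8} or-form={o!s:5} and-form={n}")
```

In this model the OR form accepts an unsigned request from the slave address and a signed request from any address, while the `!notslaves` form accepts only a signed request from the slave address.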