ACL and keys

Mark_Andrews at isc.org Mark_Andrews at isc.org
Fri Aug 29 23:51:17 UTC 2003


> So...do the ACL 'rules' read left to right ???

	yes. (first match)
 
> DJ
> 
> <Mark_Andrews at isc.org> wrote in message news:bijjcf$b0s$1 at sf1.isc.org...
> >
> > > Forgive my boolean logic but
> >
> > You are not dealing with boolean logic.  You are dealing
> > with acls.
> >
> > > (slaves OR tsig)
> > >
> > > is identical to
> > >
> > > (not (not(slaves)) OR tsig)
> >
> > allow-transfer {
> > !notslaves;   // REJECT everything *but* slaves.
> >
> > // Only slaves are left at this point in time.
> >
> > key tsigkey;  // ACCEPT any requests with this signature.
> >
> > // reject the rest.
> >
> > };
> > >
> > > So I don't see how the statement equates to
> > >
> > > (Slaves AND slaves-with-tsig-key)
> > >
> > > > > Why can't you use
> > > > >
> > > > > allow-transfer { slaves; key tsigkey;};
> > > > >
> > > >
> > > > That is allow "slaves" *or* allow "key tsigkey".
> > > >
> > > > > ?????
> > > > >
> > > > > As ! notslave == slaves
> > > >
> > > > acl slaves {
> > > >         194.170.1.11;
> > > > };
> > > >
> > > > acl notslaves {
> > > > !slaves; any;
> > > > };
> > > >
> > > > allow-transfer { !notslaves; key tsigkey;};
> > > >
> > > This denies everyone but slaves, then allows those with this key.
> > > >
> > > > Acls are parsed on a first match basis.
> > > >
> > > > Mark
> > > > --
> > > > Mark Andrews, Internet Software Consortium
> > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> > > >
> > >
> > >
> > >
> > --
> > Mark Andrews, Internet Software Consortium
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> >
> 
> 
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
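As an added illustration (not part of Mark's posts or of BIND itself), a small Python model of BIND's first-match ACL evaluation, using the `slaves` and `notslaves` ACLs from the thread. It assumes BIND 9's rule that a negative match inside a referenced (nested) ACL counts as "no match" for the referencing element, which is what makes `{ !notslaves; key tsigkey; }` behave as "slaves AND signed" while `{ slaves; key tsigkey; }` is "slaves OR signed".

```python
# Constructed model of BIND first-match ACL semantics (not BIND's own code).
from ipaddress import ip_address, ip_network

# Named ACLs from the thread; a leading "!" negates an element.
ACLS = {
    "slaves": ["194.170.1.11"],
    "notslaves": ["!slaves", "any"],
}

# The two allow-transfer lists discussed in the thread.
OR_ACL = ["slaves", "key tsigkey"]          # slaves OR signed with tsigkey
AND_ACL = ["!notslaves", "key tsigkey"]     # slaves AND signed with tsigkey

def element_matches(elem, addr, key, acls):
    """True when one un-negated element matches the request (addr, key)."""
    if elem == "any":
        return True
    if elem == "none":
        return False
    if elem.startswith("key "):
        return key == elem[4:].strip()
    if elem in acls:
        # Assumed BIND 9 rule: a nested ACL "matches" only on a positive
        # match; a negative match inside it is treated as no match at all.
        return evaluate(acls[elem], addr, key, acls)
    return ip_address(addr) in ip_network(elem, strict=False)

def evaluate(acl, addr, key=None, acls=ACLS):
    """First-match evaluation: the first matching element decides.
    A matching negated element (!x) means REJECT, a matching plain element
    means ACCEPT, and running off the end means REJECT (BIND's default)."""
    for elem in acl:
        negated = elem.startswith("!")
        target = elem[1:].strip() if negated else elem
        if element_matches(target, addr, key, acls):
            return not negated
    return False

if __name__ == "__main__":
    # Constructed sample requests: the slave from the thread and an outsider.
    for acl_name, acl in (("OR", OR_ACL), ("AND", AND_ACL)):
        for addr, key in (("194.170.1.11", None), ("194.170.1.11", "tsigkey"),
                          ("203.0.113.5", None), ("203.0.113.5", "tsigkey")):
            print(acl_name, addr, key, "->", "ACCEPT" if evaluate(acl, addr, key) else "REJECT")
```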
