ACL and keys

dj drnj at freemail.redherring.co.uk
Mon Sep 1 18:10:37 UTC 2003


You learn something new every day!!

Thanks


<Mark_Andrews at isc.org> wrote in message news:biophd$1q47$1 at sf1.isc.org...
>
> > So...do the ACL 'rules' read left to right ???
>
> yes. (first match)
>
> > DJ
> >
> > <Mark_Andrews at isc.org> wrote in message news:bijjcf$b0s$1 at sf1.isc.org...
> > >
> > > > Forgive my boolean logic but
> > >
> > > You are not dealing with boolean logic.  You are dealing
> > > with acls.
> > >
> > > > (slaves OR tsig)
> > > >
> > > > is identical to
> > > >
> > > > (not (not(slaves)) OR tsig)
> > >
> > > allow-transfer {
> > > !notslaves;   // REJECT everything *but* slaves.
> > >
> > > // Only slaves are left at this point in time.
> > >
> > > key tsigkey;  // ACCEPT any requests with this signature.
> > >
> > > // reject the rest.
> > >
> > > };
> > > >
> > > > So I don't see how the statement equates to
> > > >
> > > > (Slaves AND slaves-with-tsig-key)
> > > >
> > > > > > Why can't you use
> > > > > >
> > > > > > allow-transfer { slaves; key tsigkey; };
> > > > > >
> > > > >
> > > > > That is allow "slaves" *or* allow "key tsigkey".
> > > > >
> > > > > > ?????
> > > > > >
> > > > > > As ! notslave == slaves
> > > > >
> > > > > acl slaves {
> > > > >         194.170.1.11;
> > > > > };
> > > > >
> > > > > acl notslaves {
> > > > > !slaves; any;
> > > > > };
> > > > >
> > > > > allow-transfer { !notslaves; key tsigkey;};
> > > > >
> > > > > This denies everyone but slaves, then allows those with this key.
> > > > >
> > > > > Acls are parsed on a first match basis.
> > > > >
> > > > > Mark
> > > > > --
> > > > > Mark Andrews, Internet Software Consortium
> > > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > > > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> > > > >
> > > >
> > > >
> > > >
> > > --
> > > Mark Andrews, Internet Software Consortium
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> > >
> >
> >
> >
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>
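
The two allow-transfer lists discussed in this thread, run through a small first-match evaluator. This is an added example, not part of the original messages and not BIND code. It assumes that a nested acl counts as a hit only when it matches positively, and 192.0.2.53 is a constructed non-slave address.

```python
# Simplified model of first-match address match list evaluation (added example).
# Each element is (negated, kind, value); kind is "ip", "key", "acl" or "any".
ACLS = {
    "slaves":    [(False, "ip", "194.170.1.11")],
    "notslaves": [(True, "acl", "slaves"), (False, "any", None)],
}

def match(acl, addr, key):
    """Return +1 (accept), -1 (reject) or 0 (no element matched)."""
    for negated, kind, value in acl:
        if kind == "ip":
            hit = addr == value
        elif kind == "key":
            hit = key == value
        elif kind == "any":
            hit = True
        else:
            # Nested acl. Assumption of this model: only a positive inner
            # match is a hit, so a rejection inside the nested acl falls
            # through to the next element instead of becoming an accept.
            hit = match(ACLS[value], addr, key) > 0
        if hit:
            return -1 if negated else 1   # first match wins, stop here
    return 0

def allowed(acl, addr, key=None):
    # Falling off the end of the list rejects the request.
    return match(acl, addr, key) > 0

# allow-transfer { slaves; key tsigkey; };      -> slaves OR key
OR_LIST = [(False, "acl", "slaves"), (False, "key", "tsigkey")]
# allow-transfer { !notslaves; key tsigkey; };  -> slaves AND key
AND_LIST = [(True, "acl", "notslaves"), (False, "key", "tsigkey")]

# Constructed requests: (source address, TSIG key name or None).
CASES = [("194.170.1.11", "tsigkey"), ("194.170.1.11", None),
         ("192.0.2.53", "tsigkey"), ("192.0.2.53", None)]

def table(acl):
    return [allowed(acl, addr, key) for addr, key in CASES]

if __name__ == "__main__":
    for name, acl in (("slaves; key", OR_LIST), ("!notslaves; key", AND_LIST)):
        for (addr, key), ok in zip(CASES, table(acl)):
            print(f"{name:16} {addr:13} key={key!s:8} -> {'accept' if ok else 'reject'}")
```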



