correct syntax for TSIG & IP restrictions for named-ACL versus just IP?

pgngw+dev001+bind-users at f-m.fm
Sun Dec 5 17:10:44 UTC 2010


i've bind9 running as a primary host to a number of bind-and-other
slaves.

i'm trying to set up to use different TSIG keys with different
secondaries.

in my named.conf, i've

	...
	acl acl_slave_1 { 1.1.1.1; };
	acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; };
	...
	zone "test.com" {
	type master; file "/master/test.com.hosts";
	allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
	!{!acl_slave_2;}; key key-slave-2; }; };
	allow-update { none; };
	};
	...
	key "key-slave-1" { algorithm hmac-md5; secret "Cf...g=="; };
	key "key-slave-2" { algorithm hmac-md5; secret "rl...8=="; };

in this conf, IXFR to 1.1.1.1 with TSIG works as expected.  but, *NO*
IXFR occurs to any slave in acl_slave_2{}.

if, however, I change to

	---     allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
	!{!acl_slave_2;}; key key-slave-2; }; };
	+++     allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
	!{!2.2.2.2;}; key key-slave-2; }; };

IXFR to 1.1.1.1 & 2.2.2.2 both occur OK with TSIG.

also, with

	---     allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
	!{!acl_slave_2;}; key key-slave-2; }; };
	+++     allow-transfer { { !{!1.1.1.1;}; key key-slave-1; };
	acl_slave_2; };

IXFR to 1.1.1.1 with TSIG & to all slaves in acl_slave_2{}, without
TSIG, both occur OK.

what's the right syntax for enabling IXFR to the entire TSIG- &
IP-restricted set of hosts in acl_slave_2{}?
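Added example, not code from the post or from BIND: a small model of address-match-list evaluation, used to trace the allow-transfer lists above. It assumes first-match semantics, exact-address comparison only (no prefix lookup), and the rule BIND's ACL code applies to nested lists, namely that a negative result from a nested list counts as "no match" for the element containing it. Under those assumptions the posted acl_slave_2 clause evaluates the same way as the 1.1.1.1 clause (so the model does not reproduce the symptom), and both clauses let any source holding the key transfer, because the inner block has no trailing `any;`; the second list below adds it and is tied to the addresses.

```python
# Minimal model of BIND-style address match lists (added example, not BIND code).
# Element = (negated, kind, value); kind is "ip", "key", "any" or "nested".
def ip(addr, neg=False):    return (neg, "ip", addr)
def key(name):              return (False, "key", name)
def nested(lst, neg=False): return (neg, "nested", lst)
ANY = (False, "any", None)

def match_list(acl, addr, signer):
    """Return +1 (allow), -1 (deny) or 0 (no element matched); first match wins."""
    for negated, kind, value in acl:
        if kind == "ip":
            hit = addr == value
        elif kind == "any":
            hit = True
        elif kind == "key":
            hit = signer == value      # name of the TSIG key that signed the request
        else:
            # Assumed BIND rule: a nested list only "hits" on a positive result.
            # A negative result falls through, so !{ ... } never allows by
            # double negation; it only ever denies or is skipped.
            hit = match_list(value, addr, signer) > 0
        if hit:
            return -1 if negated else 1
    return 0

def allowed(acl, addr, signer=None):
    return match_list(acl, addr, signer) > 0   # no match at all means denied

ACL_SLAVE_2 = [ip(a) for a in ("2.2.2.2", "3.3.3.3", "4.4.4.4", "5.5.5.5")]

def clause(restrict, keyname, with_any):
    """Build { !{ restrict; [any;] }; key keyname; } where restrict is already negated."""
    inner = [restrict] + ([ANY] if with_any else [])
    return nested([nested(inner, neg=True), key(keyname)])

def allow_transfer(with_any):
    return [clause(ip("1.1.1.1", neg=True), "key-slave-1", with_any),
            clause(nested(ACL_SLAVE_2, neg=True), "key-slave-2", with_any)]

POSTED = allow_transfer(with_any=False)    # the allow-transfer list from the post
TIGHTENED = allow_transfer(with_any=True)  # same list with "any;" inside each inner block

if __name__ == "__main__":
    for label, acl in (("posted", POSTED), ("with any;", TIGHTENED)):
        for addr, signer in (("1.1.1.1", "key-slave-1"), ("2.2.2.2", "key-slave-2"),
                             ("2.2.2.2", None), ("9.9.9.9", "key-slave-1")):
            print(f"{label:10} {addr:8} {signer!s:12} -> {allowed(acl, addr, signer)}")
```

9.9.9.9 is a constructed address outside both ACLs; with the posted list it is allowed as soon as it presents key-slave-1, with the tightened list it is refused.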


