correct syntax for TSIG & IP restrictions for named-ACL versus just IP?

Evan Hunt each at isc.org
Sun Dec 5 20:57:46 UTC 2010


> what's the right syntax for enabling IXFR to the entire TSIG- &
> IP-restricted set of hosts in acl_slave_2{}?

I haven't tested this, but I think it will do what you want:

    allow-transfer {
        { !{ !1.1.1.1; any; }; key key1; };
        { !{ !2.2.2.2; !3.3.3.3; !4.4.4.4; any; }; key key2; };
    };

If you want to use named ACLs, then I think you need to define them
backwards, to reject not accept, something like this:

    # pass through any host except slave1 hosts
    acl notslave1 { !1.1.1.1; any; };

    # pass through any host except slave2 hosts
    acl notslave2 { !2.2.2.2; !3.3.3.3; !4.4.4.4; any; };

    allow-transfer {
        { !notslave1; key key1; };
        { !notslave2; key key2; };
        none;
    };

I wrote an explanation of BIND ACLs on this list a few years back that
you may find helpful in explaining the syntactic insanity:

http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
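The reason the negations have to be nested is that a BIND address_match_list is evaluated left to right and the first element that matches decides the result: a plain element accepts, a negated element rejects, and a nested list counts as a match only when it matches positively (an inner negative match is treated as no match, so evaluation just continues). The small Python model below is an added example, not code from the post or from BIND; it implements those rules for the element kinds used above (addresses and prefixes, `key NAME`, `any`, `none`, named ACLs and nested lists) and checks the two configurations from the post against a flat `{ 1.1.1.1; key key1; }` list, which is an OR rather than an AND. Key names `key1`/`key2` and the 1.1.1.1 to 4.4.4.4 addresses are the post's; 5.5.5.5 is a constructed outside address.

```python
import ipaddress
import re

# Tokens of the address_match_list grammar: braces, ';', '!' and bare words.
TOKEN_RE = re.compile(r"\{|\}|;|!|[^\s{};!]+")


def tokenize(text):
    """Strip '#' and '//' comments and split the text into tokens."""
    return TOKEN_RE.findall(re.sub(r"(#|//).*", "", text))


def parse_list(text):
    """Parse one '{ ...; }' list into [(negated, (kind, value)), ...]."""
    tokens = tokenize(text)
    elems, pos = _parse_list(tokens, 0)
    if pos != len(tokens):
        raise ValueError("trailing tokens: %r" % tokens[pos:])
    return elems


def _parse_list(tokens, pos):
    if tokens[pos] != "{":
        raise ValueError("expected '{' at token %d" % pos)
    pos += 1
    elems = []
    while tokens[pos] != "}":
        negated = tokens[pos] == "!"
        if negated:
            pos += 1
        if tokens[pos] == "{":                 # nested list
            inner, pos = _parse_list(tokens, pos)
            elem = ("nested", inner)
        elif tokens[pos] == "key":             # TSIG key element
            elem = ("key", tokens[pos + 1])
            pos += 2
        else:                                  # address, prefix, any, or named ACL
            elem = ("name", tokens[pos])
            pos += 1
        if tokens[pos] != ";":
            raise ValueError("expected ';' at token %d" % pos)
        pos += 1
        elems.append((negated, elem))
    return elems, pos + 1


# Built-in ACLs modelled the way BIND defines them ('none' is '{ !any; }').
BUILTIN_ACLS = {"none": parse_list("{ !any; }")}


def match_list(elems, addr, signer, named):
    """Return +1 (positive match), -1 (negative match) or 0 (no match)."""
    for negated, (kind, value) in elems:
        if kind == "nested":
            # A nested list only counts when it matches positively.
            hit = match_list(value, addr, signer, named) > 0
        elif kind == "key":
            hit = signer == value
        elif value == "any":
            hit = True
        elif value in named:
            hit = match_list(named[value], addr, signer, named) > 0
        else:
            net = ipaddress.ip_network(value, strict=False)
            hit = ipaddress.ip_address(addr) in net
        if hit:
            return -1 if negated else 1
    return 0


def allowed(elems, addr, signer=None, named=None):
    """True when the request (source address, TSIG signer or None) is accepted."""
    acls = dict(BUILTIN_ACLS, **(named or {}))
    return match_list(elems, addr, signer, acls) > 0


# The inline form from the post.
POST_ALLOW_TRANSFER = parse_list("""
    {
        { !{ !1.1.1.1; any; }; key key1; };
        { !{ !2.2.2.2; !3.3.3.3; !4.4.4.4; any; }; key key2; };
    }
""")

# The named-ACL form from the post.
NAMED_ACLS = {
    "notslave1": parse_list("{ !1.1.1.1; any; }"),
    "notslave2": parse_list("{ !2.2.2.2; !3.3.3.3; !4.4.4.4; any; }"),
}
NAMED_ALLOW_TRANSFER = parse_list("""
    { { !notslave1; key key1; }; { !notslave2; key key2; }; none; }
""")

# The flat list people usually try first: it reads as "address OR key".
NAIVE_ALLOW_TRANSFER = parse_list("{ 1.1.1.1; key key1; }")

# Constructed requests: (source address, TSIG signer). 5.5.5.5 is an outsider.
REQUESTS = [("1.1.1.1", "key1"), ("1.1.1.1", None), ("1.1.1.1", "key2"),
            ("3.3.3.3", "key2"), ("5.5.5.5", "key1")]


def decisions(elems, named=None):
    """Map each sample request to the accept/deny decision of one list."""
    return {req: allowed(elems, req[0], req[1], named) for req in REQUESTS}


if __name__ == "__main__":
    for label, acl, named in [("inline", POST_ALLOW_TRANSFER, None),
                              ("named", NAMED_ALLOW_TRANSFER, NAMED_ACLS),
                              ("flat", NAIVE_ALLOW_TRANSFER, None)]:
        print(label, decisions(acl, named))
```

Both of the post's forms give the same answers: a transfer is accepted only from a slave address signed with that slave's own key, while the flat list also accepts an unsigned request from 1.1.1.1 and a `key1`-signed request from anywhere.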


