key and ip address

Ian Watts ian at radix.net
Sun Feb 18 00:07:55 UTC 2001


Ah, the old double-negative...  Thanks for the suggestion.  It works, too,
and makes it significantly simpler to limit updates to a single IP address
AND require a key.  So we have something like:

acl not-local { ! 10.9.8.7; any; };
allow-update { ! not-local; key key_name; };

rather than:

acl not-local {
	! 0/5;
	! 8/7;
	! 11/8;
	! 12/6;
	! 16/4;
	! 32/3;
	! 64/2;
	! 128/1;
};
allow-update { not-local; key key_name; };

and that's only limiting it to the whole 10/8; limiting to a single
address would make this a lot less tidy than I prefer.  

I only tried this on BIND 8. 


-- Ian



On Fri, 16 Feb 2001, Cricket Liu wrote:

> 
> > > > Is that the only way, or is there another way to phrase the addresses
> to
> > > > include, for example, blocks of class A addresses to keep our match
> list a
> > > > reasonable size?  Let's say I'd like to block everything but 10/8
> > > > addresses, then accept by key.
> > >
> > > Wouldn't
> > >
> > > acl "not-10" {
> > >     ! 10/8;
> > >     key-name;
> > > };
> > >
> > > do what you want?
> >
> > But that would deny updates from 10/8 and he said he wanted to block
> > everything but 10/8.
> 
> Yes, I misinterpreted what Ian wrote.
> 
> > What I would try is:
> >
> > acl not-me { ! 10/8; any; };
> > allow-update { ! not-me; key keyname; };
> 
> Good idea.
> 
> cricket
> 
> 
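As an added illustration (not part of the thread), a small Python model of address-match-list evaluation showing why the double-negative form grants updates only to 10.9.8.7 signed with key_name. The evaluation rules it encodes are an assumption, simplified from BIND 9's behaviour (first matching element decides, a matched "!" element denies, a nested ACL name matches only when the inner list matches positively); the addresses and key name are the ones from the post.

```python
import ipaddress

# Constructed model of the ACLs from the post.
ACLS = {
    "not-local": ["! 10.9.8.7", "any"],
}
ALLOW_UPDATE = ["! not-local", "key key_name"]


def _addr_hit(src, item):
    """Match BIND's shorthand prefixes such as '10/8' or a bare address."""
    net, _, bits = item.partition("/")
    net = net + ".0" * (3 - net.count("."))        # '10' -> '10.0.0.0'
    return src in ipaddress.ip_network(f"{net}/{bits or 32}", strict=False)


def match_list(elements, src_ip, signer):
    """Return True (allow), False (deny) or None (nothing matched).

    Assumed semantics: elements are tested in order and the first match
    decides; a '!' element that matches yields a deny; a nested ACL only
    counts as a match when the inner list returns a positive match.
    """
    src = ipaddress.ip_address(src_ip)
    for element in elements:
        negated = element.startswith("!")
        item = element.lstrip("! ")
        if item == "any":
            hit = True
        elif item.startswith("key "):
            hit = signer is not None and signer == item.split(None, 1)[1]
        elif item in ACLS:
            hit = match_list(ACLS[item], src_ip, signer) is True
        else:
            hit = _addr_hit(src, item)
        if hit:
            return not negated
    return None


def update_allowed(src_ip, signer=None):
    """True only when allow-update ends in a positive match."""
    return match_list(ALLOW_UPDATE, src_ip, signer) is True


if __name__ == "__main__":
    for ip, key in [("10.9.8.7", "key_name"), ("10.9.8.7", None),
                    ("10.1.1.1", "key_name"), ("192.0.2.1", "key_name")]:
        print(ip, key, "->", "allow" if update_allowed(ip, key) else "deny")
```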