ACL and keys

dj drnj at freemail.redherring.co.uk
Tue Aug 26 19:45:54 UTC 2003


"Ladislav Vobr" <lvobr at ies.etisalat.ae> wrote in message
news:bi5hgg$euh$1 at sf1.isc.org...
> thanks for the info, I found the link with Mark's comment. Kevin posted
> a confusing one, where there is no "any" statement in the notslaves acl, which
> is crucial. btw very elegant solution. I knew address_match_lists are
> processed in order, but that acls are as well, this is a little hidden :-)
>
> posting the full link for everybody who is searching.
>
> http://marc.theaimsgroup.com/?l=bind-users&m=100142567531837&w=2
>
> my tested config now
>
> acl slaves {
>          194.170.1.11;
> };
>
> include "sharedsecret.txt";
>
> acl notslaves { ! slaves; any; };
>
> options {
>         directory "/usr/local/dns/ns0.bind-8.3.6/zones";
>         datasize 20M;
>         listen-on { 194.170.1.12; };
>         allow-transfer { ! notslaves; key tsigkey.; };
>
> and only 194.170.1.11 and only with TSIG key is allowed.
>
> Ladislav
>
>
> Jim Reid wrote:
>
> >>>>>>"Ladislav" == Ladislav Vobr <lvobr at ies.etisalat.ae> writes:
> >>>>>>
> >>>>>>
> >
> >    Ladislav> aha, I basically in this example want only 194.170.1.11
> >    Ladislav> but only when it has a valid key, then nobody
> >    Ladislav> else.... with or without keys or with the same or
> >    Ladislav> different ip....
> >
> >An example of how to combine IP addresses with a TSIG key for access
> >control was posted to this list a few months ago. This explained how
> >to provide an ACL that requires the client to have an acceptable IP
> >address AND a valid TSIG key. Consult the list archives.
> >
> >
> >
>
>
Why can't you use

allow-transfer { slaves; key tsigkey; };

?????

As ! notslaves == slaves
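The two allow-transfer lists from this thread evaluated side by side, as an added example that is not part of any message above. It models BIND's address_match_list rules as BIND 9 applies them (first match decides, "!" turns a match into a deny, and a negative match inside a nested acl is treated as no match by the enclosing list); the thread's server is BIND 8.3.6, so that last rule is an assumption here, and the 10.0.0.7 client is a constructed value.

```python
# Model of BIND address_match_list evaluation (added example, not BIND code).
# Assumed rules: first match decides; "!" makes a match a deny; a negative
# match inside a nested acl counts as "no match" for the enclosing element.
import ipaddress

def match(element, client_ip, client_key, acls):
    """Return +1 (match), -1 (negated match) or 0 (no match) for one element."""
    negated = element.startswith("!")
    name = element.lstrip("! ")
    if name == "any":
        hit = True
    elif name.startswith("key "):
        # Key names are domain names, so "tsigkey." and "tsigkey" are the same.
        hit = client_key == name[4:].rstrip(".")
    elif name in acls:
        # Nested acl: only a positive inner result makes this element match.
        hit = evaluate(acls[name], client_ip, client_key, acls) > 0
    else:
        net = ipaddress.ip_network(name, strict=False)
        hit = ipaddress.ip_address(client_ip) in net
    if not hit:
        return 0
    return -1 if negated else 1

def evaluate(amlist, client_ip, client_key, acls):
    """The first element that matches (positively or negatively) decides."""
    for element in amlist:
        result = match(element, client_ip, client_key, acls)
        if result:
            return result
    return 0

def allowed(amlist, client_ip, client_key, acls):
    return evaluate(amlist, client_ip, client_key, acls) > 0

ACLS = {"slaves": ["194.170.1.11"], "notslaves": ["!slaves", "any"]}
AND_LIST = ["!notslaves", "key tsigkey."]   # Ladislav's tested config
OR_LIST = ["slaves", "key tsigkey."]        # the list proposed in the reply

# Constructed clients: the real slave and an unrelated host, with/without the key.
CLIENTS = [("194.170.1.11", "tsigkey"), ("194.170.1.11", None),
           ("10.0.0.7", "tsigkey"), ("10.0.0.7", None)]

def transfer_table(amlist):
    """Map (client_ip, key_used) -> whether a zone transfer would be allowed."""
    return {(ip, key): allowed(amlist, ip, key, ACLS) for ip, key in CLIENTS}

if __name__ == "__main__":
    for label, aml in (("! notslaves; key", AND_LIST), ("slaves; key", OR_LIST)):
        for (ip, key), ok in transfer_table(aml).items():
            print(f"{label:18} {ip:14} key={key!s:8} -> {'allow' if ok else 'deny'}")
```

Under these rules only the first list requires both the slave address and the key; the second allows the slave without a key and any host that holds the key.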
