ACL and keys

dj drnj at freemail.redherring.co.uk
Fri Aug 29 19:16:03 UTC 2003


So...do the ACL 'rules' read left to right ???

DJ

<Mark_Andrews at isc.org> wrote in message news:bijjcf$b0s$1 at sf1.isc.org...
>
> > Forgive my boolean logic but
>
> You are not dealing with boolean logic.  You are dealing
> with acls.
>
> > (slaves OR tsig)
> >
> > is identical to
> >
> > (not (not(slaves)) OR tsig)
>
> allow-transfer {
> !notslaves;   // REJECT everything *but* slaves.
>
> // Only slaves are left at this point in time.
>
> key tsigkey;  // ACCEPT any requests with this signature.
>
> // reject the rest.
>
> };
> >
> > So I don't see how the statement equates to
> >
> > (Slaves AND slaves-with-tsig-key)
> >
> > > > Why can't you use
> > > >
> > > > allow-transfer { slaves; key tsigkey;};
> > > >
> > >
> > > That is allow "slaves" *or* allow "key tsigkey".
> > >
> > > > ?????
> > > >
> > > > As ! notslave == slaves
> > >
> > > acl slaves {
> > >         194.170.1.11;
> > > };
> > >
> > > acl notslaves {
> > > !slaves; any;
> > > };
> > >
> > > allow-transfer { !notslaves; key tsigkey;};
> > >
> > > This denies everyone but slaves, then allows those with this key.
> > >
> > > Acls are parsed on a first match basis.
> > >
> > > Mark
> > > --
> > > Mark Andrews, Internet Software Consortium
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> > >
> >
> >
> >
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>
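
The first-match behaviour discussed in this thread, as an added example that is not part of the original messages and not BIND source code. It is a simplified model that assumes only literal addresses, "any", "key <name>" and named acl references; the address 192.0.2.50 is constructed, and the function names are hypothetical.

```python
# Simplified model of BIND address-match-list evaluation (an assumption-based
# sketch, not BIND source): elements are tried in order, the first element
# that matches decides, and a negated match means "deny".

ACLS = {
    # acl definitions taken from the thread
    "slaves": ["194.170.1.11"],
    "notslaves": ["!slaves", "any"],
}

def element_matches(elem, addr, key):
    """True if a single (un-negated) element matches this request."""
    if elem == "any":
        return True
    if elem.startswith("key "):
        return key == elem[4:]
    if elem in ACLS:
        # A nested acl counts as a match only on a positive inner match;
        # a negative inner match is treated as "no match".
        return match(ACLS[elem], addr, key) > 0
    return addr == elem  # literal address (prefixes omitted in this sketch)

def match(acl, addr, key=None):
    """Return +1 (positive match), -1 (negative match) or 0 (no match)."""
    for elem in acl:
        negated = elem.startswith("!")
        if element_matches(elem.lstrip("!").strip(), addr, key):
            return -1 if negated else 1
    return 0

def allowed(acl, addr, key=None):
    """Access control: only a positive first match allows; no match denies."""
    return match(acl, addr, key) > 0

OR_FORM = ["slaves", "key tsigkey"]        # slaves OR key
AND_FORM = ["!notslaves", "key tsigkey"]   # slaves AND key

SLAVE = "194.170.1.11"   # from the thread's acl
OTHER = "192.0.2.50"     # constructed documentation address

def truth_table(acl):
    """Results for (slave+key, slave only, other+key, other only)."""
    return [allowed(acl, a, k) for a in (SLAVE, OTHER) for k in ("tsigkey", None)]

if __name__ == "__main__":
    print("slaves; key tsigkey;     ->", truth_table(OR_FORM))
    print("!notslaves; key tsigkey; ->", truth_table(AND_FORM))
```

Each result list is ordered as slave address with key, slave address without key, other address with key, other address without key.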



