nsupdate ACL based on a key AND ip-subnet
Chris Buxton
cbuxton at menandmice.com
Mon Nov 17 03:45:48 UTC 2008
On Nov 16, 2008, at 5:22 PM, Jonathan Petersson wrote:
>> allow-update { !{!10/8;any;}; key update-key; };
>
>
> Wouldn't this still permit any client on the 10/8 subnet to update
> the zones?
No. It says:

1. Deny anyone who isn't in 10/8.
2. Allow anyone using this key.

The first item in the list never says to allow 10/8, it just says to
deny everyone else. The processing therefore continues to the second
item; any request not matched by either rule is denied.

In other words, in ACL processing, "not no" != "yes".

Chris Buxton
Professional Services
Men & Mice
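
Added example, not part of the original post and not BIND's own code: a simplified Python model of first-match address-match-list evaluation, showing why the list above requires both the 10/8 source and the key. The function names and tuple layout are assumptions made for illustration, and the client addresses are constructed.

```python
import ipaddress

# Each element is (negated, kind, value); kind is "net", "key", "any" or "list".
def match(acl, addr, key):
    """Return 1 (positive match), -1 (negative match) or 0 (nothing matched)."""
    for negated, kind, value in acl:
        if kind == "net":
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value)
        elif kind == "key":
            hit = key == value
        elif kind == "any":
            hit = True
        else:
            # Nested list: only a positive inner result counts as a match.
            # A negative inner result is "no match", so negating it can
            # never turn into an allow ("not no" != "yes").
            hit = match(value, addr, key) > 0
        if hit:
            return -1 if negated else 1
    return 0  # fell off the end of the list

def allow_update(acl, addr, key=None):
    # Anything other than a positive match is a denial.
    return match(acl, addr, key) > 0

# allow-update { !{!10/8;any;}; key update-key; };
KEY_AND_SUBNET = [
    (True, "list", [(True, "net", "10.0.0.0/8"), (False, "any", None)]),
    (False, "key", "update-key"),
]

# Contrast (constructed): { 10/8; key update-key; } is subnet OR key.
KEY_OR_SUBNET = [
    (False, "net", "10.0.0.0/8"),
    (False, "key", "update-key"),
]

if __name__ == "__main__":
    for addr in ("10.1.2.3", "192.0.2.1"):
        for key in ("update-key", None):
            print(addr, key,
                  "AND-list:", allow_update(KEY_AND_SUBNET, addr, key),
                  "OR-list:", allow_update(KEY_OR_SUBNET, addr, key))
```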