nsupdate ACL based on a key AND ip-subnet

Chris Buxton cbuxton at menandmice.com
Mon Nov 17 03:45:48 UTC 2008


On Nov 16, 2008, at 5:22 PM, Jonathan Petersson wrote:
>> allow-update { !{!10/8;any;}; key update-key; };
>
>
> Wouldn't this still permit any client on the 10/8 subnet to update  
> the zones?

No. It says:

1. Deny anyone who isn't in 10/8.
2. Allow anyone using this key.

The first item in the list never says to allow 10/8, it just says to  
deny everyone else. The processing therefore continues to the second  
item; any request not matched by either rule is denied.

In other words, in ACL processing, "not no" != "yes".

Chris Buxton
Professional Services
Men & Mice
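
Added example, not part of the original message and not BIND's source code: a simplified Python model of the match-list evaluation described above, in which a nested list counts as a match only when its inner result is positive. The tuple representation, the function names, the sample addresses and the flat `SUBNET_OR_KEY` contrast list are constructed for illustration.

```python
import ipaddress

# Simplified model (not BIND source). An element is (negated, matcher); a
# matcher is "any", ("net", cidr), ("key", name) or a nested list of elements.

def match_list(acl, addr, key):
    """First matching element decides: +1 allow, -1 deny, 0 nothing matched."""
    for negated, matcher in acl:
        if element_matches(matcher, addr, key):
            return -1 if negated else 1
    return 0

def element_matches(matcher, addr, key):
    if matcher == "any":
        return True
    if isinstance(matcher, list):
        # A nested list matches only on a positive inner result. An inner
        # deny is "no match", so negating it can never produce an allow.
        return match_list(matcher, addr, key) > 0
    kind, value = matcher
    if kind == "net":
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value)
    if kind == "key":
        return key == value
    raise ValueError(f"unknown matcher kind: {kind}")

def allowed(acl, addr, key=None):
    """Anything not positively matched is denied."""
    return match_list(acl, addr, key) > 0

# allow-update { !{ !10/8; any; }; key update-key; };
KEY_AND_SUBNET = [
    (True, [(True, ("net", "10.0.0.0/8")), (False, "any")]),
    (False, ("key", "update-key")),
]
# Constructed contrast: allow-update { 10/8; key update-key; };  (subnet OR key)
SUBNET_OR_KEY = [(False, ("net", "10.0.0.0/8")), (False, ("key", "update-key"))]

if __name__ == "__main__":
    # Constructed sample requests: (source address, TSIG key name or None)
    for addr, key in [("10.1.2.3", "update-key"), ("10.1.2.3", None),
                      ("192.0.2.7", "update-key"), ("192.0.2.7", None)]:
        print(f"{addr:10} key={key!s:10} "
              f"and={allowed(KEY_AND_SUBNET, addr, key)} "
              f"or={allowed(SUBNET_OR_KEY, addr, key)}")
```

Only the request that is both inside 10/8 and signed with the key is allowed by the nested form; the flat list accepts either condition on its own.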



