nsupdate ACL based on a key AND ip-subnet

Evan Hunt Evan_Hunt at isc.org
Tue Nov 18 01:59:38 UTC 2008


> IIRC update-policy cannot be used in conjunction with the allow-update
> statement.

My bad--you're right.  There's code I'd never noticed before that says
allow-update will be ignored if update-policy is set.  Whoops.

(Oddly, the check only applies when both of them are defined in the
zone itself.  You can put "allow-updates" in the view options and
"update-policy" in the zone, and named won't complain about it...
but it also won't work the way you want it to.)

I don't know why it was implemented this way--there's no protocol reason
I can see.  (There may be other reasons I don't know about.)  It's probably
not a high enough priority for ISC to devote engineering resources to it at
this time, but if someone submitted a patch that added an ACL check to the
update-policy syntax, I'm sure we'd consider it.

--
Evan Hunt -- evan_hunt at isc.org
Internet Systems Consortium, Inc.
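
An added named.conf sketch of the case described in the message above; it is not part of the original post and not ISC's code. The key name, zone, file name and the 192.0.2.0/24 subnet are constructed, and the second zone goes beyond the message: it relies on standard BIND address-match-list nesting and negation to require both a subnet and a key using allow-update alone.

```conf
# Constructed example. "ddns-key" stands for a TSIG key defined elsewhere
# in the configuration with a key { ... } statement.

# Case from the message: allow-update at the view level, update-policy in
# the zone. named loads this without complaint, but the subnet list is not
# combined with the key-based policy.
view "internal" {
    allow-update { 192.0.2.0/24; };

    zone "example.com" {
        type master;
        file "example.com.db";
        update-policy {
            grant ddns-key subdomain example.com. A;
        };
    };
};

# Alternative (assumption, not from the message): express "key AND subnet"
# in allow-update only, with no update-policy in the zone.
#   - The inner list matches every address outside 192.0.2.0/24.
#   - The leading "!" turns that match into a rejection.
#   - Addresses inside the subnet fall through to the key check.
view "internal-acl-only" {
    zone "example.net" {
        type master;
        file "example.net.db";
        allow-update {
            !{ !192.0.2.0/24; any; };
            key ddns-key;
        };
    };
};
```

With the second form the per-name and per-type restrictions of update-policy are not available; any client that passes the list may update any record in the zone.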


