BIND9 Feature Request: inheritance-policy

[Tony Finch]

JW λ John Woodworth <jw at pcthink.com> wrote:

> Greetings, I would like to request a new feature which I hope will make
> management of the 'allow' match-lists a tad easier.In short, an option
> such as 'allow-transfer' in view or zone contexts could extend the
> match-list as defined in the options section.

You can sort of do what you want already, by defining named ACLs. ACLs can
refer to named ACLs: you can include a named ACL or exclude it. For
example, in my production config, I have some acl clauses roughly like the
ones outlined below.

I like named ACLs and named "masters" lists because they allow our config
generation scripts to use symbolic names to describe a zone's config:
query and xfer ACLs, upstream xfer sources, downstream notify targets. And
when I look at the generated config I see the same symbolic names, so I
have a reasonably consistent and simple vocabulary from the source of all
knowledge through to the run-time config. (And the logs when I have
persuaded the other end to do TSIG!)

acl cudn {
	# cambridge university data network address ranges
};

acl mythic {
	# mythic beasts xfer and auth servers
};

acl secondaries {
	cudn;
	mythic;
	# some xfers allowed by key instead of address
	key tsig-maths;
	key tsig-imperial;
};

zone cam.ac.uk {
	# blah blah
	allow-query { any; };
	allow-transfer { secondaries; };
};

zone private.cam.ac.uk {
	# etc usw
	allow-query { cudn; };
	allow-transfer { cudn; };
};

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
work to the benefit of all