BIND9 Feature Request: inheritance-policy

Tony Finch dot at
Thu May 27 20:27:10 UTC 2021

JW λ John Woodworth <jw at> wrote:

> Greetings, I would like to request a new feature which I hope will make
> management of the 'allow' match-lists a tad easier.In short, an option
> such as 'allow-transfer' in view or zone contexts could extend the
> match-list as defined in the options section.

You can sort of do what you want already, by defining named ACLs. ACLs can
refer to named ACLs: you can include a named ACL or exclude it. For
example, in my production config, I have some acl clauses roughly like the
ones outlined below.

I like named ACLs and named "masters" lists because they allow our config
generation scripts to use symbolic names to describe a zone's config:
query and xfer ACLs, upstream xfer sources, downstream notify targets. And
when I look at the generated config I see the same symbolic names, so I
have a reasonably consistent and simple vocabulary from the source of all
knowledge through to the run-time config. (And the logs when I have
persuaded the other end to do TSIG!)

acl cudn {
	# cambridge university data network address ranges

acl mythic {
	# mythic beasts xfer and auth servers

acl secondaries {
	# some xfers allowed by key instead of address
	key tsig-maths;
	key tsig-imperial;

zone {
	# blah blah
	allow-query { any; };
	allow-transfer { secondaries; };

zone {
	# etc usw
	allow-query { cudn; };
	allow-transfer { cudn; };

f.anthony.n.finch  <dot at>
work to the benefit of all

More information about the bind-users mailing list