[bind10-dev] ACL Syntax proposal
Michal 'vorner' Vaner
michal.vaner at nic.cz
Fri Jun 3 09:27:12 UTC 2011
Hello
On Thu, Jun 02, 2011 at 06:10:36PM -0700, JINMEI Tatuya / 神明達哉 wrote:
> Maybe this is an unfair example that is specifically advantageous for
> ordering-based rules, or maybe that's because I'm "too familiar with
Some other example could be: we have 3 trusted peers, each one with an IP
address and a TSIG key, which we allow to do anything; private subnets where we
allow recursion; and we allow authoritative queries from everywhere.
So, we start ‒ there are 3 „groups“; these would form an OR. One would be the
authoritative query, which would look like (for example):
{
"rd-bit": false,
"opcode": "query"
}
Another one would be the recursive one:
{
"opcode": "query",
"ip": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]
}
And a block for each of the peers, like:
{
"ip": "1.2.3.4",
"tsig": "first-key"
}
{
"ip": "5.6.7.8",
"tsig": "second-key"
}
...
And as they are independent, we put all of these into one big OR.
With the first-match, we still need some way of having an AND operator, because
we need to do things like:
* 1.2.3.4 and tsig → accept
* 5.6.7.8 and tsig → accept
* query and 10/8 → accept
* query and 192.168/16 → accept
* query and rd-bit = false → accept
* reject
This takes me more work to think about the ordering, and I'm not completely
shielded from boolean expressions either.
With regards
--
If it works, fix it.
Michal 'vorner' Vaner
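As an added illustration (not BIND 10 code, and not part of the message above), the policy described in the message written both ways: as an OR of AND-groups, and as the ordered first-match list with a trailing reject. It assumes a request is a dict carrying the same keys the rules use ("ip", "opcode", "rd-bit", "tsig"), where "tsig" is the name of the key the request was verified with, or None if unsigned; the check at the end confirms both forms decide every constructed request the same way.

```python
import ipaddress

def match_rule(rule, request):
    """A rule matches when every key in it matches the request (an AND).
    "ip" may be one address/CIDR string or a list of them (any may match)."""
    for key, expected in rule.items():
        actual = request.get(key)
        if actual is None:
            return False  # the request lacks the attribute the rule needs
        if key == "ip":
            nets = expected if isinstance(expected, list) else [expected]
            addr = ipaddress.ip_address(actual)
            if not any(addr in ipaddress.ip_network(n) for n in nets):
                return False
        elif actual != expected:
            return False
    return True

# The three "groups" from the message; matching any one of them means accept.
GROUPS = [
    {"rd-bit": False, "opcode": "query"},                       # authoritative
    {"opcode": "query",                                         # recursion
     "ip": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]},
    {"ip": "1.2.3.4", "tsig": "first-key"},                     # trusted peers
    {"ip": "5.6.7.8", "tsig": "second-key"},
]

def evaluate_groups(request):
    return "accept" if any(match_rule(g, request) for g in GROUPS) else "reject"

# The same policy as an ordered first-match list; the empty rule is the
# catch-all reject, so it must stay last.
ORDERED = [
    ({"ip": "1.2.3.4", "tsig": "first-key"}, "accept"),
    ({"ip": "5.6.7.8", "tsig": "second-key"}, "accept"),
    ({"opcode": "query", "ip": "10.0.0.0/8"}, "accept"),
    ({"opcode": "query", "ip": "192.168.0.0/16"}, "accept"),
    ({"opcode": "query", "ip": "172.16.0.0/12"}, "accept"),
    ({"opcode": "query", "rd-bit": False}, "accept"),
    ({}, "reject"),
]

def evaluate_ordered(request):
    for rule, action in ORDERED:
        if match_rule(rule, request):
            return action
    return "reject"

def forms_agree(requests):
    """True when both forms give the same verdict for every request."""
    return all(evaluate_groups(r) == evaluate_ordered(r) for r in requests)
```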