[bind10-dev] ACL Syntax proposal
Michal 'vorner' Vaner
michal.vaner at nic.cz
Sat Jun 4 10:38:40 UTC 2011
Hello
On Fri, Jun 03, 2011 at 12:30:41PM -0700, JINMEI Tatuya / 神明達哉 wrote:
> {
> "DENY-IF": {
> "OR": [
> { "ip": "192.168.0.0/16" },
> { "ACCEPT-IF": {"ip": "::/0"}},
> { "ip": "10.0.0.0/8" },
> { "ip": "172.16.0.0/12" }
> ]
> }
> }
This is not, because both DENY-IF and ACCEPT-IF live outside of the FIRST-MATCH
operator. They are not standalone ACL types (or, well, we could define them,
but I've no idea what they _should_ mean). They are just instructions for the
FIRST-MATCH they appear in; FIRST-MATCH defines them only inside itself.
> Specific examples instead of formal (boring) definitions are rather
> helpful when we try to understand the concept, but once this phase is
> done and when we want to know how exactly we should implement it,
> (IMO) we need more precise, formal definition. Otherwise, we can
> always come up with deviant examples like the above one and wonder
> whether it's okay or not forever.
I still don't know how to write this more formally than I did.
> Basically (one form of) what I meant is how some common BIND 9 ACL
> definitions would specifically be represented in the proposed format,
> just so that we can have a clearer image of what we will be expected
> to do in the implementation phase.
>
> In BIND 9, we write:
> options {
> ...
> allow-query { 127.0.0.1; ::1; localnets; };
> };
I don't know what options we would use to actually use the ACL, but something
like:
"allow-query": { "OR": [{"ip": ["127.0.0.1", "::1"]}, "localnets"]}
> zone "example.com" {
> ...
> allow-transfer { key "key.example.com"; 2001:db8:1::/48; };
> };
"allow-transfer": { "OR": [{"tsig": "key.example.com"}, {"ip": "2001:db8:1::/48" }]}
With regards
--
You can't have everything... where would you put it?
-- Steven Wright
Michal 'vorner' Vaner
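The following is an added illustration, not code from this thread or from BIND 10: a small Python evaluator for the ACL syntax as it is described above (plain matchers `ip`, `tsig`, `OR` and the bare string `localnets`, plus `FIRST-MATCH` with `ACCEPT-IF`/`DENY-IF` entries). Where the mail leaves semantics open, the code assumes them and says so: a top-level plain matcher accepts on match and denies otherwise, `FIRST-MATCH` returns the verdict of the first matching entry and denies when none matches, and the request context is a dict with `ip`, optional `tsig` key name and the resolver's own `localnets` prefixes. The `validate` step encodes the point of the reply: an `ACCEPT-IF` or `DENY-IF` anywhere other than directly inside `FIRST-MATCH` is rejected up front instead of being given some ad hoc meaning, and malformed CIDRs are caught before the ACL is ever used to make a decision.

```python
"""Toy evaluator for the ACL syntax discussed in this thread.

Illustrative code written for this page, not BIND 10's implementation.
Assumed semantics (not all spelled out in the mail):
  - top-level ACL: a plain matcher (ACCEPT when it matches, DENY otherwise)
    or {"FIRST-MATCH": [ {"ACCEPT-IF": m} | {"DENY-IF": m}, ... ]}
  - FIRST-MATCH yields the verdict of the first matching entry and DENY
    when nothing matches (assumed default)
  - ACCEPT-IF / DENY-IF are only legal directly inside FIRST-MATCH
  - matchers: {"ip": cidr | [cidr, ...]}, {"tsig": keyname},
    {"OR": [matcher, ...]}, and the bare string "localnets"
"""
import ipaddress

ACCEPT, DENY = "ACCEPT", "DENY"
VERDICTS = {"ACCEPT-IF": ACCEPT, "DENY-IF": DENY}


class AclError(ValueError):
    """Raised for an ACL that is structurally invalid."""


def _networks(value):
    """Parse one CIDR or a list of CIDRs; bad input becomes an AclError."""
    cidrs = value if isinstance(value, list) else [value]
    try:
        return [ipaddress.ip_network(c, strict=False) for c in cidrs]
    except ValueError as exc:
        raise AclError(f"bad address/prefix in {cidrs!r}: {exc}") from exc


def _validate_matcher(m):
    if m == "localnets":
        return
    if not isinstance(m, dict) or len(m) != 1:
        raise AclError(f"matcher must be a single-key object or 'localnets': {m!r}")
    (key, value), = m.items()
    if key in VERDICTS:
        # The mail's point: these are instructions to FIRST-MATCH, not ACL types.
        raise AclError(f"{key} is only meaningful directly inside FIRST-MATCH")
    if key == "OR":
        if not isinstance(value, list):
            raise AclError("OR takes a list of matchers")
        for sub in value:
            _validate_matcher(sub)
    elif key == "ip":
        _networks(value)
    elif key == "tsig":
        if not isinstance(value, str):
            raise AclError("tsig takes a key name")
    else:
        raise AclError(f"unknown matcher {key!r}")


def validate(acl):
    """Check the whole ACL before any request is evaluated against it."""
    if isinstance(acl, dict) and "FIRST-MATCH" in acl:
        if len(acl) != 1 or not isinstance(acl["FIRST-MATCH"], list):
            raise AclError("FIRST-MATCH takes a list of ACCEPT-IF/DENY-IF entries")
        for entry in acl["FIRST-MATCH"]:
            if (not isinstance(entry, dict) or len(entry) != 1
                    or next(iter(entry)) not in VERDICTS):
                raise AclError(f"FIRST-MATCH entry must be ACCEPT-IF or DENY-IF: {entry!r}")
            _validate_matcher(next(iter(entry.values())))
    else:
        _validate_matcher(acl)


def matches(m, ctx):
    """ctx: {"ip": str, "tsig": str | None, "localnets": [cidr, ...]} (assumed shape)."""
    addr = ipaddress.ip_address(ctx["ip"])
    if m == "localnets":
        return any(addr in net for net in _networks(ctx.get("localnets", [])))
    (key, value), = m.items()
    if key == "OR":
        return any(matches(sub, ctx) for sub in value)
    if key == "ip":
        # ip_network.__contains__ is False across IPv4/IPv6, so mixed lists are safe.
        return any(addr in net for net in _networks(value))
    if key == "tsig":
        return ctx.get("tsig") == value
    raise AclError(f"unknown matcher {key!r}")


def evaluate(acl, ctx):
    """Return ACCEPT or DENY for one request context; raise AclError for a bad ACL."""
    validate(acl)
    if isinstance(acl, dict) and "FIRST-MATCH" in acl:
        for entry in acl["FIRST-MATCH"]:
            (directive, m), = entry.items()
            if matches(m, ctx):
                return VERDICTS[directive]
        return DENY  # assumed default when no entry matches
    return ACCEPT if matches(acl, ctx) else DENY


# Constructed sample ACLs: the two BIND 9 translations from the mail, a
# FIRST-MATCH policy, and the structure the reply rejects.
ALLOW_QUERY = {"OR": [{"ip": ["127.0.0.1", "::1"]}, "localnets"]}
ALLOW_TRANSFER = {"OR": [{"tsig": "key.example.com"}, {"ip": "2001:db8:1::/48"}]}
FIRST_MATCH_POLICY = {"FIRST-MATCH": [
    {"DENY-IF": {"ip": "192.168.1.0/24"}},
    {"ACCEPT-IF": {"ip": "192.168.0.0/16"}},
]}
MISPLACED_DIRECTIVES = {"DENY-IF": {"OR": [
    {"ip": "192.168.0.0/16"}, {"ACCEPT-IF": {"ip": "::/0"}}, {"ip": "10.0.0.0/8"},
]}}
```

Running `evaluate(MISPLACED_DIRECTIVES, ...)` raises `AclError` before any match is attempted, which is the behaviour a loader should have for a policy whose meaning is undefined; a permissive parser that guessed at it would be the more dangerous failure.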