[bind10-dev] ACL Syntax proposal

Michal 'vorner' Vaner michal.vaner at nic.cz
Sat Jun 4 10:38:40 UTC 2011


Hello

On Fri, Jun 03, 2011 at 12:30:41PM -0700, JINMEI Tatuya / 神明達哉 wrote:
> {
>   "DENY-IF": {
> 	"OR": [
> 		{ "ip": "192.168.0.0/16" },
> 		{ "ACCEPT-IF": {"ip": "::/0"}},
> 		{ "ip": "10.0.0.0/8" },
> 		{ "ip": "172.16.0.0/12" }
> 	]
>   }
> }

This is not, because both DENY-IF and ACCEPT-IF live outside of the FIRST-MATCH
operator. They are not standalone ACL types (or, well, we could define them,
but I've no idea what they _should_ mean). They are just instructions for the
FIRST-MATCH they appear in, FIRST-MATCH defines them only inside itself.

> Specific examples instead of formal (boring) definitions are rather
> helpful when we try to understand the concept, but once this phase is
> done and when we want to know how exactly we should implement it,
> (IMO) we need more precise, formal definition.  Otherwise, we can
> always come up with deviant examples like the above one and wonder
> whether it's okay or not forever.

I still don't know how to write this more formally than I did.

> Basically (one form of) what I meant is how some common BIND 9 ACL
> definitions would specifically be represented in the proposed format,
> just so that we can have a clearer image of what we will be expected
> to do in the implementation phase.
> 
> In BIND 9, we write:
> options {
> ...
> 	allow-query { 127.0.0.1; ::1; localnets; };
> };

I don't know what options we would use to actually use the ACL, but something
like:
"allow-query": { "OR": [{"ip": ["127.0.0.1", "::1"]}, "localnets"]}

> zone "example.com" {
>  ...
>  allow-transfer { key "key.example.com"; 2001:db8:1::/48; };
> };

"allow-transfer": { "OR": [{"tsig": "key.example.com"}, {"ip": "2001:db8:1::/48" }]}

With regards

-- 
You can't have everything... where would you put it?
    -- Steven Wright

Michal 'vorner' Vaner
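To make the translations above concrete, here is an added Python evaluator for the proposed JSON ACL shape (my own example, not BIND 10 code). It assumes a bare string such as "localnets" resolves to a named ACL, that a request is a dict with "ip" and an optional "tsig" key name, and, since the mail does not spell it out, that a FIRST-MATCH node is a list of ACCEPT-IF/DENY-IF branches taken in order; ACCEPT-IF/DENY-IF met anywhere else (the "deviant" example quoted above) are rejected.

```python
import ipaddress

# Named ACLs referenced by bare string (e.g. "localnets"); these
# networks are constructed sample values, not taken from the mail.
NAMED_ACLS = {"localnets": {"ip": ["127.0.0.0/8", "::1/128", "192.0.2.0/24"]}}


def _ip_match(nets, addr):
    """True if addr lies in any of the listed networks (single string or list)."""
    nets = nets if isinstance(nets, list) else [nets]
    a = ipaddress.ip_address(addr)
    # `in` is False on a v4/v6 family mismatch, so mixed lists are safe.
    return any(a in ipaddress.ip_network(n, strict=False) for n in nets)


def matches(acl, ctx, inside_first_match=False):
    """Evaluate one ACL node against a request ctx ({"ip": ..., "tsig": ...})."""
    if isinstance(acl, str):                     # bare name -> predefined ACL
        return matches(NAMED_ACLS[acl], ctx, inside_first_match)
    (op, arg), = acl.items()                     # every node is a one-key object
    if op == "ip":
        return _ip_match(arg, ctx["ip"])
    if op == "tsig":
        return ctx.get("tsig") == arg            # request signed with that key
    if op == "OR":
        # sub-nodes are ordinary matchers again, so ACCEPT-IF/DENY-IF
        # nested here (the "deviant" example) are rejected below
        return any(matches(sub, ctx) for sub in arg)
    if op in ("ACCEPT-IF", "DENY-IF"):
        if not inside_first_match:
            raise ValueError(f"{op} is only defined directly inside FIRST-MATCH")
        return matches(arg, ctx)
    raise ValueError(f"unknown ACL operator {op!r}")


def decide(acl, ctx, default="DENY"):
    """Return "ACCEPT" or "DENY" for the request.
    Assumed shape: {"FIRST-MATCH": [{"ACCEPT-IF": cond}, {"DENY-IF": cond}, ...]},
    first matching branch decides, else `default`; a plain matcher at top
    level means "accept if it matches"."""
    if isinstance(acl, dict) and "FIRST-MATCH" in acl:
        for branch in acl["FIRST-MATCH"]:
            (op, _), = branch.items()
            if matches(branch, ctx, inside_first_match=True):
                return "ACCEPT" if op == "ACCEPT-IF" else "DENY"
        return default
    return "ACCEPT" if matches(acl, ctx) else default
```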
