[bind10-dev] ACL Syntax proposal

Evan Hunt each at isc.org
Fri May 27 22:08:55 UTC 2011


> I wrote a proposal how ACL syntax could look like. Could you please have
> a look at it and tell me if you think this would work, be friendly to
> users and usable?  Or if you see some minor glitches or think it's
> completely wrong?

I'm not sure boolean logic is quite the right approach here (and maybe it's
not what you had in mind, but the use of AND, OR, and NOT suggests that it
is).

Intuitively, boolean expressions *seem* like a good approach, because
ultimately an ACL does return a yes-or-no answer--but the process of
getting there isn't quite what you'd expect.

Admittedly, I've had my mind twisted by working too closely with BIND 9
ACL syntax, which is... more than a bit weird.  They search for the first
match not the best match, and they use a kind of three-value logic instead
of two:  An ACL element can accept, reject, or fail to match (in which
case we move on to the next ACL element, until we find one that *does*
accept or reject, and then we stop looking).

Boolean expressions strike me as an imperfect fit in a couple of ways.
For example, does "ACCEPT": { "NOT": { "ip": "10/8" }} mean "reject any
address which is in 10/8" , or does it mean "accept any address which is
*not* in 10/8" ?  If an ACCEPT block and a REJECT block both matched a
query, which one would get priority?

I would suggest looking at how router firewall rules are configured for
guidance in this.  I don't know how Cisco and the like do it, but I've
used ipfw and (ugh) iptables, and like BIND 9 ACLs they also take a
first-match approach that concentrates on getting a yes/no answer as
quickly as possible rather than traversing a logic tree.

                                        eh
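The first-match, three-valued evaluation described in the message above, as an added example that is not part of the original post or of BIND 9/BIND 10 code. It models an ACL as an ordered list of elements, each of which can accept, reject, or fail to match (in which case evaluation moves on); if nothing matches, a default verdict applies. The element syntax (`"10.0.0.0/8"`, `"!10.0.0.0/8"` for a negated element, `"any"`) and the `evaluate_acl`/`trace_acl` helpers are assumptions made for the illustration, not a proposed BIND 10 syntax. The `!10.0.0.0/8` cases show the ambiguity the message raises: a negated element on its own rejects 10/8 but does not accept anything else, and moving it before a more specific element changes the outcome.

```python
"""First-match, three-valued ACL evaluation (added example, assumed toy syntax).

Each element yields ACCEPT, REJECT, or NO_MATCH.  Evaluation walks the list
in order and stops at the first ACCEPT or REJECT; NO_MATCH means "keep
looking".  If the list is exhausted, the default verdict applies.
"""
import ipaddress
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_MATCH = "no-match"


class PrefixElement:
    """One ACL element: a CIDR prefix or "any", optionally negated with "!".

    A negated element rejects addresses inside its prefix and fails to
    match everything else; it does NOT accept addresses outside the prefix.
    """

    def __init__(self, spec: str):
        self.spec = spec
        self.negated = spec.startswith("!")
        body = spec[1:] if self.negated else spec
        # "any" matches every address (both IPv4 and IPv6).
        self.network = None if body == "any" else ipaddress.ip_network(body, strict=False)

    def evaluate(self, addr) -> Verdict:
        # Version mismatch (v6 address vs v4 prefix) simply does not match.
        matched = self.network is None or addr in self.network
        if not matched:
            return Verdict.NO_MATCH
        return Verdict.REJECT if self.negated else Verdict.ACCEPT


def parse_acl(specs):
    """Build an ordered ACL from a list of element strings (constructed syntax)."""
    return [PrefixElement(s) for s in specs]


def trace_acl(elements, address, default=Verdict.REJECT):
    """Return the list of (spec, verdict) pairs visited, ending at the decision.

    The final pair uses spec "<default>" when no element matched.
    """
    addr = ipaddress.ip_address(address)
    visited = []
    for elem in elements:
        v = elem.evaluate(addr)
        visited.append((elem.spec, v))
        if v is not Verdict.NO_MATCH:
            return visited
    visited.append(("<default>", default))
    return visited


def evaluate_acl(elements, address, default=Verdict.REJECT) -> Verdict:
    """First-match evaluation: the verdict of the first element that decides."""
    return trace_acl(elements, address, default)[-1][1]


if __name__ == "__main__":
    # Constructed sample ACLs and addresses.
    negated_then_any = parse_acl(["!10.0.0.0/8", "any"])
    negated_only = parse_acl(["!10.0.0.0/8"])
    specific_first = parse_acl(["10.1.0.0/16", "!10.0.0.0/8", "any"])
    negated_first = parse_acl(["!10.0.0.0/8", "10.1.0.0/16", "any"])
    for name, acl in [("negated_then_any", negated_then_any),
                      ("negated_only", negated_only),
                      ("specific_first", specific_first),
                      ("negated_first", negated_first)]:
        for ip in ("10.1.5.5", "10.2.0.1", "192.0.2.1"):
            print(name, ip, [(s, v.value) for s, v in trace_acl(acl, ip)])
```

Reading the traces side by side makes the point of the message concrete: the same negated element means "reject 10/8" in one position and contributes nothing to the final answer in another, so a syntax has to pin down ordering and the no-match case rather than rely on boolean intuition alone.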