Actually, to take this a step further, is there any remote possibility to combine this with update-policy as well?
I know both questions have been mentioned on the list before with varied answers but I wanted to raise it again since this was finally figured out.

/Jonathan

On Mon, Nov 17, 2008 at 11:28 AM, Evan Hunt <[EMAIL PROTECTED]> wrote:
> > > allow-update { !{!10/8;any;}; key update-key; };
> >
> > Wouldn't this still permit any client on the 10/8 subnet to update the
> > zones?
>
> It's very confusing syntax, but no.
>
> You're probably thinking in boolean algebra (I did too, when I first
> encountered this). If it were boolean algebra, you could redistribute
> the negatives: "!{!10/8; any;}" becomes "{!!10/8; !any;}" and then
> simplifies to "{10/8; none;}".
>
> But ACLs aren't boolean, so you can't do that. Each element has three
> possible results not two: match and accept, match and reject, or "no
> match", which means continue processing.
>
> When an ordinary ACL element matches and is negated (for example, the
> element is "!10/8;" and the address is 10.0.0.1) that means "match and
> reject". But if the match is inside of a *nested* ACL, then it's treated
> differently: A negative result means "the nested ACL didn't match"--and
> so you continue processing.
>
> So if you're checking address A against an ACL of one of the following
> forms, these will be the results:
>
> { A; B; }          == A is allowed, accept immediately
> { { A; }; B; }     == A is allowed, accept immediately
> { !A; B; }         == A is forbidden, reject immediately
> { !{ A; }; B; }    == A is forbidden, reject immediately
> { { !A; }; B; }    == A matched but was negated, try element B
> { !{ !A; }; B; }   == A matched but was negated, try element B
>
> Those last two lines there are confusingly similar (and, as written,
> useless). The difference is what happens if you're checking an address
> *other* than A, and something else in the nested ACL matches it.
>
> { { !A; any; }; B; }  == any address other than A is accepted at once,
>                          but A is only accepted if B matches too.
>                          boolean translation: ((not A) or (A and B))
>
> { !{ !A; any; }; B; } == any address other than A is *rejected* at once,
>                          but A is accepted as long as B matches too.
>                          boolean translation: (A and B)
>
> Hope that's helpful. (*I* find it hard to keep this syntax straight, and I
> wrote a big chunk of the code that implements it in BIND 9.5...)
>
> --
> Evan Hunt -- [EMAIL PROTECTED]
> Internet Systems Consortium, Inc.
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
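Evan's three-valued rules, modelled as an added Python example written for this page (not BIND's own code; the `(negated, target)` element encoding, the `parse_prefix` helper and the sample client addresses are this example's own assumptions). It evaluates the thread's allow-update ACL the way he describes: a 10/8 client gets through only when the request is signed with update-key, and every other address is rejected by the negated nested ACL.

```python
import ipaddress

ACCEPT, REJECT, NO_MATCH = 1, -1, 0


def parse_prefix(text):
    """Accept BIND shorthand: "10/8" means 10.0.0.0/8, "10.0.0.1" one host."""
    if "/" not in text:
        return ipaddress.ip_network(text)
    addr, bits = text.split("/", 1)
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False)


def match_acl(acl, client, signer=None):
    """Evaluate an ACL for one request; return ACCEPT, REJECT or NO_MATCH.

    acl is a list of (negated, target) pairs; target is a prefix string,
    "any", "none", "key NAME", or a nested list. The first element that
    matches decides; NO_MATCH means every element fell through.
    """
    for negated, target in acl:
        if isinstance(target, list):
            # Nested ACL: only a *positive* inner result counts as a match.
            # An inner negative match is treated as "did not match", so a
            # negated nested ACL never turns into an accept by double negation.
            hit = match_acl(target, client, signer) == ACCEPT
        elif target == "any":
            hit = True
        elif target == "none":
            hit = False
        elif target.startswith("key "):
            hit = signer == target[4:]   # TSIG-signed request from that key
        else:
            hit = ipaddress.ip_address(client) in parse_prefix(target)
        if hit:
            return REJECT if negated else ACCEPT
    return NO_MATCH


def allowed(acl, client, signer=None):
    """allow-* option semantics: only a positive match grants; NO_MATCH denies."""
    return match_acl(acl, client, signer) == ACCEPT


# The thread's ACL:  allow-update { !{ !10/8; any; }; key update-key; };
UPDATE_ACL = [
    (True, [(True, "10/8"), (False, "any")]),
    (False, "key update-key"),
]
```

`allowed(UPDATE_ACL, "10.0.0.1", "update-key")` is True, while the same client unsigned falls through to NO_MATCH and a 192.0.2.1 client is rejected even with the key.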