> what's the right syntax for enabling IXFR to the entire TSIG- &
> IP-restricted set of hosts in acl_slave_2{}?

I haven't tested this, but I think it will do what you want:

    allow-transfer {
        { !{ !1.1.1.1; any; }; key key1; };
        { !{ !2.2.2.2; !3.3.3.3; !4.4.4.4; any; }; key key2; };
    };

If you want to use named ACLs, then I think you need to define them
backwards, to reject not accept, something like this:

    # pass through any host except slave1 hosts
    acl notslave1 { !1.1.1.1; any; };

    # pass through any host except slave2 hosts
    acl notslave2 { !2.2.2.2; !3.3.3.3; !4.4.4.4; any; };

    allow-transfer {
        { !notslave1; key key1; };
        { !notslave2; key key2; };
        none;
    };

I wrote an explanation of BIND ACLs on this list a few years back that
you may find helpful in explaining the syntactic insanity:

http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
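
Added example (not part of the original post and not BIND source code): a simplified Python model of address-match-list evaluation, showing why the double-negation form above requires both the source address and the TSIG key, while a plain list accepts either. It assumes first-match-wins ordering and that a negative result from a nested list counts as "no match" in its parent; the function names and the NAIVE_ACL contrast case are constructed for illustration.

```python
# Simplified model of BIND address-match-list evaluation (an assumption-based
# sketch, not BIND code). An ACL is a list of (negated, element) pairs; an
# element is an IP string, "any", ("key", name), or a nested ACL (a list).

def match(acl, ip, key):
    """Return +1 (accept), -1 (reject) or 0 (nothing in the list matched)."""
    for negated, elem in acl:
        if isinstance(elem, list):
            # A nested list only counts when it accepts; its rejection is
            # treated as "no match" so evaluation continues in the parent.
            hit = match(elem, ip, key) > 0
        elif isinstance(elem, tuple):
            hit = key == elem[1]          # request signed with this TSIG key
        else:
            hit = elem == "any" or elem == ip
        if hit:
            return -1 if negated else 1   # first matching element decides
    return 0

def allowed(acl, ip, key=None):
    """Default deny: only an explicit accept permits the transfer."""
    return match(acl, ip, key) > 0

def pos(elem):
    return (False, elem)

def neg(elem):
    return (True, elem)

# The inline allow-transfer list from the reply above.
REPLY_ACL = [
    pos([neg([neg("1.1.1.1"), pos("any")]), pos(("key", "key1"))]),
    pos([neg([neg("2.2.2.2"), neg("3.3.3.3"), neg("4.4.4.4"), pos("any")]),
         pos(("key", "key2"))]),
]

# Constructed contrast case: { 1.1.1.1; key key1; } is address OR key.
NAIVE_ACL = [pos("1.1.1.1"), pos(("key", "key1"))]

if __name__ == "__main__":
    for ip, key in [("1.1.1.1", "key1"), ("1.1.1.1", None),
                    ("9.9.9.9", "key1"), ("3.3.3.3", "key2")]:
        print(ip, key, "reply:", allowed(REPLY_ACL, ip, key),
              "naive:", allowed(NAIVE_ACL, ip, key))
```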