John Woodworth <j...@pcthink.com> wrote:

> Greetings, I would like to request a new feature which I hope will make
> management of the 'allow' match-lists a tad easier. In short, an option
> such as 'allow-transfer' in view or zone contexts could extend the
> match-list as defined in the options section.

You can sort of do what you want already, by defining named ACLs. ACLs can
refer to named ACLs: you can include a named ACL or exclude it. For
example, in my production config, I have some acl clauses roughly like the
ones outlined below.

I like named ACLs and named "masters" lists because they allow our config
generation scripts to use symbolic names to describe a zone's config:
query and xfer ACLs, upstream xfer sources, downstream notify targets. And
when I look at the generated config I see the same symbolic names, so I
have a reasonably consistent and simple vocabulary from the source of all
knowledge through to the run-time config. (And the logs when I have
persuaded the other end to do TSIG!)

acl cudn {
        # cambridge university data network address ranges
};

acl mythic {
        # mythic beasts xfer and auth servers
};

acl secondaries {
        cudn;
        mythic;
        # some xfers allowed by key instead of address
        key tsig-maths;
        key tsig-imperial;
};

zone cam.ac.uk {
        # blah blah
        allow-query { any; };
        allow-transfer { secondaries; };
};

zone private.cam.ac.uk {
        # etc usw
        allow-query { cudn; };
        allow-transfer { cudn; };
};

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  https://dotat.at/
work to the benefit of all
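The composition rules Tony leans on (first match wins, a nested named ACL, "key" elements, and "!" negation) modelled in a small Python evaluator. This is an added example, not code from the post or from BIND; the prefixes are made-up placeholders, and the rule that a negated match inside a nested ACL counts as "no match" for the outer list is an assumption to check against the ARM for your BIND version.

```python
import ipaddress

# Constructed named ACLs shaped like the ones in the post above. The
# prefixes are placeholders, not real CUDN or Mythic Beasts ranges; the
# "!" entry inside cudn is added here to show how negation behaves.
ACLS = {
    "cudn": ["!192.0.2.128/25", "192.0.2.0/24"],
    "mythic": ["198.51.100.0/24"],
    "secondaries": ["cudn", "mythic", "key tsig-maths", "key tsig-imperial"],
}

def element_matches(elem, addr, key, depth):
    """Does one (non-negated) element match the request address or TSIG key?"""
    if elem == "any":
        return True
    if elem == "none":
        return False
    if elem.startswith("key "):
        return key == elem[4:]
    if elem in ACLS:
        # Nested ACL: only a positive match counts. A negated match inside a
        # nested ACL is treated as "no match" and the outer list keeps going
        # (assumption: this mirrors BIND 9's nested-ACL handling).
        return match_list(ACLS[elem], addr, key, depth + 1) > 0
    return addr in ipaddress.ip_network(elem, strict=False)

def match_list(elements, addr, key=None, depth=0):
    """First-match evaluation: 1 = positive match, -1 = negated match, 0 = none."""
    if depth > 8:
        raise ValueError("ACL nesting too deep (reference loop?)")
    for elem in elements:
        negated = elem.startswith("!")
        if element_matches(elem.lstrip("! "), addr, key, depth):
            return -1 if negated else 1
    return 0

def allowed(acl, src, key=None):
    """Access-control interpretation: allow only on a positive first match."""
    elements = ACLS[acl] if isinstance(acl, str) else acl
    return match_list(elements, ipaddress.ip_address(src), key) > 0

if __name__ == "__main__":
    print(allowed("secondaries", "192.0.2.10"))                      # True, via cudn
    print(allowed("secondaries", "203.0.113.5"))                     # False, nothing matches
    print(allowed("secondaries", "203.0.113.5", "tsig-maths"))       # True, matched by key
    print(allowed("secondaries", "192.0.2.200"))                     # False, negated inside cudn
    print(allowed(["cudn", "any"], "192.0.2.200"))                   # True, nested "!" does not deny
    print(allowed(["!192.0.2.128/25", "secondaries"], "192.0.2.200"))  # False, top-level "!" denies
```

The last two calls are the practical point: a "!" entry only denies when it sits in the list being evaluated, so exclusions belong in the zone's own allow-transfer list, not buried in a shared named ACL.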