Bind 9 Administrator Reference Manual

Chapter 6. BIND 9 Configuration Reference
6.1.1. Address Match Lists
6.1.1.1. Syntax
address_match_list = address_match_list_element ;
[ address_match_list_element; ... ]
address_match_list_element = [ ! ] (ip_address [/length] |
key key_id | acl_name | { address_match_list } )
6.1.1.2. Definition and Usage
Address match lists are primarily used to determine access control for various server operations. They are
also used to define priorities for querying other nameservers and to set the addresses on which named
will listen for queries. The elements which constitute an address match list can be any of the following:
an IP address (IPv4 or IPv6)
an IP prefix (in the ‘/’-notation)
a key ID, as defined by the key statement
the name of an address match list previously defined with the acl statement
a nested address match list enclosed in braces
Elements can be negated with a leading exclamation mark (‘!’) and the match list names "any," "none,"
"localhost" and "localnets" are predefined. More information on those names can be found in the
description of the acl statement.
The addition of the key clause made the name of this syntactic element something of a misnomer, since
security keys can be used to validate access without regard to a host or network address. Nonetheless, the
term "address match list" is still used throughout the documentation.
When a given IP address or prefix is compared to an address match list, the list is traversed in order until
an element matches. The interpretation of a match depends on whether the list is being used for access
control, defining listen-on ports, or as a topology, and whether the element was negated.
When used as an access control list, a non-negated match allows access and a negated match denies
access. If there is no match, access is denied. The clauses allow-notify, allow-query, allow-transfer,
allow-update and blackhole all use address match lists in this way. Similarly, the listen-on option will
cause the server to not accept queries on any of the machine's addresses which do not match the list.
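As an added illustration (not code from the ARM or from BIND itself), the Python evaluator below applies the rules just described, ordered traversal, first match wins, negation denies, no match denies, to address match lists written as Python data; the ACL names, addresses and key name are constructed for the example.

```python
import ipaddress

# Constructed ACL table in the grammar of 6.1.1.1, as Python data (not BIND code):
#   "192.0.2.0/24" or "2001:db8::1"  ip_address [/length]   (leading "!" negates)
#   "key xfer-key"                   key key_id             (leading "!" negates)
#   "trusted"                        acl_name, looked up in ACLS
#   [ ... ] or ("!", [ ... ])        nested list, optionally negated
ACLS = {
    "any": ["0.0.0.0/0", "::/0"], "none": [],
    "localnets": ["192.0.2.0/24", "2001:db8::/64"],   # assumed interface networks
    "trusted": ["!192.0.2.13", "192.0.2.0/24", "key xfer-key"],
    "xfer": ["trusted", ("!", ["localnets"]), "198.51.100.7"],
}

def element_matches(element, addr, signer):
    """Test one element against a request; returns (matched, negated)."""
    negated = False
    if isinstance(element, tuple):                       # ("!", [nested list])
        negated, element = True, element[1]
    elif isinstance(element, str) and element.startswith("!"):
        negated, element = True, element[1:].strip()
    if isinstance(element, str) and element in ACLS:
        element = ACLS[element]                          # acl_name acts as a nested list
    if isinstance(element, list):
        # A nested list contributes a match only when it matches positively; a negated
        # match inside it is treated as no match here (this mirrors BIND's acl.c, but
        # the section above does not spell it out).
        return find_match(element, addr, signer) == "allow", negated
    if element.startswith("key "):                       # key key_id: compare the signer
        return element.split(None, 1)[1] == signer, negated
    return addr in ipaddress.ip_network(element, strict=False), negated

def find_match(acl, addr, signer=None):
    """Traverse in order; 'allow' or 'deny' on the first match, None if nothing matched."""
    for element in acl:
        matched, negated = element_matches(element, addr, signer)
        if matched:
            return "deny" if negated else "allow"
    return None

def access_allowed(acl, address, signer=None):
    """Access-control interpretation: a non-negated match allows, anything else denies."""
    return find_match(acl, ipaddress.ip_address(address), signer) == "allow"
```

Note that element order decides the outcome: with the negation placed after the prefix, `["192.0.2.0/24", "!192.0.2.13"]` allows 192.0.2.13 because the prefix matches first.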
When used with the topology clause, a non-negated match returns a distance based on its position on the
list (the closer the match is to the start of the list, the shorter the distance is between it and the server). A
negated match will be assigned the maximum distance from the server. If there is no match, the address