address_match_list = 1*address_match_element
address_match_element = [ "!" ] (ip_address / ip_prefix / acl_name / address_match_list) ";"
Address match lists are lists of elements. The elements can be any of the following:
acl
statment.The ACLs "any", "none", "localhost" and "localnets" are
predefined. More information can be found in the description of the
acl
statement.
Elements can be negated with a leading "!".
When a given IP address or prefix is compared to an address match list, the list is traversed in order and the first match (regardless of negation) is used. The interpretation of a match depends on whether the list is being used for access control or as a topology.
When used as an access control list, a non-negated match allows
access and a negated match denies access. If there is no match,
access is denied. The clauses allow-query
,
allow-transfer
and allow-update
all use
address match lists like this. Similarly, the listen-on
clause can use negation to define local addresses which should not be
used to accept nameserver connections.
When used with the topology
clause, a non-negated
match returns a distance based on its postion on the list (the closer
the match is to the start of the list, the shorter the distance is
between it and the server). A negated match will be assigned the
maximum distance from the server. If there is no match, the address
will get a distance which is further than any non-negated list
element, and closer than any negated element.
Because of the first-match aspect of the algorithm, an element that
defines a subset of another element in the list should come before the
broader element, regardless of whether either is negated. For
example, in 1.2.3/24; ! 1.2.3.13;
the 1.2.3.13
element is completely useless, because the algorithm will match
any lookup for 1.2.3.13 to the 1.2.3/24 element. Using
! 1.2.3.13; 1.2.3/24
fixes that problem by
having 1.2.3.13 blocked by the negation but all other 1.2.3.* hosts
fall through.
[ BIND Config. File | BIND Home | ISC ]