address_match_list = 1*address_match_element
address_match_element = [ "!" ] (ip_address / ip_prefix / acl_name / address_match_list) ";"
Address match lists are lists of elements. An element can be any of the following: an IP address (in dotted-decimal notation), an IP prefix (in the "/" notation), the name of an address match list defined with the acl statement, or a nested address match list.
The ACLs "any", "none", "localhost" and "localnets" are predefined. More information can be found in the description of the acl statement.
Elements can be negated with a leading "!".
When a given IP address or prefix is compared to an address match list, the list is traversed in order and the first match (regardless of negation) is used. The interpretation of a match depends on whether the list is being used for access control or as a topology.
When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. Clauses such as allow-update use address match lists in this way. Similarly, the clause that selects the local addresses on which the server accepts connections can use negation to define local addresses which should not be used to accept nameserver connections.
When used with the topology clause, a non-negated match returns a distance based on its position in the list (the closer the match is to the start of the list, the shorter the distance between it and the server). A negated match is assigned the maximum distance from the server. If there is no match, the address gets a distance that is further than any non-negated list element and closer than any negated element.
Because of the first-match aspect of the algorithm, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in 1.2.3/24; ! 1.2.3.13; the ! 1.2.3.13 element is completely useless, because the algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using ! 1.2.3.13; 1.2.3/24; fixes that problem by having 1.2.3.13 blocked by the negation but all other 1.2.3.* hosts matched, and allowed, by the 1.2.3/24 element.
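As an added example (not BIND's own code), the first-match evaluation described above in Python: negation, the predefined any/none lists, named and nested lists, and both the access-control and topology interpretations. The short prefix form 1.2.3/24 is accepted; localhost and localnets are assumed out of scope because they depend on the server's interfaces.

```python
import ipaddress
# List shape: [(negated, element)]; element is an ip_network (a bare address is a
# /32 or /128), an acl name, or a nested list of the same shape.

def parse_element(tok):
    """BIND's short prefix form (1.2.3/24), a full address, or an acl name."""
    if "/" in tok:
        net, plen = tok.split("/")
        if ":" not in net:                      # pad short IPv4 prefixes to 4 octets
            net = ".".join((net.split(".") + ["0"] * 4)[:4])
        return ipaddress.ip_network(f"{net}/{plen}", strict=False)
    try:
        return ipaddress.ip_network(tok)
    except ValueError:
        return tok                              # acl name, resolved at match time

def parse(text):
    """'1.2.3/24; ! 1.2.3.13;' -> [(False, 1.2.3.0/24), (True, 1.2.3.13/32)]"""
    items = (t.strip() for t in text.split(";"))
    return [(t.startswith("!"), parse_element(t.lstrip("! "))) for t in items if t]

# Predefined lists named in the text; "localhost"/"localnets" depend on the
# server's interfaces and are not modelled here (assumption of this example).
ACLS = {"any": parse("0.0.0.0/0; ::/0;"), "none": parse("!0.0.0.0/0; !::/0;")}

def first_match(addr, elements, acls=ACLS):
    """Return (index, negated) of the first matching element, or None."""
    addr = ipaddress.ip_address(addr)
    for i, (neg, el) in enumerate(elements):
        if isinstance(el, str):
            el = acls[el]
        if isinstance(el, list):                # named or nested list: recurse
            sub = first_match(addr, el, acls)
            if sub is not None:
                return i, neg != sub[1]         # an outer "!" flips the nested sign
        elif addr in el:
            return i, neg
    return None

def allowed(addr, elements, acls=ACLS):
    """Access control: non-negated match allows, negated denies, no match denies."""
    m = first_match(addr, elements, acls)
    return m is not None and not m[1]

def distance(addr, elements, acls=ACLS):
    """Topology: index of a non-negated match; no match -> len; negated -> len + 1."""
    m = first_match(addr, elements, acls)
    return len(elements) if m is None else (len(elements) + 1 if m[1] else m[0])
```

Evaluating parse("1.2.3/24; ! 1.2.3.13;") for 1.2.3.13 returns the broad prefix at index 0, so the host is allowed; the reordered list denies it while still allowing 1.2.3.7.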