HP OpenVMS Systems Documentation
Compaq TCP/IP Services for OpenVMS
Address match lists are used primarily to determine access control for server operations. They are also used to define priorities for querying other name servers and to set the addresses on which the BIND server listens for queries. The following example shows the syntax of the address match list:
    address_match_list = address_match_list_element ;
                         [ address_match_list_element; ... ]
    address_match_list_element = [ ! ] (ip_address [/length] |
                                 key key_id | acl_name | { address_match_list } )
The elements that constitute an address match list can be any of the following:
Elements can be negated with a leading exclamation mark (!). The match list names any, none, localhost, and localnets are predefined. More information on those names can be found in the description of the acl statement (see Section C.5.3.1).
When a given IP address or prefix is compared to an address match list, the list is traversed in order until an element matches. The interpretation of a match depends on whether the list is being used for access control, defining listen-on ports, or as a topology, and whether the element was negated. Specifically:
Because of the first-match aspect of the algorithm, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in 1.2.3/24; ! 1.2.3.13; the 1.2.3.13 element is ignored, because the algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using ! 1.2.3.13; 1.2.3/24 corrects that problem by having 1.2.3.13 blocked by the negation, while all other 1.2.3.* hosts fall through.
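To make the first-match rule concrete, here is an added Python example (written for this page; it is not code from the original document or from BIND) that evaluates an address match list the way the text describes: elements are tried in order, the first one containing the address decides, and a negated element denies. It applies the access-control reading of the list, under which no match at all means denial, and adds a small shadowed() check that flags any element an earlier element already covers, which is exactly the 1.2.3/24 versus ! 1.2.3.13 ordering mistake. Only address and prefix elements plus the predefined names any and none are handled; localhost, localnets, key elements and user-defined acl names are not. The two lists at the bottom are the constructed examples from the text.

```python
import ipaddress


def _to_network(text):
    """Expand BIND's prefix shorthand ('1.2.3/24' means 1.2.3.0/24, '10/8' means
    10.0.0.0/8) and return an ipaddress network; a bare address becomes a /32 or /128."""
    addr, _, length = text.partition("/")
    if ":" not in addr:                       # IPv4: pad missing octets with zeros
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    if not length:
        return ipaddress.ip_network(addr)
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)


def parse_element(text):
    """Return (negated, networks) for one element such as '! 1.2.3.13', '1.2.3/24',
    'any' or 'none'. Named acls other than any/none are not handled in this example."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    if text == "any":
        networks = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    elif text == "none":
        networks = []
    else:
        networks = [_to_network(text)]
    return negated, networks


def first_match(elements, address):
    """Walk the list in order and return (negated, element) for the first element
    that contains address, or None when no element matches."""
    ip = ipaddress.ip_address(address)
    for element in elements:
        negated, networks = parse_element(element)
        if any(ip in net for net in networks):
            return negated, element
    return None


def access_allowed(elements, address):
    """Access-control reading of the list: a non-negated first match allows,
    a negated first match denies, and no match at all denies."""
    hit = first_match(elements, address)
    return hit is not None and not hit[0]


def _covered(networks, earlier):
    """True when every network of an element lies inside some network of an earlier element."""
    return bool(networks) and all(
        any(n.version == e.version and n.subnet_of(e) for e in earlier) for n in networks)


def shadowed(elements):
    """Lint for the ordering pitfall: return (element, earlier_element) pairs where the
    element can never be reached because an earlier element already covers it."""
    seen, report = [], []
    for element in elements:
        _, networks = parse_element(element)
        for earlier_element, earlier_networks in seen:
            if _covered(networks, earlier_networks):
                report.append((element, earlier_element))
                break
        seen.append((element, networks))
    return report


if __name__ == "__main__":
    # Constructed lists taken from the ordering example in the text.
    wrong = ["1.2.3/24", "! 1.2.3.13"]   # negation is shadowed, 1.2.3.13 gets through
    right = ["! 1.2.3.13", "1.2.3/24"]   # negation first, 1.2.3.13 is denied
    for lst in (wrong, right):
        print(lst, "-> 1.2.3.13 allowed:", access_allowed(lst, "1.2.3.13"),
              "shadowed:", shadowed(lst))
```

The shadowed() check is the one worth keeping: run it over every allow-query, allow-transfer or similar list before deploying a configuration, since a shadowed negation silently grants access the author meant to deny.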
C.5.3 Configuration File Format
A BIND configuration file consists of statements and comments. Statements end with a semicolon. Many statements contain a block of substatements that also end with a semicolon. Table C-3 describes the configuration statements.
Statement | Description |
---|---|
acl | Specifies a named IP address matching list, for access control and other uses. |
controls | Declares control channels to be used by the rndc utility. |
include | Includes a file. |
key | Specifies key information for use in authentication and authorization using TSIG. See Section C.2.3 for more information. |
logging | Specifies what the server logs, and where the log messages are sent. |
options | Controls global server configuration options and sets defaults for other statements. |
server | Sets configuration options, and sets defaults for other statements. |
trusted-keys | Specifies trusted DNSSEC keys. |
view | Specifies a view. |
zone | Specifies a zone. |
The following sample is a configuration file for a master server:
    options {
        directory "SYS$SPECIFIC:[TCPIP$BIND]";
    };
    zone "FRED.PARROT.BIRD.COM" in {
        type master;
        file "FRED_PARROT_BIRD_COM.DB";
    };
    zone "0.0.127.IN-ADDR.ARPA" in {
        type master;
        file "127_0_0.DB";
    };
    zone "LOCALHOST" in {
        type master;
        file "LOCALHOST.DB";
    };
    zone "208.20.16.IN-ADDR.ARPA" in {
        type master;
        file "208_20_16_IN-ADDR_ARPA.DB";
    };
    zone "." in {
        type hint;
        file "ROOT.HINT";
    };
The following comment styles are valid in a BIND configuration file. Comments can appear anywhere in the file.
Do not use a semicolon (;) as a comment character in your configuration file. The semicolon indicates the end of a configuration statement; whatever follows is interpreted as the start of the next statement.
The acl statement assigns a symbolic name to an address match list. It gets its name from a primary use of address match lists: access control lists (ACLs).
The access control lists used by the BIND service and OpenVMS ACLs are different structures with different purposes.
The acl statement is formatted as follows:
    acl acl-name { address_match_list };
Note that the address match list must be defined with acl before it can be used elsewhere; forward references are not allowed.
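The following added Python example (written for this page; it is not code from the original document or from BIND) parses acl statements according to the address_match_list syntax given earlier: an element is an address or prefix, key followed by a key_id, the name of an acl, or a nested list in braces, each optionally negated with ! and each ended by a semicolon. It treats the built-in names any, none, localhost and localnets as already defined, enforces the rule that an acl must be defined before it is referenced, strips BIND's comment styles (/* */, // and #) before tokenizing, and reports a stray semicolon as the statement terminator it is rather than as a comment. The acl names, addresses and key name in the samples are constructed; validate() returns None for a clean file or the error message otherwise.

```python
import re

# Names BIND defines for you; they may be referenced without an acl statement.
PREDEFINED = ("any", "none", "localhost", "localnets")

# IPv4 prefix with one to four octets (BIND's shorthand), or an IPv6 literal (contains ':').
ADDRESS = re.compile(r"^(\d{1,3}(\.\d{1,3}){0,3}|[0-9A-Fa-f.]*:[0-9A-Fa-f:.]*)(/\d{1,3})?$")


class ConfigError(Exception):
    """Raised for the syntax and ordering errors this example checks."""


def tokenize(text):
    """Split text into tokens after removing BIND's three comment styles
    (/* */, // and #). Quoted strings stay as one token; '{' '}' ';' '!' are tokens."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return re.findall(r'"[^"]*"|[{};!]|[^\s{};!"]+', text)


def _at(tokens, i):
    if i >= len(tokens):
        raise ConfigError("unexpected end of configuration")
    return tokens[i]


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_match_list(tokens, i, known):
    """Parse elements starting just after '{'. Returns (elements, index after '}').
    Each element is (negated, kind, value) with kind one of address/key/acl/list."""
    elements = []
    while True:
        tok = _at(tokens, i)
        if tok == "}":
            return elements, i + 1
        if tok == ";":
            raise ConfigError("empty element: ';' ends a statement, it does not start a comment")
        negated = tok == "!"
        if negated:
            i += 1
            tok = _at(tokens, i)
        if tok == "{":                                   # nested address match list
            nested, i = parse_match_list(tokens, i + 1, known)
            element = (negated, "list", nested)
        elif tok == "key":                               # key key_id
            element = (negated, "key", _unquote(_at(tokens, i + 1)))
            i += 2
        elif ADDRESS.match(tok):                         # ip_address [/length]
            element = (negated, "address", tok)
            i += 1
        else:                                            # acl_name: must already be known
            name = _unquote(tok)
            if name not in known:
                raise ConfigError(f"acl '{name}' is used before it is defined; "
                                  "forward references are not allowed")
            element = (negated, "acl", name)
            i += 1
        if _at(tokens, i) != ";":
            raise ConfigError(f"expected ';' after element {element!r}")
        elements.append(element)
        i += 1


def parse_acls(text):
    """Read the acl statements in text in file order and return {name: elements}.
    A name becomes usable only after its own statement has been read."""
    tokens = tokenize(text)
    acls, known, i = {}, set(PREDEFINED), 0
    while i < len(tokens):
        if tokens[i] != "acl":
            raise ConfigError(f"unexpected token {tokens[i]!r}: this example reads acl statements only")
        name = _unquote(_at(tokens, i + 1))
        if _at(tokens, i + 2) != "{":
            raise ConfigError(f"expected '{{' after acl {name}")
        elements, i = parse_match_list(tokens, i + 3, known)
        if _at(tokens, i) != ";":
            raise ConfigError(f"expected ';' after the closing '}}' of acl {name}")
        acls[name] = elements
        known.add(name)
        i += 1
    return acls


def validate(text):
    """Return None when text parses cleanly, otherwise the error message."""
    try:
        parse_acls(text)
    except ConfigError as exc:
        return str(exc)
    return None


# Constructed samples (not from the original document).
GOOD = """
acl "trusted" { 10.0.0/24; ! 10.0.0.5; key rndc-key; };  // line comment
acl "internal" { trusted; localnets; { 192.168/16; }; };
"""
FORWARD_REF = 'acl "internal" { trusted; }; acl "trusted" { 10.0.0/24; };'
SEMI_COMMENT = 'acl "x" { 10.0.0/24; ; this is not a comment };'

if __name__ == "__main__":
    for sample in (GOOD, FORWARD_REF, SEMI_COMMENT):
        print(validate(sample) or parse_acls(sample))
```

Because the parser adds a name to the known set only after its statement has been parsed, the FORWARD_REF sample fails at the reference to trusted, which is the behaviour the rule above describes; swapping the two statements makes it pass.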
The following ACLs are created automatically:
ACL | Matches |
---|---|
any | All hosts |
none | No hosts |
localhost | The IPv4 addresses of all interfaces on the system |
localnets | Any host on an IPv4 network for which the system has an interface |
The ACLs localhost and localnets do not support IPv6. The ACL localhost