named.conf.4 (2010 09)
named.conf(4) named.conf(4)
(BIND 9.3)
used.

    path_name   A quoted string that is used as a path name, such as
                "zones/master/my.test.domain".

    size_spec   One of the following:

                number      A decimal number, optionally followed by a
                            scaling factor: K or k for kilobytes, M or m
                            for megabytes, and G or g for gigabytes, which
                            scale by 1024, 1024*1024, and 1024*1024*1024
                            respectively. The value must be representable
                            as a 64-bit unsigned integer (0 to
                            18446744073709551615, inclusive).

                default     Uses the limit that was in force when the
                            server was started.

                unlimited   Requests unlimited use, or the maximum
                            available amount. This is the best way to set
                            a really large number.

    yes_or_no   Either yes or no. The words true and false and the numbers
                1 and 0 are also accepted, respectively.
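The size_spec and yes_or_no rules above are easy to get subtly wrong when a configuration is generated or validated by a script, in particular the requirement that the value still fit in 64 bits after the K/M/G scaling is applied. The following parser is an added illustration written for this page; it is not code from the manual page or from BIND itself. The function names parse_size_spec, is_valid_size_spec and parse_yes_or_no are the example's own, and the case-insensitive handling of yes/no/true/false is an assumption the page does not state.

```python
import re

# Scaling factors from the size_spec grammar: K/k, M/m, G/g, powers of 1024.
_SCALE = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# The largest value the manual allows: a 64-bit unsigned integer.
_UINT64_MAX = 18446744073709551615

_NUMBER_RE = re.compile(r"^(\d+)([kKmMgG]?)$")


def parse_size_spec(token):
    """Parse one size_spec token.

    Returns an int for a (scaled) number, or the string 'default' or
    'unlimited' for the two keywords. Raises ValueError for any other
    input, including a number that does not fit in 64 bits after scaling.
    """
    token = token.strip()
    if token in ("default", "unlimited"):
        return token
    m = _NUMBER_RE.match(token)
    if m is None:
        raise ValueError("not a size_spec: %r" % token)
    value = int(m.group(1)) * _SCALE.get(m.group(2).lower(), 1)
    # The bound applies to the scaled value, so 17179869184G (2**34 * 2**30)
    # overflows even though the unscaled digits alone would fit.
    if value > _UINT64_MAX:
        raise ValueError("size_spec %r exceeds 64-bit unsigned range" % token)
    return value


def is_valid_size_spec(token):
    """True when parse_size_spec() accepts the token, False otherwise."""
    try:
        parse_size_spec(token)
    except ValueError:
        return False
    return True


def parse_yes_or_no(token):
    """Map yes/true/1 to True and no/false/0 to False.

    Assumption (not stated on the page): keywords are compared
    case-insensitively, so 'Yes' and 'YES' are accepted as well.
    """
    t = token.strip().lower()
    if t in ("yes", "true", "1"):
        return True
    if t in ("no", "false", "0"):
        return False
    raise ValueError("not a yes_or_no: %r" % token)


if __name__ == "__main__":
    # Constructed sample tokens, including two that exceed the 64-bit bound.
    for tok in ("100", "512k", "2M", "16G", "default", "unlimited",
                "18446744073709551615", "18446744073709551616", "17179869184G"):
        print(tok, "->", parse_size_spec(tok) if is_valid_size_spec(tok) else "rejected")
```

A validator that checks only the digits against the 64-bit limit and ignores the suffix would accept "17179869184G"; named would not, which is why the check is applied to the scaled value.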
Address Match List Syntax
    An address_match_list has the format:

        address_match_list_element ;
        [ address_match_list_element ; ]...

    An address_match_list_element has the format:

        [ ! ] ( ip_addr
              | ip_prefix
              | key key_id
              | acl_name
              | { address_match_list } )
Address Match List Definition and Usage
    Address match lists are primarily used to determine access control for
    various server operations. They are also used to define priorities for
    querying other name servers and to set the addresses on which named
    will listen for queries. The elements which constitute an address
    match list may be any of the following:

    •  An IP address (IPv4 or IPv6).

    •  An IP prefix (in the /-notation).

    •  A key ID, as defined by the key statement.

    •  The name of an address match list previously defined with an acl
       statement.

    •  A nested address match list enclosed in braces.

    Elements can be negated with a leading exclamation mark (!). The match
    list names of any, none, localhost, and localnets are predefined. For
    more information on these match list names, refer to The acl Statement
    section. The addition of the key clause made the name of this
    syntactic element something of a misnomer, since security keys can be
    used to validate access without regard to a host or network address.
    However, the term address match list is still being used.
    When a given IP address or prefix is compared to an address match
    list, the list is traversed in order until an element matches. The
    interpretation of a match depends on whether the list is being used
    for access control, defining listen-on ports and whether the element
    was negated. When used as an access control list, a nonnegated match
    allows access and a negated match denies access. If there is no match,
    access is denied.

    The clauses allow-notify, allow-query, allow-transfer, allow-update,
    allow-update-forwarding, and blackhole, which can be specified in the
    options and/or zone statements, use the address match lists.
    Similarly, the listen-on option causes the server not to accept
    queries on any of the machine’s addresses which do not match the list.

    Because of the first-match aspect of the algorithm, an element that
    defines a subset of another element in the list should come before
    the broader element, regardless of whether either is negated. For
    example, in 1.2.3/24; ! 1.2.3.13; the 1.2.3.13 element is of no use
    because the algorithm will match any lookup for 1.2.3.13 to the
    1.2.3/24 element. Using ! 1.2.3.13; 1.2.3/24 fixes that problem
Hewlett-Packard Company − 2 − HP-UX 11i Version 3: September 2010