HP-UX Reference (11i v2 04/09) - 4 File Formats (vol 8)

named.conf(4)
Address Match Lists Syntax
    address_match_list = address_match_list_element ;
                         [ address_match_list_element ; ... ]
    address_match_list_element = [ ! ] ( ip_address [ /length ] |
                                         key key_id | acl_name | { address_match_list } )
Address Match Lists Definition and Usage
Address match lists are primarily used to determine access control for various server operations. They are also used to define priorities for querying other nameservers and to set the addresses on which named will listen for queries. The elements which constitute an address match list may be any of the following:
    an IP address (IPv4 or IPv6)
    an IP prefix (in the '/'-notation)
    a key ID, as defined by the key statement
    the name of an address match list previously defined with the acl statement
    a nested address match list enclosed in braces
Elements can be negated with a leading exclamation mark (!). The match list names any, none, localhost, and localnets are predefined. For more information on these match list names, refer to the acl statement section. The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. However, the term "address match list" is still being used.
When a given IP address or prefix is compared to an address match list, the list is traversed in order until an element matches. The interpretation of a match depends on whether the list is being used for access control, for defining listen-on ports, and whether the element was negated. When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied.
The clauses allow-notify, allow-query, allow-transfer, allow-update, and blackhole, which can be specified in the options and/or zone statements, use address match lists. Similarly, the listen-on option causes the server not to accept queries on any of the machine's addresses which do not match the list.
Because of the first-match aspect of the algorithm, an element that defines a subset of another element in
the list should come before the broader element, regardless of whether either is negated. For example, in
1.2.3/24; ! 1.2.3.13; the 1.2.3.13 element is not of any use because the algorithm will match any
lookup for 1.2.3.13 to the 1.2.3/24 element. Using ! 1.2.3.13; 1.2.3/24 fixes that problem by
having 1.2.3.13 blocked by the negation but all other 1.2.3.* hosts fall through.
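The first-match rule and the ordering pitfall above are easy to get wrong when reading a long list by eye. The following simulation is an added example written for this page (it is not BIND's code and is not part of the manual): it parses the address_match_list grammar shown above (addresses, shortened IPv4 prefixes such as 1.2.3/24, key IDs, acl names and nested braces) and walks the list in order, so both orderings of the 1.2.3.13 / 1.2.3/24 example can be checked. The predefined localnets value and the acl names are constructed sample data; treating a negated match inside a nested list or named acl as "no match" is an assumption made here.

```python
"""Added example: simulate named's address-match-list evaluation (not BIND code).

First-match rule from named.conf(4): walk the list in order; the first element
that matches decides (non-negated = allow, negated = deny); no match = denied.
"""
import ipaddress
import re

# Predefined names. named derives localhost/localnets from the host's
# interfaces; the values here are constructed sample data for the simulation.
PREDEFINED_ACLS = {
    "any": "0.0.0.0/0; ::/0;",
    "none": "",
    "localhost": "127.0.0.1; ::1;",
    "localnets": "192.0.2.0/24;",
}

IPV4_RE = re.compile(r"^\d+(\.\d+){0,3}(/\d+)?$")
IPV6_RE = re.compile(r"^[0-9a-fA-F]*:[0-9a-fA-F:]*(/\d+)?$")


def expand_prefix(text):
    """Turn an address or prefix into an ip_network; '1.2.3/24' means 1.2.3.0/24."""
    addr, _, length = text.partition("/")
    if ":" not in addr:                       # IPv4: pad missing octets with 0
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        addr = ".".join(octets)
    return ipaddress.ip_network(f"{addr}/{length}" if length else addr, strict=False)


def tokenize(text):
    """Split list text into braces, semicolons, '!' and bare words."""
    return re.findall(r"[{};!]|[^\s{};!]+", text)


def parse_list(tokens, pos=0):
    """Recursive-descent parser for address_match_list; returns (elements, pos)."""
    elements = []
    while pos < len(tokens) and tokens[pos] != "}":
        negated = tokens[pos] == "!"
        if negated:
            pos += 1
        tok = tokens[pos]
        if tok == "{":                                   # nested list
            nested, pos = parse_list(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != "}":
                raise ValueError("unbalanced braces in address match list")
            elements.append((negated, "list", nested))
        elif tok == "key":                               # key key_id
            pos += 1
            elements.append((negated, "key", tokens[pos]))
        elif IPV4_RE.match(tok) or IPV6_RE.match(tok):   # address or prefix
            elements.append((negated, "net", expand_prefix(tok)))
        else:                                            # acl_name
            elements.append((negated, "acl", tok))
        pos += 1
        if pos >= len(tokens) or tokens[pos] != ";":
            raise ValueError("each element must end with ';'")
        pos += 1
    return elements, pos


def match(elements, addr, acls, key_id=None):
    """First-match traversal: True = positive match, False = negated match,
    None = nothing matched. A nested list or named acl counts as a hit only
    when it yields a positive match (assumption made for this example)."""
    for negated, kind, value in elements:
        if kind == "net":
            hit = addr.version == value.version and addr in value
        elif kind == "key":
            hit = key_id is not None and key_id == value
        else:
            inner = value if kind == "list" else parse_list(tokenize(acls[value]))[0]
            hit = match(inner, addr, acls, key_id) is True
        if hit:
            return not negated
    return None


def access_allowed(list_text, address, acls=None, key_id=None):
    """Evaluate an allow-*/blackhole style list for one client; no match = denied."""
    tokens = tokenize(list_text)
    elements, pos = parse_list(tokens)
    if pos != len(tokens):
        raise ValueError("unexpected '}' in address match list")
    all_acls = {**PREDEFINED_ACLS, **(acls or {})}
    return match(elements, ipaddress.ip_address(address), all_acls, key_id) is True


if __name__ == "__main__":
    # The pitfall from the manual page: the /24 comes first, so the negated
    # host is never reached and 1.2.3.13 is allowed after all.
    print(access_allowed("1.2.3/24; ! 1.2.3.13;", "1.2.3.13"))   # True (unintended)
    print(access_allowed("! 1.2.3.13; 1.2.3/24;", "1.2.3.13"))   # False
    print(access_allowed("! 1.2.3.13; 1.2.3/24;", "1.2.3.7"))    # True
```

Running the block prints the three decisions for the two orderings. The same function can be pointed at any list copied out of a named.conf to confirm which element a given client address or key ID would hit first.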
Comment Syntax
Comments in a BIND 9.2 configuration file can be written in C, C++, or shell/perl constructs.
WARNING: Unlike in a zone file, you cannot use the semicolon (;) character to start a comment in the BIND 9.2 configuration file. The semicolon indicates the end of a configuration statement.
Configuration File Grammar
A BIND 9.2 configuration file consists of statements and comments. Statements end with a semicolon. Statements and comments are the only elements that can appear without enclosing braces. Many statements contain a block of substatements, which are terminated with a semicolon. The following statements are supported:
acl defines a named IP address matching list, for access control and other uses.
controls declares control channels to be used by the rndc utility.
include includes a file.
key specifies key information for use in authentication and authorization using TSIG.
logging specifies what the server logs, and where the log messages are sent.
options controls global server configuration options and sets defaults for other statements.
server sets certain configuration options on a per-server basis.
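To show how the statements listed above fit together with an address match list, here is a minimal named.conf fragment added as an example for this page (it is not taken from the manual or from any HP-UX default configuration). The acl and key names, the addresses, the include path and the key secret are constructed placeholders; the acl orders the specific negation before the broader prefix, as the Address Match Lists section requires.

```conf
// Added example, not from named.conf(4). All names and addresses are placeholders.
// C-style, C++-style and shell-style comments are all accepted; ';' is not a comment.

acl "trusted" {
    ! 1.2.3.13;        // the specific negation must precede the /24 it lives in
    1.2.3/24;
    localnets;         // predefined match list name
};

key "xfer-key" {
    algorithm hmac-md5;                  // the TSIG algorithm BIND 9.2 supports
    secret "REPLACE-WITH-BASE64-SECRET"; // placeholder, not a real key
};

include "/etc/named.keys.PLACEHOLDER";   # placeholder path for the rndc key file

controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
};

logging {
    channel default_syslog { syslog daemon; severity info; };
    category default { default_syslog; };
};

options {
    listen-on { 127.0.0.1; 1.2.3.1; };   // addresses not in this list are not served
    allow-query { trusted; };            // address match list by acl name
    allow-transfer { key xfer-key; };    // only TSIG-signed transfer requests
    blackhole { 10.0.0.0/8; };           // constructed sample; never answered
};

server 1.2.3.4 {
    keys { "xfer-key"; };                // sign traffic to this one peer
};
```

Because allow-query resolves "trusted" through the acl statement, the 1.2.3.13 host is denied while the rest of 1.2.3/24 and the local networks are answered; with the two acl elements swapped, the negation would be shadowed and 1.2.3.13 answered as well. The include statement refers to a file that would hold the rndc-key definition used by controls.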
HP-UX 11i Version 2: September 2004 2 Hewlett-Packard Company Section 4177