The short answer is that that is how address-match-lists work: a non-negated
match allows access, a negated match denies access, and if there is *no* match,
access is denied. The only real reason to use a negated match, therefore, is
when what you're negating is a subset of something later in the
address-match-list.
You do realize, I hope, that you could just change the order of the views and
then you wouldn't need any form of negation (earlier one matches 127.0.0.1,
later one matches "any").
- Kevin
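The first-match rule Kevin describes can be checked without a running named. The following is an added example, not part of this thread or of BIND itself: a small Python model of a BIND address-match-list (only "any" and literal addresses/prefixes are handled; ACL names, keys and "localhost"-style keywords are left out as a simplification) plus a view selector that walks the views in order. The three view orderings at the bottom are the FIRST ATTEMPT and SECOND ATTEMPT from the original post and the reordered variant Kevin suggests; the client addresses are constructed sample values.

```python
import ipaddress


def parse_acl(text):
    """Parse the body of a match-clients list, e.g. '! 127.0.0.1; any;',
    into (negated, network) tuples in list order.
    network is None for the 'any' keyword. (Constructed simplification:
    named ACL names, TSIG keys and nested lists are not supported.)"""
    elements = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()  # allow both '!127.0.0.1' and '! 127.0.0.1'
        net = None if item == "any" else ipaddress.ip_network(item, strict=False)
        elements.append((negated, net))
    return elements


def acl_matches(acl, client_ip):
    """BIND address-match-list semantics: the FIRST element that matches the
    client decides. A plain element allows, a negated element denies, and
    if nothing matches the answer is deny."""
    ip = ipaddress.ip_address(client_ip)
    for negated, net in acl:
        hit = net is None or (ip.version == net.version and ip in net)
        if hit:
            return not negated
    return False  # fell off the end of the list: implicit deny


def select_view(views, client_ip):
    """Views are tried in configuration order; the first view whose
    match-clients list allows the client serves it. Returns None when no
    view matches (named then has no view to answer from)."""
    for name, acl_text in views:
        if acl_matches(parse_acl(acl_text), client_ip):
            return name
    return None


# View orderings from the thread: (view name, match-clients body)
FIRST_ATTEMPT = [("default-test", "! 127.0.0.1;"), ("default", "any;")]
SECOND_ATTEMPT = [("default-test", "! 127.0.0.1; any;"), ("default", "any;")]
# Kevin's suggestion: put the loopback view first, no negation needed.
REORDERED = [("default", "127.0.0.1;"), ("default-test", "any;")]

if __name__ == "__main__":
    for label, views in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("reordered", REORDERED)):
        for client in ("127.0.0.1", "198.51.100.7"):  # constructed sample clients
            print(f"{label:9s} client {client:13s} -> view {select_view(views, client)}")
```

Running the script shows why the first attempt "never matched": `{ ! 127.0.0.1; }` denies 127.0.0.1 by the negated element and denies everyone else by falling off the end, so every client lands in the later "default" view. Appending `any;` gives the external clients a positive match, and reordering the views removes the need for the negation altogether.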
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of MURTARI, JOHN
Sent: Tuesday, August 04, 2015 4:19 PM
To: [email protected]
Subject: Negation in view match-clients ACL doesn't work?
Folks,
This has been a real mystery and I haven't been able to find a good
explanation for the behavior. For a simple example I have two views set up and I
want to differentiate access based on queries originating from 127.0.0.1.
In my FIRST ATTEMPT I just negated the IP address, but that didn't
work. The first view never matched. In the SECOND ATTEMPT I simply added
"any" AFTER the negation and that worked?
I read the ARM, can someone explain? Many Thanks!!!!!
FIRST ATTEMPT: Fails - no clients can see external_zones.
view "default-test" {
    match-clients { ! 127.0.0.1; }; // thought this would match anyone but 127.0.0.1
    zone "." {
        type hint;
        file "db.cache";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0.0";
    };
    include "external_zones.txt";
};
view "default" {
    match-clients { any; };
    zone "." {
        type hint;
        file "db.cache";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0.0";
    };
    include "internal_zones.txt";
};
SECOND ATTEMPT: Succeeds, only external clients can see external_zones.
view "default-test" {
    match-clients { ! 127.0.0.1; any; }; // Why must I add any?
    ......
----------------
John Murtari - [email protected]
Ciberspring
office: 315-944-0998
cell: 315-430-2702
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users