
Re: Matching rule against IP subnet

On Sun, 16 Nov 2008, Howard Chu wrote:

>> But there is no way to tell that he can only set a pTRRecord within, therefore my inquiry on that topic.
>
> And as I said before, subnets and domains are orthogonal. There is nothing in DNS to accommodate subnet notation, so you're still on your own here. A regex would probably be the best bet. Using hexadecimal RDNs would simplify things too.
>
> dn: dc=03,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home
>
> access to dn.regex="dc=[89abcdef].,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home" by foo

This might be a situation where you could steal some of the ideas from RFC2317 so as to avoid the expensive ACL. Consider the example:

   $ORIGIN 2.0.192.in-addr.arpa.
   @       IN      SOA     my-ns.my.domain. hostmaster.my.domain. (...)
   ;  <<0-127>> /25
   0/25            NS      ldap1-name.server.
   0/25            NS      ldap2-name.server.
   1               CNAME   1.0/

then just configure ldap{1,2}-name.server with a comparatively cheap

access to dn.subtree="dc=0/25,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa,o=home" ...

The downfall (to my reading) is that you won't actually *stop* somebody from writing, say, to that subtree. But there are only so many stupid user tricks you can avoid, and it's got to be a lot easier on administration than the long regexps.
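The two ACL shapes discussed in this thread, as an added example that is not from the thread, from Howard, or from OpenLDAP itself: a short Python script that builds the hexadecimal `dn.regex` pattern Howard sketches for any block inside a /24 and checks it against every PTR DN in the surrounding /24, and that emits the RFC 2317 parent-zone delegation together with the decimal `dn.subtree` base the delegated LDAP server can protect with one cheap rule. The suffix `o=home`, the `2.0.192.in-addr.arpa.` origin and the `ldap{1,2}-name.server.` names are taken from the messages above; the function names are assumptions, and the check applies the pattern with a plain search rather than modelling slapd's exact `dn.regex` anchoring rules.

```python
"""Added example (hypothetical helpers): hex dn.regex vs. RFC 2317 dn.subtree."""
import ipaddress
import re

# Suffix taken from the thread's examples.
BASE = "dc=in-addr,dc=arpa,o=home"


def ptr_dn_hex(ip: str, base: str = BASE) -> str:
    """DN of a PTR entry with two-digit hexadecimal dc= RDNs, octets reversed
    as in in-addr.arpa, i.e. the layout dc=03,dc=02,dc=00,dc=c0,..."""
    octets = ipaddress.ip_address(ip).packed
    return ",".join("dc=%02x" % o for o in reversed(octets)) + "," + base


def hex_rdn_regex(cidr: str, base: str = BASE) -> str:
    """dn.regex pattern selecting exactly the PTR DNs of `cidr` (a block inside
    one /24).  With two hex digits per octet a block of 16..256 hosts fixes a
    range of high nibbles and leaves the low nibble free; a block of 1..8
    hosts fixes the high nibble and restricts the low one."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen < 24:
        raise ValueError("need an IPv4 block no larger than a /24")
    first, last = int(net[0]) & 0xFF, int(net[-1]) & 0xFF
    if net.prefixlen <= 28:
        hi = "[" + "".join("%x" % n for n in range(first >> 4, (last >> 4) + 1)) + "]"
        lo = "."
    else:
        hi = "%x" % (first >> 4)
        lo = "[" + "".join("%x" % n for n in range(first & 0xF, (last & 0xF) + 1)) + "]"
    upper = ",".join("dc=%02x" % o for o in reversed(net.network_address.packed[:3]))
    return "dc=%s%s,%s,%s" % (hi, lo, upper, base)


def acl_matches(pattern: str, cidr: str, base: str = BASE) -> bool:
    """True iff `pattern` hits every host DN in `cidr` and no other host DN in
    the enclosing /24.  Uses re.search, like an unanchored slapd pattern."""
    net = ipaddress.ip_network(cidr, strict=True)
    rx = re.compile(pattern)
    for host in net.supernet(new_prefix=24):
        if bool(rx.search(ptr_dn_hex(str(host), base))) != (host in net):
            return False
    return True


def rfc2317_delegation(cidr: str, nameservers) -> list:
    """Lines for the parent /24 zone delegating `cidr` RFC 2317 style: an NS
    set on the 'first/prefix' label and one CNAME per host into that label."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 delegation applies to blocks smaller than a /24")
    o = net.network_address.packed
    origin = "%d.%d.%d.in-addr.arpa." % (o[2], o[1], o[0])
    label = "%d/%d" % (o[3], net.prefixlen)
    lines = ["$ORIGIN " + origin]
    lines += ["%-16s NS      %s" % (label, ns) for ns in nameservers]
    lines += ["%-16s CNAME   %d.%s.%s" % (int(h) & 0xFF, int(h) & 0xFF, label, origin)
              for h in net]
    return lines


def rfc2317_subtree_dn(cidr: str, base: str = BASE) -> str:
    """Base DN the delegated zone's LDAP server can cover with a single
    dn.subtree ACL, using decimal labels as in the thread (dc=0/25,dc=2,...)."""
    net = ipaddress.ip_network(cidr, strict=True)
    o = net.network_address.packed
    return "dc=%d/%d,dc=%d,dc=%d,dc=%d,%s" % (o[3], net.prefixlen, o[2], o[1], o[0], base)


if __name__ == "__main__":
    pat = hex_rdn_regex("192.0.2.128/25")
    print('access to dn.regex="%s"  # covers block: %s' % (pat, acl_matches(pat, "192.0.2.128/25")))
    print("\n".join(rfc2317_delegation("192.0.2.0/25",
                                       ["ldap1-name.server.", "ldap2-name.server."])[:4]))
    print('access to dn.subtree="%s"' % rfc2317_subtree_dn("192.0.2.0/25"))
```

Running the script reproduces Howard's `dc=[89abcdef].,dc=02,dc=00,dc=c0,...` pattern for the upper half of 192.0.2.0/24 and the `dc=0/25,dc=2,dc=0,dc=192,...` subtree base for the lower half; `acl_matches` is the check worth keeping around, since a regex that silently matches one host too many or too few is exactly the failure mode the subtree rule avoids.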