Requested Update to ACL/Transfers

[sangdrax8]

It seems right now that ACL's are automatically added to the allowed transfers. It would be great if the ACL's just created ACL's, and another global variable was used for the allowed transfers, much like recursion and other options. This would allow the definition of multiple different ACL's and the ability to use those ACL's in any of the allow-* options.

[bertvv]

Ok, so that would mean a separate variable bind_allow_transfer which is a list just like bind_allow_query and maybe a boolean bind_allow_transfer_to_acls that, when true, implements the curren behaviour? Does that make sense?

[sangdrax8]

I don't know that I see much need to create the bind_allow_transfer_to_acls. You can avoid maintaining that logic and let configurations simply put the name of the ACL they created in any of the allow sections where they would like to use the ACL.

I was specifically looking to make different ACL's for

• query
• recursion
• transfer

I can use the ACL's name in each of these locations, once the transfer one exists as a variable, and doesn't contain all other ACL's created.

[bertvv]

Ok, that makes sense, I think I understand now!

[rowanthorpe]

There is one case where bind_allow_transfer_to_acls is a useful level of specificity - to distinguish between it and bind_allow_transfer_to_keys. I just opened PR #170 which includes configurably enabling tsig-based signed transfers. The Bind default handling is that for every allow_transfer { [SECONDARY-IP]; } unsigned transfer is allowed to that specific secondary, and for every allow_transfer { key [TSIG-KEY]; } signed transfer is allowed to whomever provides the key in the request. Important to note is that if someone configures allow_transfer { [IP]; key [KEY]; } and the secondary at IP also has KEY configured for transfer then both signed and unsigned transfers are possible, so to limit to only signed transfer requires not including the IP in allow_transfer.