Re: Matching rule against IP subnet
On Sun, 16 Nov 2008, Howard Chu wrote:
>> But there is no way to tell that he can only set a pTRRecord within
>> 192.0.2.128/25, therefore my inquiry on that topic.
> And as I said before, subnets and domains are orthogonal. There is nothing in
> DNS to accommodate subnet notation, so you're still on your own here. A regex
> would probably be the best bet. Using hexadecimal RDNs would simplify things
> too.
> dn: dc=03,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home
> access to
> dn.regex="dc=[89abcdef].,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home" by foo
This might be a situation where you could steal some of the ideas from
RFC2317 so as to avoid the expensive ACL. Consider the example:
$ORIGIN 2.0.192.in-addr.arpa.
@ IN SOA my-ns.my.domain. hostmaster.my.domain. (...)
;...
; <<0-127>> /25
0/25 NS ldap1-name.server.
0/25 NS ldap2-name.server.
;
1 CNAME 1.0/25.2.0.192.in-addr.arpa.
then just configure ldap{1,2}-name.server with a comparatively cheap
access to dn.subtree="dc=0/25,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa,o=home" ...
The downfall (to my reading) is that you won't actually *stop* somebody
from writing, say, 195.2.0.192.in-addr.arpa. to that subtree. But there's
only so many stupid user tricks you can avoid, and it's got to be a lot
easier on administration than the long regexps.
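An added example, not code from either message in this thread: a small Python script that generalises both approaches discussed above. It generates an anchored OpenLDAP dn.regex for any IPv4 CIDR block in the hexadecimal-RDN layout from Howard's reply (so the /25 case produces the same character class he wrote by hand, and sub-nibble prefixes such as /29 get the right class too), and it implements the check that the RFC 2317-style subtree ACL from the reply cannot make: that the leaf label written under dc=0/25,... is a host number inside the delegated block. The entry layouts (dc=03,dc=02,dc=00,dc=c0,... and dc=1,dc=0/25,dc=2,dc=0,dc=192,...) and the o=home suffix are taken from the thread; the function names and the decision to lowercase the DN before matching are assumptions of this example. Note that the generated patterns are anchored with ^ and $, which the regex in the quoted reply omits: an unanchored dn.regex also matches DNs that merely contain the subnet's RDNs somewhere inside them. The patterns use only constructs shared by Python's re and POSIX extended regex, which is what slapd uses.

```python
# Added example for the thread above; not from OpenLDAP or either poster.
import ipaddress
import re

HEX = "0123456789abcdef"


def _nibble_class(lo, hi):
    """Regex fragment matching one hex digit in lo..hi (inclusive)."""
    return HEX[lo] if lo == hi else "[" + HEX[lo:hi + 1] + "]"


def _octet_pattern(base, fixed_bits):
    """Regex for one two-hex-digit RDN value whose top fixed_bits bits equal base's.

    base comes from a network address, so its host bits are already zero."""
    if fixed_bits == 8:
        return "%02x" % base
    if fixed_bits == 0:
        return "[0-9a-f]{2}"
    span = 1 << (8 - fixed_bits)          # number of host values in this octet
    lo, hi = base, base + span - 1
    if span >= 16:                        # low nibble free, high nibble ranges
        return _nibble_class(lo >> 4, hi >> 4) + "[0-9a-f]"
    return HEX[lo >> 4] + _nibble_class(lo & 0xF, hi & 0xF)


def hex_ptr_dn_regex(cidr, suffix="o=home"):
    """Anchored dn.regex matching every per-host PTR entry inside cidr.

    Assumes the thread's hex layout: dc=03,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home
    (octets reversed, two lowercase hex digits each)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    parts, remaining = [], net.prefixlen
    for octet in net.network_address.packed:
        parts.append("dc=" + _octet_pattern(octet, min(8, max(0, remaining))))
        remaining -= 8
    parts.reverse()                       # in-addr.arpa: least significant octet first
    return "^" + ",".join(parts) + ",dc=in-addr,dc=arpa," + suffix + "$"


def hex_ptr_dn_in_subnet(dn, cidr, suffix="o=home"):
    """True iff dn names a host PTR entry inside cidr (what the ACL would grant).

    Lowercasing before the match is an assumption of this example."""
    return re.match(hex_ptr_dn_regex(cidr, suffix), dn.lower()) is not None


def rfc2317_label_ok(dn, cidr, suffix="o=home"):
    """For the reply's RFC 2317 layout (dc=1,dc=0/25,dc=2,dc=0,dc=192,...), check
    that the leaf label of dn is a host number that belongs to cidr.

    A dn.subtree ACL grants the whole dc=0/25,... subtree, so nothing stops a
    writer from adding dc=195 under it; this is the check the ACL does not make."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen < 25:
        raise ValueError("RFC 2317 delegation is for blocks smaller than a /24")
    o = net.network_address.packed
    first = o[3]                          # lowest host number in the block
    parent = "dc=%d/%d,dc=%d,dc=%d,dc=%d,dc=in-addr,dc=arpa,%s" % (
        first, net.prefixlen, o[2], o[1], o[0], suffix)
    m = re.match(r"^dc=(\d{1,3})," + re.escape(parent) + "$", dn)
    if not m:
        return False
    host = int(m.group(1))
    return first <= host < first + net.num_addresses


if __name__ == "__main__":
    # Constructed sample DNs in the thread's two layouts.
    print(hex_ptr_dn_regex("192.0.2.128/25"))
    for dn in ("dc=80,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home",
               "dc=7f,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home",
               "dc=ff,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home,o=evil"):
        print(dn, hex_ptr_dn_in_subnet(dn, "192.0.2.128/25"))
    for dn in ("dc=1,dc=0/25,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa,o=home",
               "dc=195,dc=0/25,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa,o=home"):
        print(dn, rfc2317_label_ok(dn, "192.0.2.0/25"))
```

The third hex sample DN is the reason for the anchors: its RDNs match the quoted unanchored pattern, yet it does not live under o=home at all. The RFC 2317 check is the piece the reply says is missing; if the dnsZone entries are fed to slapd through a front end of your own, that is where it would go.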