Maintained by: NLnet Labs

unbound.conf(5) access-control suggestions

W.C.A. Wijngaards
Tue Sep 22 15:05:58 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Patrik,

On 05/08/15 20:14, Patrik Lundin via Unbound-users wrote:
> Hello,
> 
> Following the recent man page modifications I was reminded of
> another part of the manual that I am curious if it could be modified
> a bit. This is the part about the access-control statement. I have
> two suggestions:
> 
> #1. Mention how the rules are evaluated. Is it first match wins,
> last match wins, or most specific match wins? This is important
> when configuring overlapping rules (because only a specific subset
> should have allow_snoop for example). My testing points towards
> the most-specific-match option.

Yes. Documented that.

> 
> #2. Mention what the behaviour is for clients that do not match a 
> configured ACL. While it is stated that the unconfigured default
> is "allow localhost and refuse the rest", it is not explicitly
> stated what happens to unmatched clients once an ACL is
> configured.

The "deny" action is taken if there are no rules.  Documented that.

Best regards, Wouter


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
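
The evaluation order discussed in this thread, as an added example that is not part of the original message and not Unbound's own code: a small Python model of most-specific-match over overlapping access-control netblocks. The ruleset and client addresses are constructed for illustration, and the no-match action is set to "deny" as stated in the reply above.

```python
import ipaddress

# Constructed ruleset (not from the thread): overlapping netblocks, in no
# particular order, using access-control action names.
RULES = [
    ("192.0.2.0/24", "allow"),
    ("192.0.2.128/25", "refuse"),
    ("192.0.2.200/32", "allow_snoop"),
    ("2001:db8::/32", "allow"),
    ("2001:db8:ff::/48", "deny"),
]

# Action for a client that matches no netblock, as stated in the reply above.
NO_MATCH_ACTION = "deny"


def evaluate(client, rules=RULES):
    """Return (action, matched_netblock) for a client address.

    Among all netblocks that contain the client, the one with the longest
    prefix wins, so the order of the rules does not affect the result.
    """
    addr = ipaddress.ip_address(client)
    best = None
    for netblock, action in rules:
        net = ipaddress.ip_network(netblock, strict=True)
        # An IPv4 client can never match an IPv6 netblock, and vice versa.
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    if best is None:
        return NO_MATCH_ACTION, None
    return best[1], str(best[0])


if __name__ == "__main__":
    # Constructed client addresses covering each overlap and the no-match case.
    for client in ("192.0.2.10", "192.0.2.130", "192.0.2.200",
                   "198.51.100.7", "2001:db8:ff::1", "2001:db8:1::1"):
        action, netblock = evaluate(client)
        print(f"{client:16} -> {action:12} (matched {netblock})")
```

Running a planned ruleset through a model like this shows which clients end up with allow_snoop and which fall through to the no-match action.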