On the appliance, only certain operations support access control. You can apply one named ACL or multiple anonymous ACEs to each operation. However, you cannot apply multiple named ACLs or use a combination of named ACLs and ACEs. Note that each operation supports different access control types. For example, DNS zone transfers support IPv4 and IPv6 addresses and networks as well as TSIG key based ACEs, while AAAA filtering supports only IPv4 addresses and networks.
When you apply a named ACL to an operation, the appliance verifies that the ACEs in the named ACL are supported by the operation. The appliance also validates any new ACEs that you add to an existing named ACL. If a named ACL contains access control types that an operation does not support, the appliance displays an error message and you cannot apply that named ACL to the operation. Therefore, when you define a named ACL for a specific operation or apply an existing named ACL, ensure that it contains only access control types that the operation supports. Table 8.1 lists the access control types for NIOS operations that support access control.
Table 8.1
Operations that Support Access Control

...

Note

* Zone transfers for Microsoft servers do not support named ACLs. However, you can still use individual ACEs to configure access control. For more information about how to configure zone transfer settings for Microsoft servers, see Setting Zone Properties. In addition, the DNSone 2.x TSIG key supports only the "Allow" permission. You cannot change "Allow" to "Deny."

...

  1. Define a named ACL, as described in Defining Named ACLs.
  2. Validate the named ACL, as described in Validating Named ACLs.
  3. Apply the named ACL to specific operations, as described in Applying Access Control to Operations.
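
The validation rules described above can be checked offline before you define or apply a named ACL. The following Python sketch is an added example, not Infoblox code and not a NIOS API: the type labels, dictionary layout, ACL names, and TSIG key name are assumptions, and only the two operations whose supported types are stated in the text are modelled.

```python
import ipaddress

# Supported access control types, taken from the two operations the text
# describes. The labels are this example's own, not NIOS identifiers.
SUPPORTED = {
    "dns_zone_transfer": {"ipv4_address", "ipv4_network",
                          "ipv6_address", "ipv6_network", "tsig_key"},
    "aaaa_filtering": {"ipv4_address", "ipv4_network"},
}

# Constructed sample named ACLs (documentation address ranges, made-up key name).
SAMPLE_ACLS = {
    "xfer-acl": [{"address": "192.0.2.0/24"}, {"address": "2001:db8::/32"},
                 {"tsig_key": "xfer-key"}],
    "v4-only": [{"address": "198.51.100.7"}],
}

def ace_type(ace):
    """Classify one ACE as TSIG key, or IPv4/IPv6 address or network."""
    if "tsig_key" in ace:
        return "tsig_key"
    value = ace["address"]
    if "/" in value:  # CIDR notation means a network entry
        return f"ipv{ipaddress.ip_network(value).version}_network"
    return f"ipv{ipaddress.ip_address(value).version}_address"

def check_assignment(operation, named_acls, anonymous_aces, acl_store):
    """Return a list of rule violations; an empty list means the assignment is valid."""
    errors = []
    if len(named_acls) > 1:
        errors.append("only one named ACL can be applied to an operation")
    if named_acls and anonymous_aces:
        errors.append("named ACLs and anonymous ACEs cannot be combined")
    # Collect every ACE that would end up on the operation.
    aces = list(anonymous_aces)
    for name in named_acls:
        aces.extend(acl_store[name])
    allowed = SUPPORTED[operation]
    for ace in aces:
        kind = ace_type(ace)
        if kind not in allowed:
            errors.append(f"{kind} is not supported by {operation}: {ace}")
    return errors

if __name__ == "__main__":
    for op in SUPPORTED:
        print(op, check_assignment(op, ["xfer-acl"], [], SAMPLE_ACLS))
```
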