Module bind9_acl

Strict validator for BIND9 address_match_list entries used in allow-query, allow-transfer, and related ACL directives.

CRD-supplied values flow directly into named.conf. Without validation a malicious or compromised CRD author could close the enclosing { … } block and append arbitrary BIND9 directives. This module implements a strict whitelist of the address-match-list forms bindy supports, rejecting anything else with a structured error that reconcilers propagate to the resource status.

Accepted forms (optionally prefixed with ! for negation):

  • keywords: any, none, localhost, localnets
  • IPv4 address with optional /prefix (0..=32)
  • IPv6 address with optional /prefix (0..=128)
  • key <name> where <name> matches [A-Za-z0-9._-]{1,253}

Enums§

AclError

Constants§

MAX_ACL_ENTRY_LEN
Maximum accepted length of a single ACL entry, in bytes. Any reasonable address-match token is well under this; the cap is defensive against pathologically large CRD inputs.

Functions§

build_acl_list
Validate each entry in entries and return the ;-joined payload that goes between the { } of an allow-query / allow-transfer block.
validate_acl_entry
Validate a single address_match_list entry.
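The following is an added example, not bindy's source (this page lists the items but does not show their bodies). It is a std-only Rust reimplementation of the accepted-forms whitelist above and of the build_acl_list contract, so the two can be exercised together against an injection-style input. The AclError variants, the value 256 for MAX_ACL_ENTRY_LEN, the trimming of surrounding whitespace, the case-sensitive lowercase keyword match, the single-space key <name> form, and the trailing ; on every joined element are assumptions made for this example.

```rust
use std::fmt;
use std::net::{Ipv4Addr, Ipv6Addr};

/// Byte cap on one entry. The page does not show bindy's value; 256 is assumed here.
pub const MAX_ACL_ENTRY_LEN: usize = 256;

/// Structured rejection reason. The page names AclError but not its variants;
/// these are assumed for the example.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AclError {
    Empty,
    TooLong { len: usize, max: usize },
    BadPrefix(String),
    BadKeyName(String),
    Unsupported(String),
}

impl fmt::Display for AclError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            AclError::Empty => write!(f, "empty ACL entry"),
            AclError::TooLong { len, max } => write!(f, "ACL entry is {len} bytes, max {max}"),
            AclError::BadPrefix(e) => write!(f, "prefix length out of range in {e:?}"),
            AclError::BadKeyName(e) => write!(f, "invalid TSIG key name in {e:?}"),
            AclError::Unsupported(e) => write!(f, "not a supported address-match form: {e:?}"),
        }
    }
}

/// Keywords are matched case-sensitively in lowercase (assumed; BIND itself is more lenient).
const KEYWORDS: [&str; 4] = ["any", "none", "localhost", "localnets"];

/// key <name>: the name must match [A-Za-z0-9._-]{1,253}, as the page states.
fn is_key_name(name: &str) -> bool {
    (1..=253).contains(&name.len())
        && name.bytes().all(|b| b.is_ascii_alphanumeric() || matches!(b, b'.' | b'_' | b'-'))
}

/// Validate one address_match_list entry and return it with surrounding whitespace
/// trimmed. Anything that is not a whitelisted form is rejected, so a value such as
/// `any; }; zone "x" { ... }; allow-query { any` can never reach named.conf.
pub fn validate_acl_entry(raw: &str) -> Result<String, AclError> {
    let entry = raw.trim();
    if entry.is_empty() {
        return Err(AclError::Empty);
    }
    if entry.len() > MAX_ACL_ENTRY_LEN {
        return Err(AclError::TooLong { len: entry.len(), max: MAX_ACL_ENTRY_LEN });
    }
    // Exactly one leading '!' negates; the remainder must still be a whitelisted form.
    let body = entry.strip_prefix('!').unwrap_or(entry);
    if KEYWORDS.contains(&body) {
        return Ok(entry.to_string());
    }
    // "key <name>" with a single space (assumed). The name whitelist excludes ';', '{',
    // '}', quotes and whitespace, so the TSIG form cannot close the block either.
    if let Some(name) = body.strip_prefix("key ") {
        return if is_key_name(name) {
            Ok(entry.to_string())
        } else {
            Err(AclError::BadKeyName(entry.to_string()))
        };
    }
    // IPv4 or IPv6 literal, optionally followed by /prefix bounded by the family width.
    let (addr, prefix) = match body.split_once('/') {
        Some((a, p)) => (a, Some(p)),
        None => (body, None),
    };
    let max_bits: u32 = if addr.parse::<Ipv4Addr>().is_ok() {
        32
    } else if addr.parse::<Ipv6Addr>().is_ok() {
        128
    } else {
        return Err(AclError::Unsupported(entry.to_string()));
    };
    if let Some(p) = prefix {
        // Digits only (no sign, no whitespace, at most 3 chars) and within 0..=max_bits.
        let ok = !p.is_empty()
            && p.len() <= 3
            && p.bytes().all(|b| b.is_ascii_digit())
            && p.parse::<u32>().map_or(false, |bits| bits <= max_bits);
        if !ok {
            return Err(AclError::BadPrefix(entry.to_string()));
        }
    }
    Ok(entry.to_string())
}

/// Validate every entry and join them for use between the braces of an allow-query /
/// allow-transfer block. Each element is terminated with ';' (assumed), so the caller
/// can emit `{ <payload> }` verbatim; the first bad entry aborts the whole list.
pub fn build_acl_list<S: AsRef<str>>(entries: &[S]) -> Result<String, AclError> {
    let mut parts = Vec::with_capacity(entries.len());
    for e in entries {
        parts.push(format!("{};", validate_acl_entry(e.as_ref())?));
    }
    Ok(parts.join(" "))
}

fn main() {
    // Constructed inputs: the last one is the block-escape the page warns about.
    let inputs = [
        "!192.0.2.0/24",
        "key xfer-key.example",
        "10.0.0.0/33",
        "any; }; zone \"evil\" { type master; file \"/etc/passwd\"; }; allow-query { any",
    ];
    for i in inputs {
        match validate_acl_entry(i) {
            Ok(v) => println!("accepted: {v}"),
            Err(e) => println!("rejected: {e}"),
        }
    }
}
```

Because the validator is a whitelist rather than a blacklist of { } ; characters, the injection string is rejected for the same reason as any other typo: it is simply not one of the four forms. That is the property to preserve if the accepted forms are ever extended; adding a form that takes free text (for instance a named acl reference) would need its own character whitelist like the one used for key names.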