On Sun, 16 Nov 2008, Howard Chu wrote:
But there is no way to tell that he can only set a pTRRecord within 192.0.2.128/25, therefore my inquiry on that topic.
And as I said before, subnets and domains are orthogonal. There is nothing in DNS to accommodate subnet notation, so you're still on your own here. A regex would probably be the best bet. Using hexadecimal RDNs would simplify things too.
dn: dc=03,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home
access to dn.regex="dc=[89abcdef].,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home" by foo
This might be a situation where you could steal some of the ideas from RFC2317 so as to avoid the expensive ACL. Consider the example:
$ORIGIN 2.0.192.in-addr.arpa.
@       IN      SOA     my-ns.my.domain. hostmaster.my.domain. (...)
;...
;  <<0-127>> /25
0/25    NS      ldap1-name.server.
0/25    NS      ldap2-name.server.
;
1       CNAME   1.0/25.2.0.192.in-addr.arpa.
then just configure ldap{1,2}-name.server with a comparatively cheap
access to dn.subtree="dc=0/25,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa,o=home" ...
The downfall (to my reading) is that you won't actually *stop* somebody from writing, say, 195.2.0.192.in-addr.arpa. to that subtree. But there's only so many stupid user tricks you can avoid, and it's got to be a lot easier on administration than the long regexps.
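As an added example (not code from the thread or from OpenLDAP), here is the hexadecimal-RDN regex approach Howard quotes above, generalized to any IPv4 prefix length so the character class for a partial nibble is derived rather than hand-written. The `o=home` suffix and the two-digit-hex `dc=` layout are taken from the thread; the explicit `^`/`$` anchors and the `[0-9a-f]` class in place of `.` are my choice for a tighter pattern.

```python
import ipaddress
import re

# Base of the reverse tree as used in the thread; "o=home" is the thread's example suffix.
REVERSE_BASE = "dc=in-addr,dc=arpa,o=home"


def hex_rdn_dn(addr: str, base: str = REVERSE_BASE) -> str:
    """DN of one PTR entry with two-digit hex RDNs, least significant octet first."""
    octets = ipaddress.IPv4Address(addr).packed
    return ",".join(f"dc={o:02x}" for o in reversed(octets)) + "," + base


def _nibble_class(value: int, fixed_bits: int) -> str:
    """Regex atom matching hex digits whose top `fixed_bits` bits equal those of `value`."""
    if fixed_bits == 0:
        return "[0-9a-f]"            # nibble fully inside the host part
    if fixed_bits == 4:
        return f"{value:x}"          # nibble fully inside the network part
    mask = (0xF << (4 - fixed_bits)) & 0xF
    digits = "".join(f"{d:x}" for d in range(16) if (d & mask) == (value & mask))
    return f"[{digits}]"


def hex_rdn_regex(cidr: str, base: str = REVERSE_BASE) -> str:
    """Anchored dn.regex pattern covering every hex-RDN PTR entry inside `cidr`."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    rdns = []
    for i, octet in enumerate(net.network_address.packed):
        bits = max(0, min(8, net.prefixlen - 8 * i))   # network bits in this octet
        hi = _nibble_class(octet >> 4, min(4, bits))
        lo = _nibble_class(octet & 0xF, max(0, bits - 4))
        rdns.append(f"dc={hi}{lo}")
    # DN order is reversed relative to the address, exactly as in in-addr.arpa.
    return "^" + ",".join(reversed(rdns)) + "," + base + "$"


def dn_in_subnet(dn: str, cidr: str) -> bool:
    """True if `dn` names a PTR entry inside `cidr` according to the generated pattern."""
    return re.fullmatch(hex_rdn_regex(cidr), dn) is not None


if __name__ == "__main__":
    # Reproduces the /25 case from the thread, then a /30 that needs a low-nibble class.
    for cidr in ("192.0.2.128/25", "192.0.2.4/30"):
        print(f'access to dn.regex="{hex_rdn_regex(cidr)}" by foo')
```

Pasting the printed pattern into slapd.conf is left to the reader; the point is that the class for a /26, /28 or /30 falls out of the same rule as Howard's `[89abcdef]` for a /25.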