In message <CAOJ-cLgi-Z1DyEnKq1PbK4+jzGG3ew8ZHfv10B751sEbb9V-=q...@mail.gmail.com>, GS Bryan writes:

> I tried to use the acl statement in my named.conf file, but I have a
> hard time making it work. In my named.conf file, I've put these acl
> statements in these formats (made-up IP addresses, mind you):
>
> ----------
> // Individual ACL list
>
> acl addr1 {
>     11.22.33.44;
>     12.23.34.45;
> };
>
> acl addr2 {
>     22.33.44.55;
>     5.4.3.2;
>     99.0.0.0;
> };
>
> acl addr3 {
>     111.3.4.5;
>     2001:3000::1;
>     122.3.4.5;
>     2001:3000::2;
> };
>
>
> // Nested ACLs list
>
> acl alladdr {
>     addr1;
>     addr2;
>     addr3;
> };
>
> ------------
>
> Then when I put the 'alladdr' thing in my 'allow-transfer' and
> 'also-notify' arguments, as shown below, BIND will fail to start:

also-notify does not take an ACL (it is not an access control). It will take a named "masters" list.

> -----------
>
> zone "example.net" {
>     type master;
>     file "examplenet.conf";
>     allow-transfer { "alladdr"; };
>     also-notify { "alladdr"; };
>     key-directory "keys/examplenet/";
>     inline-signing yes;
>     auto-dnssec maintain;
> };
>
> -------
>
> Here is the log:
>
> ------
> ----------------------------------------------------
> BIND 9 is maintained by Internet Systems Consortium,
> Inc. (ISC), a non-profit 501(c)(3) public-benefit
> corporation. Support and training for BIND 9 are
> available at https://www.isc.org/support
> ----------------------------------------------------
> adjusted limit on open files from 1024 to 1048576
> found 1 CPU, using 1 worker thread
> using 1 UDP listener per interface
> using up to 4096 sockets
> loading configuration from '/etc/named.conf'
> reading built-in trusted keys from file '/etc/named.iscdlv.key'
> using default UDP/IPv4 port range: [1024, 65535]
> using default UDP/IPv6 port range: [1024, 65535]
> listening on IPv4 interface lo, 127.0.0.1#53
> listening on IPv4 interface venet0:0, <redacted>#53
> listening on IPv6 interface lo, ::1#53
> listening on IPv6 interface venet0, <redacted>#53
> generating session key for dynamic DNS
> sizing zone task pool based on 10 zones
> /etc/named.conf:111: masters "alladdr" not found
> loading configuration: not found
> exiting (due to fatal error)
> -----
>
> From examples I read from the Internet, I don't think I have done
> anything wrong. If I put all the IP addresses from addr1, addr2 and
> addr3 into the allow-transfer and also-notify statements, BIND will
> start normally without problems.

A plain address in an acl is shorthand for address/32 or address/128, depending upon the address type. While they are visually similar, the two lists are functionally very different.

The acl addr3 you have above is shorthand for:

acl addr3 {
    111.3.4.5/32;
    2001:3000::1/128;
    122.3.4.5/32;
    2001:3000::2/128;
};

You could define masters lists and use those, e.g.

masters addr3 {
    111.3.4.5;
    2001:3000::1;
    122.3.4.5;
    2001:3000::2;
};

You can even tell named to use specific keys and ports when talking to the server.

masters addr3 {
    111.3.4.5 port 333 key xxxx;
    2001:3000::1;
    122.3.4.5;
    2001:3000::2;
};

Mark

> Thanks for reading.
> --
> Bryan S.G.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
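As an added illustration of the distinction drawn in the reply above (this is not configuration from the thread or from ISC), here is one way the original zone could be written so that the address-match list feeds allow-transfer while a separate masters list feeds also-notify. The key name xfer-key, the list name notify-peers, the port number and the secret are assumed placeholders; the addresses are the made-up ones from the question.

```conf
// Added example, not from the original post or from ISC.

// acl: address-match lists. Only allow-* style options consume these.
// A bare address is shorthand for address/32 (IPv4) or address/128 (IPv6).
acl addr1 { 11.22.33.44; 12.23.34.45; };
acl addr2 { 22.33.44.55; 5.4.3.2; 99.0.0.0; };
acl addr3 { 111.3.4.5; 2001:3000::1; 122.3.4.5; 2001:3000::2; };
acl alladdr { addr1; addr2; addr3; };

// TSIG key used to sign transfers and notifies. Name and secret are
// placeholders; generate a real secret with tsig-keygen and keep it
// out of world-readable files.
key xfer-key {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};

// masters: a server list (address, optional port, optional key).
// also-notify and the masters option of secondary zones consume these;
// an acl name is not accepted here, which is what the log reported.
masters notify-peers {
    11.22.33.44;
    12.23.34.45 port 5353 key xfer-key;   // assumed port and key
    2001:3000::1;
};

zone "example.net" {
    type master;
    file "examplenet.conf";
    // Restrict transfers to the ACL *and* require the TSIG key, so a
    // spoofed source address alone is not enough to pull the zone.
    allow-transfer { key xfer-key; alladdr; };
    also-notify { notify-peers; };        // masters list, not an acl
    key-directory "keys/examplenet/";
    inline-signing yes;
    auto-dnssec maintain;
};
```

Run named-checkconf against the file before reloading; it reports the same "masters ... not found" class of error at parse time, so an acl name accidentally placed in also-notify is caught without taking the server down. Note that allow-transfer { key xfer-key; alladdr; } matches if either element matches; to require both a source address and a valid signature, nest the list as { alladdr; } inside a separate check or simply list only the key and keep the address restriction at the firewall, whichever fits your environment.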