Re: Problem with ACL in named.conf
On 30/08/12 03:19, GS Bryan wrote:
> My BIND version, as shown by 'named -v', is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6.
> 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever.
>
> -- Bryan S.G.

You're correct - named-checkconf doesn't see the problem, but named errors during start-up. I'm opening a bug ticket for you.

Cathy

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
On 30/08/12 03:17, GS Bryan wrote:
> hmm... that explains it. Damn, DNSMadeEasy needs to have notify notices sent to a different IP set than their nameserver service. This means that I have to hardcode this myself.
>
> Another question then: if zone 'example.net' has the NS records 'ns1.example.net' (its IP address is 101.1.1.1) and 'ns2.example.net' (its IP address is 101.1.2.1), and I put 'also-notify { 22.22.22.222; 22.22.22.223; 22.22.22.224; };' in the zone clause, then when the zone file is modified, notify messages will be sent to 101.1.1.1, 101.1.2.1, 22.22.22.222, 22.22.22.223, and 22.22.22.224, right?

Yes (except for the master listed in the SOA record), and unless you have 'notify explicit;' set.
Re: Problem with ACL in named.conf
On 08/29/2012 03:25 PM, GS Bryan wrote:
> Then when I put the 'alladdr' thing in my 'allow-transfer' and 'also-notify' arguments,

also-notify does not take an acl. The ARM will give you more information on the grammar.

That said, this is a very annoying problem that I wish there was a better solution for. I used to build my conf files with m4 to work around this, but that was a big hammer for a very large installation. You might be able to do something simpler by putting notes in the conf to remind people who update one area to also update the other.

Doug
Re: Problem with ACL in named.conf
On Thu, 30 Aug 2012, GS Bryan wrote:
> also-notify { alladdr; };

This uses an ip_addr instead of an address_match_list. Some versions of named-checkconf will tell you "expected IP address".

> /etc/named.conf:111: masters alladdr not found

I can't reproduce your problem. What version of BIND are you running? (I am surprised it didn't log the version.)

Also please consider using named-checkconf in your testing.
Re: Problem with ACL in named.conf
In message <CAOJ-cLgi-Z1DyEnKq1PbK4+jzGG3ew8ZHfv10B751sEbb9V-=q...@mail.gmail.com>, GS Bryan writes:
> I tried to use the acl statement in my named.conf file, but I have a hard time making it work. In my named.conf file, I've put these acl statements in these formats (made-up IP addresses, mind you):
>
>     // Individual ACL lists
>     acl addr1 { 11.22.33.44; 12.23.34.45; };
>     acl addr2 { 22.33.44.55; 5.4.3.2; 99.0.0.0; };
>     acl addr3 { 111.3.4.5; 2001:3000::1; 122.3.4.5; 2001:3000::2; };
>
>     // Nested ACL list
>     acl alladdr { addr1; addr2; addr3; };
>
> Then when I put the 'alladdr' thing in my 'allow-transfer' and 'also-notify' arguments, as shown below, BIND will fail to start:

also-notify does not take an ACL (it is not an access control). It will take a named masters list.

>     zone example.net {
>         type master;
>         file examplenet.conf;
>         allow-transfer { alladdr; };
>         also-notify { alladdr; };
>         key-directory keys/examplenet/;
>         inline-signing yes;
>         auto-dnssec maintain;
>     };
>
> Here is the log:
>
>     BIND 9 is maintained by Internet Systems Consortium, Inc. (ISC), a non-profit 501(c)(3) public-benefit corporation. Support and training for BIND 9 are available at https://www.isc.org/support
>     adjusted limit on open files from 1024 to 1048576
>     found 1 CPU, using 1 worker thread
>     using 1 UDP listener per interface
>     using up to 4096 sockets
>     loading configuration from '/etc/named.conf'
>     reading built-in trusted keys from file '/etc/named.iscdlv.key'
>     using default UDP/IPv4 port range: [1024, 65535]
>     using default UDP/IPv6 port range: [1024, 65535]
>     listening on IPv4 interface lo, 127.0.0.1#53
>     listening on IPv4 interface venet0:0, redacted#53
>     listening on IPv6 interface lo, ::1#53
>     listening on IPv6 interface venet0, redacted#53
>     generating session key for dynamic DNS
>     sizing zone task pool based on 10 zones
>     /etc/named.conf:111: masters alladdr not found
>     loading configuration: not found
>     exiting (due to fatal error)
>
> From examples I read on the Internet, I don't think I have done anything wrong. If I put all the IP addresses from addr1, addr2 and addr3 into the allow-transfer and also-notify statements, BIND will start normally without problems.

A plain address in an acl is shorthand for address/32 or address/128, depending upon the address type. While they are visually similar, the two lists are functionally very different. The acl addr3 you have above is shorthand for:

    acl addr3 { 111.3.4.5/32; 2001:3000::1/128; 122.3.4.5/32; 2001:3000::2/128; };

You could define masters lists and use those, e.g.

    masters addr3 { 111.3.4.5; 2001:3000::1; 122.3.4.5; 2001:3000::2; };

You can even tell named to use specific keys and ports when talking to the server:

    masters addr3 { 111.3.4.5 port 333 key <key_name>; 2001:3000::1; 122.3.4.5; 2001:3000::2; };

Mark

> Thanks for reading.
>
> -- Bryan S.G.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Problem with ACL in named.conf
On 08/29/2012 04:02 PM, Mark Andrews wrote:
> A plain address in an acl is shorthand for address/32 or address/128, depending upon the address type. While they are visually similar, the two lists are functionally very different.

Mark,

I understand the behind-the-scenes reasons why the two things are handled differently. But I still think it would be awesome to have a new kind of list that accepts bare IP addresses and can be used inside both allow-transfer and also-notify. It's a really common issue to need to configure the same list for both, and having to do it twice in the first place, and then keep it updated twice down the road, really screams out for a programmatic solution.

Doug
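Editor's added example (not code from the thread, from ISC, or from any poster): the "programmatic solution" Doug asks for above, applied to the acl/masters distinction Mark explains. One dict of addresses is the single source; from it the script emits the acl form (bare address normalised to /32 or /128), a masters list (bare host addresses only, so a CIDR prefix or an acl name like 'alladdr' is rejected at generation time rather than at named start-up), and the zone stanza wiring allow-transfer to the acl and also-notify to the masters list. It also encodes the NOTIFY target rule from the reply to Bryan's question (NS hosts plus also-notify, minus the SOA MNAME host, or only also-notify with 'notify explicit'). The addresses are the made-up ones from the original post; the function names, the zone file name convention and the 'xfer' key name are this example's own assumptions.

```python
"""Generate matching BIND 9 'acl' and 'masters' lists from one address set.

Added example, not code from the thread or from ISC. An acl is an
address_match_list (a bare address is shorthand for /32 or /128);
also-notify takes ip_addr entries or a named masters list (bare address,
optional port and key). Generating both from one source keeps them in sync.
"""
import ipaddress

# Constructed sample input: the made-up addresses from the original post.
GROUPS = {
    "addr1": ["11.22.33.44", "12.23.34.45"],
    "addr2": ["22.33.44.55", "5.4.3.2", "99.0.0.0"],
    "addr3": ["111.3.4.5", "2001:3000::1", "122.3.4.5", "2001:3000::2"],
}


def acl_prefix(entry):
    """Normalise an acl element to the prefix form named uses internally:
    a bare IPv4 address becomes a.b.c.d/32, a bare IPv6 address .../128,
    and an explicit CIDR prefix is kept as-is."""
    return str(ipaddress.ip_network(entry, strict=False))


def masters_entry(entry, port=None, key=None):
    """One element of a masters list. Must be a host address: a CIDR prefix
    or an acl name (the thread's 'alladdr') raises ValueError here, which is
    the mistake named itself only reports at start-up as
    'masters alladdr not found'."""
    ip = ipaddress.ip_address(entry)
    s = str(ip)
    if port is not None:
        s += f" port {int(port)}"
    if key is not None:
        s += f' key "{key}"'  # TSIG key name, defined elsewhere in named.conf
    return s + ";"


def render_acl(name, entries):
    body = " ".join(f"{acl_prefix(e)};" for e in entries)
    return f"acl {name} {{ {body} }};"


def render_masters(name, entries, port=None, key=None):
    body = " ".join(masters_entry(e, port, key) for e in entries)
    return f"masters {name} {{ {body} }};"


def render_zone(zone, acl_name, masters_name, known_masters, explicit=False):
    """Zone stanza: allow-transfer references the acl, also-notify the
    masters list. The name handed to also-notify has to be a masters list."""
    if masters_name not in known_masters:
        raise ValueError(f"also-notify needs a masters list; '{masters_name}' is not one")
    lines = [f'zone "{zone}" {{', "    type master;", f'    file "{zone}.db";']
    if explicit:
        lines.append("    notify explicit;")  # NOTIFY only the also-notify hosts
    lines += [f"    allow-transfer {{ {acl_name}; }};",
              f"    also-notify {{ {masters_name}; }};",
              "};"]
    return "\n".join(lines)


def render_config(groups, zone, explicit=False):
    """Per-group acls, a nested 'alladdr' acl, one flat 'alladdr' masters
    list and the zone stanza, all derived from the same dict."""
    out = [render_acl(n, a) for n, a in groups.items()]
    nested = " ".join(f"{n};" for n in groups)
    out.append(f"acl alladdr {{ {nested} }};")
    flat = [e for addrs in groups.values() for e in addrs]
    out.append(render_masters("alladdr", flat))
    out.append(render_zone(zone, "alladdr", "alladdr", {"alladdr"}, explicit))
    return "\n".join(out) + "\n"


def notify_targets(ns_addrs, also_notify, soa_mname_addr=None, explicit=False):
    """Addresses that receive NOTIFY under the rule stated in the thread:
    NS-record hosts plus also-notify, minus the SOA MNAME host; with
    'notify explicit' only the also-notify list."""
    targets = set(also_notify)
    if not explicit:
        targets |= set(ns_addrs) - {soa_mname_addr}
    return targets


if __name__ == "__main__":
    print(render_config(GROUPS, "example.net"))
```

Run the script and feed its output (together with the rest of your named.conf) to named-checkconf; the generated masters list is what also-notify accepts, while the acl keeps serving allow-transfer, and both change together when the dict changes.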
Re: Problem with ACL in named.conf
hmm... that explains it. Damn, DNSMadeEasy needs to have notify notices sent to a different IP set than their nameserver service. This means that I have to hardcode this myself.

Another question then: if zone 'example.net' has the NS records 'ns1.example.net' (its IP address is 101.1.1.1) and 'ns2.example.net' (its IP address is 101.1.2.1), and I put 'also-notify { 22.22.22.222; 22.22.22.223; 22.22.22.224; };' in the zone clause, then when the zone file is modified, notify messages will be sent to 101.1.1.1, 101.1.2.1, 22.22.22.222, 22.22.22.223, and 22.22.22.224, right?

-- Bryan S.G.

On Thu, Aug 30, 2012 at 9:42 AM, Doug Barton <do...@dougbarton.us> wrote:
> On 08/29/2012 03:25 PM, GS Bryan wrote:
>> Then when I put the 'alladdr' thing in my 'allow-transfer' and 'also-notify' arguments,
>
> also-notify does not take an acl. The ARM will give you more information on the grammar.
>
> That said, this is a very annoying problem that I wish there was a better solution for. I used to build my conf files with m4 to work around this, but that was a big hammer for a very large installation. You might be able to do something simpler by putting notes in the conf to remind people who update one area to also update the other.
>
> Doug
Re: Problem with ACL in named.conf
My BIND version, as shown by 'named -v', is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6. 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever.

-- Bryan S.G.

On Thu, Aug 30, 2012 at 9:59 AM, Jeremy C. Reed <jr...@isc.org> wrote:
> On Thu, 30 Aug 2012, GS Bryan wrote:
>> also-notify { alladdr; };
>
> This uses an ip_addr instead of an address_match_list. Some versions of named-checkconf will tell you "expected IP address".
>
>> /etc/named.conf:111: masters alladdr not found
>
> I can't reproduce your problem. What version of BIND are you running? (I am surprised it didn't log the version.)
>
> Also please consider using named-checkconf in your testing.