Hello,
I was wondering if anyone could provide feedback on whether the
following: newsyslog.conf file is correct to allow for daily log
rotation for my Bind 9.16.30 logs?
My current logging settings in named.conf are:
...
logging {
channel chn_file_queries {
As I initially thought that bind worked with the normal notation of a
subnet, I did the configuration as I initially posted.
Now with your explanations I see that it is as Greg commented. This is just
pattern matching.
Thank you all!!!
On Wed, Aug 24, 2022 at 1:23 PM Ondřej Surý wrote:
> The
The original problem was that BIND 9.16 now requires use of CIDR blocks rather
than using IP addresses in CIDR notation. Using arbitrary IP address to specify
CIDR block doesn’t make much sense and is prone to errors - when you see
10.10.1.0/23 it’s quite hard to tell what was the original
> Such use case (authoritative data) is fine, I was merely speaking about
> caching server before.
> Understood. Interesting. Was my understanding of DynDB correct? It reads
> from a backend DB into memory, to eliminate the latency?
> In my proposed "workaround" (a hidden primary server with DLZ
> On 24 Aug 2022, at 16.52, Greg Choules
> wrote:
>
> Hi Sten.
> That is absolutely what you do *not* want to do.
>
> Writing it out in binary might help. /23 means the following:
> 1110
>
> '1' bits mean, test an incoming address against the corresponding bit
Hi Sten.
That is absolutely what you do *not* want to do.
Writing it out in binary might help. /23 means the following:
1110
'1' bits mean, test an incoming address against the corresponding bit from
the address in the mask.
'0' bits mean, don't test an incoming
I think you want something like this:
(!10.60.0.0; !10.60.0.255; 10.60.0.0/24)
First deny the two addresses you want not to be part of the ACL and then accept
the whole network.
First match is used, so 10.60.0.0 would match !10.60.0.0 and be rejected before
the next are tested.
Thanks
Sten
>
> No, it's not. This is ACL specification, not an interface/network
> configuration.
Ok.
> No, I've already provided you with a correct answer what 10.60.0.0/23 means
> in terms of range, why do you insist on this?
ok.
> I think others have already answered that, I would be just repeating
> On 24. 8. 2022, at 15:58, Elias Pereira wrote:
>
> hello Ondrej,
>
> Not completely wrong, because 255 is the broadcast.
No, it's not. This is ACL specification, not an interface/network configuration.
> For a better understanding, then it would be Available range 10.60.0.1 to
>
hello Ondrej,
Not completely wrong, because 255 is the broadcast.
For a better understanding, then it would be Available range 10.60.0.1 to
10.60.1.254.
Correctly specified range (without address/host bits) does take the whole
> range.
Like this 10.60/23; ?
On Wed, Aug 24, 2022 at 10:33 AM
> On 24. 8. 2022, at 15:26, Elias Pereira wrote:
>
>
> Hello Greg,
>
> Why doesn't bind work with networks/subnets in the conventional way?
It does.
> If the private subnet is 10.60.0.0/23, then it means that the address range
> is 10.60.0.1 to 10.60.1.254.
That’s wrong. 10.60.0.0/23
Hello Greg,
Why doesn't bind work with networks/subnets in the conventional way?
If the private subnet is 10.60.0.0/23, then it means that the address range
is 10.60.0.1 to 10.60.1.254.
How do I configure this ACL in named.conf.local so that it takes the whole
range?
On Wed, Aug 24, 2022 at
On 24/08/2022 14:16, Elias Pereira wrote:
Hi Elias,
Oh, sorry... :D
here it is
# cat named.conf.local
# ACL for the internal networks
# Last modified: 24/08/2022
acl "internal" {
10.60.0.1/23;
This is the issue. The address part of the prefix should be the lowest
address in that prefix. If
Hi Elias.
I can't say why this might have worked with 9.11 (if it did - I'd be
surprised). But you should not/cannot define ACLs like this:
10.60.0.1/23;
/23 means consider only the first 23 bits of the available 32 bits of an
IPv4 address and ignore the rest (in this context. Please don't someone
I changed all the networks from x.x.x.1/x to x.x.x.0/x and it seems to me
that it now works.
On Wed, Aug 24, 2022 at 9:16 AM Elias Pereira wrote:
> Oh, sorry... :D
>
> here it is
>
> # cat named.conf.local
> # ACL for the internal networks
> # Last modified: 24/08/2022
>
> acl "internal" {
>
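The three points made in this thread (a /23 mask in binary, BIND 9.16's rejection of an entry like 10.60.0.1/23 whose address is not the lowest address of its prefix, and Sten's first-match ACL with negated entries) can be checked together with a small model of a BIND address_match_list. This is an added example, not code from the thread or from BIND; it uses only Python's standard ipaddress module, and the function names, the PrefixMismatch exception and the sample ACL text are constructed for illustration.

```python
import ipaddress

# Constructed example modelling BIND address_match_list behaviour; not BIND code.


class PrefixMismatch(ValueError):
    """Raised when an entry's address has host bits set, i.e. it is not the
    lowest address of its prefix: the condition BIND 9.16 reports as
    'address/prefix length mismatch'."""


def netmask_binary(prefixlen: int) -> str:
    """Dotted-binary IPv4 netmask for a prefix length, e.g. /23.
    '1' bits are compared against an incoming address, '0' bits are ignored."""
    mask = int(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)
    bits = f"{mask:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def parse_entry(entry: str):
    """Parse one element: optional '!' then an address or an address/prefix.
    Like BIND 9.16, reject a prefix whose address part has host bits set."""
    text = entry.strip().rstrip(";").strip()
    negate = text.startswith("!")
    if negate:
        text = text[1:].strip()
    try:
        network = ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        raise PrefixMismatch(f"{text}: {exc}") from None
    return negate, network


def parse_acl(body: str):
    """Parse the body of an acl { ... } block into a list of (negate, network)."""
    return [parse_entry(e) for e in body.split(";") if e.strip()]


def acl_match(acl, address: str) -> bool:
    """First-match semantics: the first element containing the address decides.
    A negated element denies; an address matching no element is denied."""
    addr = ipaddress.ip_address(address)
    for negate, network in acl:
        if addr in network:
            return not negate
    return False


def corrected_entry(entry: str) -> str:
    """Rewrite 'x.x.x.1/n' to the lowest address of its prefix ('x.x.x.0/n'),
    the change that made the upgraded server accept the ACL."""
    text = entry.strip().rstrip(";").strip()
    negate = text.startswith("!")
    if negate:
        text = text[1:].strip()
    network = ipaddress.ip_network(text, strict=False)
    return ("!" if negate else "") + str(network)


if __name__ == "__main__":
    print("/23 mask:", netmask_binary(23))
    try:
        parse_entry("10.60.0.1/23;")
    except PrefixMismatch as exc:
        print("rejected:", exc)
    print("corrected:", corrected_entry("10.60.0.1/23;"))
    # Sten's ACL: deny the two addresses first, then accept the whole /24.
    acl = parse_acl("!10.60.0.0; !10.60.0.255; 10.60.0.0/24;")
    for ip in ("10.60.0.0", "10.60.0.17", "10.60.0.255", "10.60.1.5"):
        print(ip, "allowed" if acl_match(acl, ip) else "denied")
```

Because evaluation stops at the first matching element, the order in Sten's list matters: placing 10.60.0.0/24 before the two negated entries would accept 10.60.0.0 and 10.60.0.255 before the exclusions are ever consulted.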
Oh, sorry... :D
here it is
# cat named.conf.local
# ACL for the internal networks
# Last modified: 24/08/2022
acl "internal" {
10.60.0.1/23;
10.10.1.1/24;
10.10.2.1/25;
10.10.3.1/25;
10.10.4.1/25;
10.10.5.1/25;
10.51.0.1/23;
10.10.6.1/25;
10.10.7.1/26;
172.20.0.1/26;
10.50.0.1/23;
10.40.0.1/22;
On 24/08/2022 14:08, Elias Pereira wrote:
Hi Elias,
I upgraded my AD, debian 10 to 11 and bind upgraded to version 9.16.27.
Now I get the address/prefix length mismatch error in name.conf.local.
In my first AD that I have not upgraded yet, it is working correctly with
the same settings in
Hello,
I upgraded my AD, debian 10 to 11 and bind upgraded to version 9.16.27.
Now I get the address/prefix length mismatch error in name.conf.local.
In my first AD that I have not upgraded yet, it is working correctly with
the same settings in version 9.11.x.
What is the problem with version
> On 24. 8. 2022, at 11:01, hamid wrote:
>
> > Perhaps, describing the use case first (why do you want to use MongoDB at
> > all) might have the benefit of not wasting time on your end.
>
> Forgot to answer this, my use case would be the same as someone who uses a
> SQL DB backend I imagine:
> Perhaps, describing the use case first (why do you want to use MongoDB at
> all) might have the benefit of not wasting time on your end.
> Forgot to answer this, my use case would be the same as someone who uses a
> SQL DB backend I imagine: to be able to configure multiple BIND endpoints,
> BIND does have dyndb support, since 9.11.
> As far as I know, though, the only two dyndb modules in existence are
> the bind-dyndb-ldap module that was written by Red Hat as part of
> FreeIPA, and a toy module used for testing. If you were interested in
> writing your MongoDB module for dyndb
> On 24. 8. 2022, at 8:48, Evan Hunt wrote:
>
>> In the absence of that, is caching from DLZ a possible configuration
>> on a single BIND server?
>
> Not DLZ, no. And I'm not sure dyndb can be used for the cache database,
> either; do you know something about it that I don't?
>
> It would
> Regarding the child process(es), does named create one child process,
> or can it be multiple processes? I assume each process loads the
> shared objects for itself, so only one call to dns_dlzcreate per
> process?
I'm pretty sure it's called only once on startup, after daemonizing,
and again