Re: acl in also-notify

2024-02-08 Thread Greg Choules via bind-users
K. Bins wrote: > Randy, > > ra...@psg.com (Randy Bush) wrote: > > > can i use an acl{} or other macro in `also-notify`? i have a bunch of > > zones where i want the same `also-notify` list. > > Been running into the same issue and tried to find out. My master lists

Re: acl in also-notify

2024-02-08 Thread Elmar K. Bins
Randy, ra...@psg.com (Randy Bush) wrote: > can i use an acl{} or other macro in `also-notify`? i have a bunch of > zones where i want the same `also-notify` list. Been running into the same issue and tried to find out. My master lists and acls are identical as yours seem to be. I've bee

acl in also-notify

2024-02-08 Thread Randy Bush
have spent a bit searching but no result. so ... can i use an acl{} or other macro in `also-notify`? i have a bunch of zones where i want the same `also-notify` list. thanks randy -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds

Re: acl type construct for update-policy

2021-11-10 Thread John Thurston
On 11/10/2021 6:25 AM, Giddings, Bret wrote: Is there any other facility for including effectively the same grant statements within multiple zones? I am not aware of any -- Do things because you should, not just because you can. John Thurston 907-465-8591 john.thurs...@alaska.gov

acl type construct for update-policy

2021-11-10 Thread Giddings, Bret
Hello, I want to use the same update-policy grant statements multiple times in different zones and would therefore prefer to use something like an ACL. It doesn’t appear to be the case that you can create something like acl “FOO” { grant EXAMPLE.COM krb5-self . A ; grant * tcp-self . PTR(1

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Ondřej Surý
; The ECS option is still supported in dig and mdig >> via the +subnet option, and can be parsed and logged >> when received by named, but it is no longer used >> for ACL processing. The "

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Ryan McGuire
) the ECS to you, that works great, but the plumbing into the acl is what is needed to serve up a separate view by source client. Being realistic, this is not a large deployment, if it's an edge case then it is surely not worth anyone's time to add support back in. Thank you again

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Evan Hunt
On Thu, Sep 02, 2021 at 02:26:59PM -0400, Ryan McGuire wrote: > Thank you, in my searching I failed to come across that. > > Do you know if it's been replaced by something more "practical to > deploy"? I found some discussion regarding support for "The PROXY > Protocol"

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Ryan McGuire
oy) has been removed. The ECS option is still supported in dig and mdig via the +subnet option, and can be parsed and logged when received by named, but it is no longer used for ACL processing. The

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Evan Hunt
The ECS option is still supported in dig and mdig via the +subnet option, and can be parsed and logged when received by named, but it is no longer used for ACL processing. The "geoip-use-ecs" option

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Ryan McGuire
. -Ryan On 9/2/21 10:06 AM, Ryan McGuire wrote: I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a view. The views are working well, and the ECS is read by bind9 (see log below), but I can't seem to find a syntax for adding an ecs entry into an acl. Here is what I've tried

Syntax for ECS ACL Entry

2021-09-02 Thread Ryan McGuire
I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a view. The views are working well, and the ECS is read by bind9 (see log below), but I can't seem to find a syntax for adding an ecs entry into an acl. Here is what I've tried: acl "filtered" {   192.168.0.90;   19

Re: GeoIP ACL

2021-04-25 Thread Evan Hunt
On Sun, Apr 25, 2021 at 01:47:31PM +0530, Sachchidanand Upadhyay via bind-users wrote: > I am using geoip based ACL to restrict traffic. Now I want to allow all > country traffic except two or three, like i want to allow all traffic > except country A, B and C. > > Can anyone

GeoIP ACL

2021-04-25 Thread Sachchidanand Upadhyay via bind-users
Hi, I am using geoip based ACL to restrict traffic. Now I want to allow all country traffic except two or three, like i want to allow all traffic except country A, B and C. Can anyone give an example to achieve the same? BR, Sachchidanand

Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-16 Thread Evan Hunt
On Thu, Apr 15, 2021 at 03:35:38PM +0800, Zhengyu Pan wrote: > I want to implement intelligent DNS through bind9. I need to add a custom > line (IP address ranges) to bind9 using acl and view when adding a user. > Because when adding a tenant, I need to define a new acl and view. I don't > wa

Re:Re: Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Zhengyu Pan
>do you mean, the same domains with different content, depending on clients' >IPs? That's common multiple-view setup >(nothing special or intelligent). Yes, I will create a view and acl for every client, because every client has a unique IP address. >Why? Do you have that

Re: Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Matus UHLAR - fantomas
Ps? Maybe they could use local DNS server talking to your DNS server using TSIG, and instead of IPs you'd define TSIG keys. So I want to know whether there are commands or an API to add acl and view, like the command "rndc addacl" or "rndc addview"? I'm afraid for now there's no way

Re:Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Zhengyu Pan
The views and ACLs are added frequently. So I want to know whether there are commands or an API to add acl and view, like the command "rndc addacl" or "rndc addview"? Updating the config file frequently may affect other zones in this DNS server. At 2021-04-15 15:08:26, "Matus UHLAR - f

Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Matus UHLAR - fantomas
On 15.04.21 15:35, Zhengyu Pan wrote: I want to implement intelligent DNS through bind9. I need to add a custom line (IP address ranges) to bind9 using acl and view when adding a user. Because when adding a tenant, I need to define a new acl and view. I don't want to update named.conf config file

Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Zhengyu Pan
Hi, I want to implement intelligent DNS through bind9. I need to add a custom line (IP address ranges) to bind9 using acl and view when adding a user. Because when adding a tenant, I need to define a new acl and view. I don't want to update the named.conf config file frequently. Does bind9 support

Re: Bind 9.11 question (ACL ecs )

2016-10-25 Thread Mark Andrews
You use the "ecs" key word like this. acl example { ecs 10.0.0.0/8; }; view ecs-net-10-only { match-clients { example; }; }; Also using colour or fonts is not a good way to highlight what

Re: Bind 9.11 question (ACL ecs )

2016-10-25 Thread Bob Harold
query was > received, enabling > authoritative servers to give different answers to the same resolver for > different resolver clients. > > > > *An ACL containing an element of the form ecs prefix will match if a > request arrives in containing* > *an ECS option encoding a

Bind 9.11 question (ACL ecs )

2016-10-25 Thread HsuLiPing
for different resolver clients. An ACL containing an element of the form ecs prefix will match if a request arrives in containing an ECS option encoding an address within that prefix. If the request has no ECS option, then "ecs" elements are simply ignored. Address

Re: acl

2016-10-18 Thread Matthew Pounsett
On 8 October 2016 at 09:57, Pol Hallen <bin...@fuckaround.org> wrote: > 192.168.1/24 is not a valid netmask >> > > huh? > In linux and BSD I always use 192.168.1/24 (as a shortcut of 192.168.1.0/24) > and so on... You're confusing network configuration with ACL

Re: defines ip to acl

2016-10-17 Thread Pol Hallen
And don't forget the copious comments in named.conf, so that your successor can easily see, at a glance, what start/end addresses those clusters of ACL elements represent. sure! :-) thanks Pol

RE: defines ip to acl

2016-10-17 Thread Darcy Kevin (FCA)
And don't forget the copious comments in named.conf, so that your successor can easily see, at a glance, what start/end addresses those clusters of ACL elements represent. - Kevin -Original Message

Re: defines ip to acl

2016-10-17 Thread Pol Hallen
Acls don’t support ranges, only prefixes. You don’t want the whole /24. I think you want: acl net1 {192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; } acl net2 {192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29; } thanks guys

RE: defines ip to acl

2016-10-17 Thread Darcy Kevin (FCA)
? :-) - Kevin -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol Hallen Sent: Monday, October 17, 2016 2:37 PM To: bind-users@lists.isc.org Subject: defines ip to acl Hello all :-) I need to setup 2 kind

Re: defines ip to acl

2016-10-17 Thread McDonald, Daniel (Dan)
Acls don’t support ranges, only prefixes. You don’t want the whole /24. I think you want: acl net1 {192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; } acl net2 {192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29; } On 2016-10-17, 13:41, "bind-

defines ip to acl

2016-10-17 Thread Pol Hallen
Hello all :-) I need to set up 2 kinds of acl on the same network, i.e.: IPs from 192.168.1.1 to 192.168.1.99 belong to acl1 and IPs from 192.168.1.100 to 192.168.1.199 to acl2 acl net1 { 192.168.1.1-99/24 }; acl net1 { 192.168.1.99-199/24 }; what's the correct way? I didn't find anything :-/ thanks

Re: ACL

2016-10-09 Thread Bob McDonald
I think what you are looking for is: acl test0 { !192.168.1.50/32; 192.168.1.0/24; }; http://jodies.de/ipcalc is a good resource for checking. (As was mentioned by Reindl...) Learning basic sub-netting of IP addresses (Both IPv4 and IPv6) takes time but it's necessary for DNS configuration

Re: acl

2016-10-08 Thread S Carr
On 8 October 2016 at 14:14, Pol Hallen <bin...@fuckaround.org> wrote: > acl test0 { !192.168.1.50/24; 192.168.1/24;}; acl test0 { !192.168.1.50; 192.168.1.0/24;};

Re: acl

2016-10-08 Thread Pol Hallen
192.168.1/24 is not a valid netmask huh? In linux and BSD I always use 192.168.1/24 (as a shortcut of 192.168.1.0/24) and so on... hint: using /24 everywhere is nonsense why? My goal is to allow 192.168.1.0/24 (net) and deny 192.168.1.50 (host) thanks Pol

Re: acl

2016-10-08 Thread Reindl Harald
On 08.10.2016 at 15:14, Pol Hallen wrote: Hi all :-) can someone advise me about a full howto / handbook to understand ACL? I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host: acl test0 { !192.168.1.50/24; 192.168.1/24;}; 192.168.1/24 is not a valid netmask

acl

2016-10-08 Thread Pol Hallen
Hi all :-) can someone advise me about a full howto / handbook to understand ACL? I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host: acl test0 { !192.168.1.50/24; 192.168.1/24;}; thanks for help! Pol

Re: Reload only ACL

2016-04-26 Thread Bob Harold
On Tue, Apr 26, 2016 at 10:22 AM, Ali Jawad <alijaw...@gmail.com> wrote: > Hi Bob > I did have a look at > http://www.zytrax.com/books/dns/ch7/rpz.html#policy-client-ip-trigger , > and while in theory it can be used in a way similar to ACL I can't see how > it accommodat

Re: Reload only ACL

2016-04-26 Thread Ali Jawad
Hi Bob I did have a look at http://www.zytrax.com/books/dns/ch7/rpz.html#policy-client-ip-trigger , and while in theory it can be used in a way similar to ACL I can't see how it accommodates faster changes, would you please elaborate? On Tue, Apr 26, 2016 at 4:46 PM, Bob Harold <rh

Re: Reload only ACL

2016-04-26 Thread Bob Harold
> > either public or private zone, > > Rather than the tool writing an ACL for bind, can the tool instead > reconfigure the user's local workstation dns settings to point to one of > two different (sets of) bind servers? One serves the public zone, one > serves the private zone. >

Re: Reload only ACL

2016-04-25 Thread Carl Byington
On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote: > based on a user tool the users "hundreds in corporate environment" get > either public or private zone, Rather than the tool writing an ACL for bind, can the tool instead reconf

Re: Reload only ACL

2016-04-25 Thread Anand Buddhdev
On 25/04/16 22:23, Ali Jawad wrote: Hi Ali Jawad, > I do have a very specific requirement for private/public zones and based on > a user tool the users "hundreds in corporate environment" get either public > or private zone, the tool simply writes to an ACL file, my problem

Reload only ACL

2016-04-25 Thread Ali Jawad
Hi I do have a very specific requirement for private/public zones and based on a user tool the users "hundreds in corporate environment" get either public or private zone, the tool simply writes to an ACL file, my problem is that the only way I found that does not flush the cache of

Re: Database driven ACL

2016-02-29 Thread Evan Hunt
On Mon, Feb 29, 2016 at 04:11:03PM -0500, Alan Clegg wrote: > Would also be cool to have a meta-zone or type (overlay similar to RPZ > perhaps?) that could be used to configure DNS options. > > Then your existing DNS tools could act as your management interface. Stay tuned for 9.11, which will

Re: Database driven ACL

2016-02-29 Thread Alan Clegg
On 2/29/16, 4:04 PM, "/dev/rob0" wrote: >On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote: >> Is there a mature/tested method of loading ACLs through a DB query >> instead of editing the config file or reading/writing into a

Database driven ACL

2016-02-29 Thread Ali Jawad
Hi Is there a mature/tested method of loading ACLs through a DB query instead of editing the config file or reading/writing into a text file ? Regards

Re: Negation in view match-clients ACL doesn't work?

2015-08-06 Thread Cathy Almond
). - Kevin -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of MURTARI, JOHN Sent: Tuesday, August 04, 2015 4:19 PM To: bind-users@lists.isc.org Subject: Negation in view match-clients ACL

Dynamic ACL

2015-04-08 Thread Ali Jawad
and a default ACL - Each ACL has its own zone file , users get served based on Geo location. If the users are not part of any geo location they are served the default ACL and zone files. - For a few hundred users I want to assign their IPs to specific Geo locations even

Re: Dynamic ACL

2015-04-08 Thread Ali Jawad
different. Here is my scenario and I would appreciate if you could advise me. - I do have 6 different Geo ACLs and a default ACL - Each ACL has its own zone file , users get served based on Geo location. If the users are not part of any geo location they are served

Re: dynamic update of split view acl

2015-02-28 Thread Robert Senger
Hi Matt, in my understanding, rndc reload zone in view reloads the zone file only, not the configuration where the matched-clients { } statement is listed. So, you'll have to run a full config reload if you change the matched-clients { } list. I just wonder why you want to move a client's ip

dynamic update of split view acl

2015-02-28 Thread Matt Calder
I'm running BIND 9.9.5-3 on Ubuntu 14.04.1. I'm trying to figure out how to change the match-clients prefixes in a view without having to restart BIND or do full config reload. My actual BIND config has many views and restarts can take several minutes. Here is my simple test set up.

Re: dynamic update of split view acl

2015-02-28 Thread /dev/rob0
recommend using acl statements: #v+ # here I am naming each component network # (use names that make sense to you) acl net-57-0 { 204.57.0.0/24; }; acl net-57-5 { 204.57.5.0/24; }; acl net-216-55-18 { 216.55.18.0/24; }; # and then I build the composite networks per view acl view1 { net-57-0; net-57

Re: dynamic update of split view acl

2015-02-28 Thread Matt Calder
Hi Robert, Thanks for the reply. I also should have mentioned that this is for an authoritative DNS setup. I'm evaluating different DNS options to support CDN-like testbed where, due to Internet path changes/outages, I would ideally like the ability to rapidly change where particular clients are

Re: Dynamic update the ip addresses list defined within acl clause

2014-01-29 Thread Alan Clegg
On Jan 29, 2014, at 7:45 AM, Pika.Aman a...@thingsto.me wrote: Hi there, I would like to ask if there exists any way to dynamically update the IP addresses in the list of the ACL clause without reloading or restarting the bind server? Hoping someone can help me! Thank you!! You could put

Re: Dynamic update the ip addresses list defined within acl clause

2014-01-29 Thread Matus UHLAR - fantomas
On 29.01.14 14:45, Pika.Aman wrote: I would like to ask if there exists any way to dynamically update the IP addresses in the list of the ACL clause without reloading or restarting the bind server? Hoping someone can help me! Thank you!! No, the dynamic configuration like this is not supported

Dynamic update the ip addresses list defined within acl clause

2014-01-28 Thread Pika.Aman
Hi there, I would like to ask if there exists any way to dynamically update the IP addresses in the list of the ACL clause without reloading or restarting the bind server? Hoping someone can help me! Thank you!! -- Pika Aman Sent with Sparrow (http://www.sparrowmailapp.com/?sig

Re: Performance impact of a large ACL list.

2013-02-08 Thread Shane Kerr
Augie, On Monday, 2013-02-04 19:01:38 -0600, Jeremy C. Reed jr...@isc.org wrote: On Mon, 4 Feb 2013, Augie Schwer wrote: Does anyone have any experience using a large ( 1k ) entry ACL list? Was there any performance degradation? I haven't implemented my ACL yet, but it has quickly

Performance impact of a large ACL list.

2013-02-04 Thread Augie Schwer
Does anyone have any experience using a large ( 1k ) entry ACL list? Was there any performance degradation? I haven't implemented my ACL yet, but it has quickly ballooned up, and I am hoping to get some advice from others in a similar situation. -- Augie Schwer-au...@schwer.us

Re: Performance impact of a large ACL list.

2013-02-04 Thread Jeremy C. Reed
On Mon, 4 Feb 2013, Augie Schwer wrote: Does anyone have any experience using a large ( 1k ) entry ACL list? Was there any performance degradation? I haven't implemented my ACL yet, but it has quickly ballooned up, and I am hoping to get some advice from others in a similar situation

ACL per listening IP address ?

2012-09-27 Thread Oscar Ricardo Silva
to named.conf but only allow certain IP addresses to issue queries against it. I'm not very familiar with the concept of views but I wonder if the match-client statement might be the way to go. Alternatively we can set up an external ACL (or firewall statement) that only allows queries

Re: ACL per listening IP address ?

2012-09-27 Thread Evan Hunt
I'm not very familiar with the concept of views but I wonder if the match-client statement might be the way to go. It sounds like the one you're interested in is match-destinations actually. options { listen-on port 53 { 128.83.185.40; 128.83.185.41; NATIVE IP; }; ...

Re: Problem with ACL in named.conf

2012-08-30 Thread Cathy Almond
On 30/08/12 03:19, GS Bryan wrote: My BIND version, as shown by 'named -v' is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6. 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever. -- Bryan S.G. You're correct - named-checkconf doesn't see the problem, but named errors

Re: Problem with ACL in named.conf

2012-08-30 Thread Cathy Almond
On 30/08/12 03:17, GS Bryan wrote: hmm... that explains it. Damn, DNSMadeEasy needs to have notify notices sent to a different IP set than their nameserver service. This means that I have to hardcode this myself. Another question then, if zone 'example.net' has the NS records of

Problem with ACL in named.conf

2012-08-29 Thread GS Bryan
I tried to use the acl statement in my named.conf file, but I have a hard time making it work. In my named.conf file, I've put these acl statements in these formats (made up IP addresses mind you):- -- // Individual ACL list acl addr1 { 11.22.33.44; 12.23.34.45; }; acl

Re: Problem with ACL in named.conf

2012-08-29 Thread Doug Barton
On 08/29/2012 03:25 PM, GS Bryan wrote: Then when I put the 'alladdr' thing in my 'allow-transfer' and 'also-notify' arguments, also-notify does not take an acl. The ARM will give you more information on the grammar. That said, this is a very annoying problem that I wish there was a better

Re: Problem with ACL in named.conf

2012-08-29 Thread Jeremy C. Reed
On Thu, 30 Aug 2012, GS Bryan wrote: also-notify { alladdr; }; This uses an ip_addr instead of an address_match_list. Some versions of named-checkconf will tell you expected IP address. /etc/named.conf:111: masters alladdr not found I can't reproduce your problem. What version of

Re: Problem with ACL in named.conf

2012-08-29 Thread Mark Andrews
In message CAOJ-cLgi-Z1DyEnKq1PbK4+jzGG3ew8ZHfv10B751sEbb9V-=q...@mail.gmail.com , GS Bryan writes: I tried to use the acl statement in my named.conf file, but I have a hard time making it work. In my named.conf file, I've put these acl statements in these formats (made up IP addresses mind

Re: Problem with ACL in named.conf

2012-08-29 Thread Doug Barton
On 08/29/2012 04:02 PM, Mark Andrews wrote: A plain address in an acl is shorthand for address/32 or address/128 depending upon the address type. While they are visually similar the two lists are functionally very different. Mark, I understand the behind the scenes reasons why the 2 things

Re: Problem with ACL in named.conf

2012-08-29 Thread GS Bryan
. On Thu, Aug 30, 2012 at 9:42 AM, Doug Barton do...@dougbarton.us wrote: On 08/29/2012 03:25 PM, GS Bryan wrote: Then when I put the 'alladdr' thing in my 'allow-transfer' and 'also-notify' arguments, also-notify does not take an acl. The ARM will give you more information on the grammar

Re: Problem with ACL in named.conf

2012-08-29 Thread GS Bryan
My BIND version, as shown by 'named -v' is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6. 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever. -- Bryan S.G. On Thu, Aug 30, 2012 at 9:59 AM, Jeremy C. Reed jr...@isc.org wrote: On Thu, 30 Aug 2012, GS Bryan wrote:

undefined ACL error while running named-checkconf file

2011-12-03 Thread babu dheen
Hello, I am running a slave DNS server using BIND. Today when I try to run named-checkconf as below, I am getting the highlighted error. Kindly assist me [root@server]# named-checkconf /etc/named.rfc1912.zones /etc/named.rfc1912.zones:78: undefined ACL 'redhat' /etc/named.rfc1912.zones:85

Re: undefined ACL error while running named-checkconf file

2011-12-03 Thread Anand Buddhdev
: undefined ACL 'redhat' /etc/named.rfc1912.zones:85: undefined ACL 'redhat' /etc/named.rfc1912.zones:92: undefined ACL 'redhat' /etc/named.rfc1912.zones:100: undefined ACL 'redhat' Isn't it kind of obvious? You are checking the syntax of the file named.rfc1912.zones, but the ACL is refers

Re: undefined ACL error while running named-checkconf file

2011-12-03 Thread babu dheen
Dear Anand, Yes, both primary and slave are running different versions. Will it cause any problem if both are running different versions? --- On Sat, 3/12/11, Anand Buddhdev ana...@ripe.net wrote: From: Anand Buddhdev ana...@ripe.net Subject: Re: undefined ACL error while running

correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread pgngw+dev001+bind-users
I've bind9 running as a primary host to a number of bind-and-other slaves. I'm trying to set up to use different TSIG keys with different secondaries. In my named.conf, I've ... acl acl_slave_1 { 1.1.1.1; }; acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5

Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread Sten Carlsen
: I've bind9 running as a primary host to a number of bind-and-other slaves. I'm trying to set up to use different TSIG keys with different secondaries. In my named.conf, I've ... acl acl_slave_1 { 1.1.1.1; }; acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5

Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread pgngw+dev001+bind-users
hi, On Sun, 05 Dec 2010 19:16 +0100, Sten Carlsen st...@s-carlsen.dk wrote: Given that you control your key distribution correctly and safely, would the following work? allow-transfer { key key-slave-1; key key-slave-2; }; Only relevant slaves have the various keys, so do you need to

Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread Evan Hunt
; }; }; If you want to use named ACLs, then I think you need to define them backwards, to reject not accept, something like this: # pass through any host except slave1 hosts acl notslave1 { !1.1.1.1; any; }; # pass through any host except slave2 hosts acl notslave2 { !2.2.2.2

Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread pgngw+dev001+bind-users
hi, On Sun, 05 Dec 2010 20:57 +, Evan Hunt e...@isc.org wrote: I haven't tested this, but I think it will do what you want: ... allow-transfer { { !notslave1; key key1; }; { !notslave2; key key2; }; none; }; this !acl format works, but only

Security Advisory Regarding Unexpected ACL Behavior in BIND 9.7.2

2010-09-28 Thread Mark Andrews
Security Advisory Regarding Unexpected ACL Behavior in BIND 9.7.2 Description: There was a flaw where the wrong ACL was applied. This flaw could allow access to a cache via recursion even though the ACL disallowed it. CVE: pending CERT: pending Posting date: 2010-09-28 Program

ACL for forward zone

2010-07-12 Thread Prabhat Rana
Hello all, I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder for a certain internal private IP zone to certain internal DNS servers. In the meantime I need to use a certain ACL so that it would forward the queries and reply to them only from certain IP address clients. So I

Re: ACL for forward zone

2010-07-12 Thread Nuno Paquete
Hi Prabhat, I think you don't need this ACL in your forwarder server, define it on the authoritative server (1.2.3.4 and 5.6.7.8, according to your example). Regards, Nuno Paquete On 2010/07/12, at 19:27, Prabhat Rana prana9...@yahoo.com wrote: Hello all, I have BIND 9.7.1

Re: ACL for forward zone

2010-07-12 Thread Prabhat Rana
Subject: Re: ACL for forward zone To: Prabhat Rana prana9...@yahoo.com Cc: bind-users@lists.isc.org Date: Monday, July 12, 2010, 4:17 PM Hi Prabhat, I think you don't need this ACL in your forwarder server, define it on the authoritative server (1.2.3.4 and 5.6.7.8, according to your

Re: ACL for forward zone

2010-07-12 Thread Richard Tom
access to the authoritative servers. Prabhat. --- On Mon, 7/12/10, Nuno Paquete nunopaqu...@lusocargo.pt wrote: From: Nuno Paquete nunopaqu...@lusocargo.pt Subject: Re: ACL for forward zone To: Prabhat Rana prana9...@yahoo.com Cc: bind-users@lists.isc.org Date: Monday, July 12, 2010, 4:17 PM

any IPv6 ACL for BIND

2010-03-30 Thread ivan jr sy
hi all, is there a built-in ACL that represents any IPv6 connection? I have been experimenting with allow-query { aclhere; }; where aclhere represents any IPv6 network, anywhere from the Internet. If there's no built-in, what is the best way to come up with an equivalent? Thanks

Re: any IPv6 ACL for BIND

2010-03-30 Thread Evan Hunt
If there's no built-in, what is the best way to come up with an equivalent? I think this will work: acl any6 { ::0/0; }; acl any4 { 0.0.0.0/0; }; -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc.

Re: check-names vs. acl

2010-02-26 Thread Matus UHLAR - fantomas
this kind of mistypes. I wonder if it wouldn't be better to check ACL's first and check-names just after it? On 26.02.10 13:08, Mark Andrews wrote: It really depends what's more important for you to see. Whether you got a recursive query that didn't match an acl or a query that failed

check-named vs. acl

2010-02-25 Thread Matus UHLAR - fantomas
Hello, I see that hosts that are not allowed to recurse are often generating check-named errors. I wonder if it wouldn't be better to check ACL's first and check-names just after it? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail

check-names vs. acl

2010-02-25 Thread Matus UHLAR - fantomas
On 25.02.10 12:01, Matus UHLAR - fantomas wrote: I see that hosts that are not allowed to recurse are often generating check-named errors. check-names it is. I apparently too often use named so I do this kind of mistypes. I wonder if it wouldn't be better to check ACL's first and check-names

Re: check-names vs. acl

2010-02-25 Thread Mark Andrews
of mistypes. I wonder if it wouldn't be better to check ACL's first and check-names just after it? It really depends what's more important for you to see. Whether you got a recursive query that didn't match an acl or a query that failed check-names. Both get REFUSED so the client can't tell

Re: Problems with include in acl file

2009-10-19 Thread Joseph S D Yao
. [RT #377, #728, #860] Roughly, include can occur instead of a keyword in any list where all list elements are introduced by keywords; e.g. view, options, logging, zone. But not acl because the elements there do not (in general) start with keywords. Yes. I meant to say, wherever

Re: Problems with include in acl file

2009-10-19 Thread Matus UHLAR - fantomas
On 19.10.09 09:49, Mark Andrews wrote: acl's can include other acls. I'm having a hard time seeing why you need to include a file here. include custom.acl; // defines acl customacl acl hdanets { 92.168.1.0/24; // hda network customacl; }; otoh, it could ease configuration

Re: Problems with include in acl file

2009-10-18 Thread Chris Thompson
On Oct 18 2009, Joseph S D Yao wrote: On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote: I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets

Re: Problems with include in acl file

2009-10-18 Thread Robert Moskowitz
line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing ';' before '' ... Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf, it seems to me that include

Re: Problems with include in acl file

2009-10-18 Thread Mark Andrews
and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing ';' before

Re: Problems with include in acl file

2009-10-18 Thread Robert Moskowitz
the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing

Problems with include in acl file

2009-10-17 Thread Robert Moskowitz
I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named

Re: Problems with include in acl file

2009-10-17 Thread Joseph S D Yao
On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote: I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network

ACL ?

2009-03-23 Thread John D. Vo
Greetings: Trying to implement acl in my named.conf... for Bind 9.2.2 acl eagle { 192.168.1.0/24; localhost; }; But when I issued a reload, I got: Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] /etc/named.conf:2: unknown option 'acl' Mar 23 08:55:39 ns1 named[13578]: [ID 866145

Re: ACL ?

2009-03-23 Thread John D. Vo
Worked like a charm. Thanks. -John Alan Clegg wrote: John D. Vo wrote: Greetings: Trying to implement acl in my named.conf... for Bind 9.2.2 acl eagle { 192.168.1.0/24; localhost; }; But when I issued a reload, I got: Mar 23 08:55:39 ns1 named[13578]: [ID 866145

Re: ACL ?

2009-03-23 Thread Mark Andrews
In message 49c79d6b.7060...@eagle.net, John D. Vo writes: Greetings: Trying to implement acl in my named.conf... for Bind 9.2.2 acl eagle { 192.168.1.0/24; localhost; }; But when I issued a reload, I got: Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] /etc/named.conf:2

Re: ACL ?

2009-03-23 Thread Chris Thompson
On Mar 23 2009, John D. Vo wrote: Trying to implement acl in my named.conf... for Bind 9.2.2 acl eagle { 192.168.1.0/24; localhost; }; But when I issued a reload, I got: Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] /etc/named.conf:2: unknown option 'acl' Mar 23 08:55:39 ns1

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Niall O'Reilly
On Fri, 2008-11-14 at 17:35 -0800, Chris Buxton wrote: Use a firewall (with deep packet inspection) to restrict by subnet. Then use the TSIG key in the allow-update statement. Unfortunately, to my knowledge, that's the only way to do this. Wouldn't using a BIND view to restrict by
