Re: query cache denied in view statement

2010-09-27 Thread Phil Mayers

On 09/26/2010 10:57 PM, David S. wrote:

I've removed additional-from-cache and restarted bind; below is part of
named.conf


Ok, bad guess on my part :o(

Not sure I'm afraid. I don't really understand your config; do you mean 
to have recursion off in both views?


What is sending the queries? They're coming from 127.0.0.1 (localhost) 
so something on the system is trying to use bind as a (recursive) 
nameserver.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: query cache denied in view statement

2010-09-27 Thread Phil Mayers

On 27/09/10 09:45, David S. wrote:

Hi Phil,

In that case, don't you want recursion on in view mynetwork?
I don't want recursion in my network, so recursion is no.


Sorry, I don't understand. Perhaps someone else can help you.


Re: query cache denied in view statement

2010-09-27 Thread Kevin Darcy
Hopefully you understand that when you turn recursion off, that means 
you can only answer from zones that you actually *host* (i.e. for which 
you are master or slave).


But you have no master or slave zones defined in the mynetwork view.

Therefore it is not possible for that view to do anything useful, the 
way that it is currently configured.



- Kevin


On 9/27/2010 4:45 AM, David S. wrote:

Hi Phil,

In that case, don't you want recursion on in view mynetwork?
I don't want recursion in my network, so recursion is no.

--
Best regards,
David
http://blog.pnyet.web.id


On 09/27/2010 03:32 PM, Phil Mayers wrote:

In that case, don't you want recursion on in view mynetwork?





Re: query cache denied in view statement

2010-09-26 Thread Phil Mayers

On 09/26/2010 09:25 PM, David S. wrote:

Dear All,

I had a problem when trying to use the view class in my named.conf; please
see the attached file and my query log below:


You've set additional-from-cache but not allow-query-cache ACL. The 
default has everyone denied.


Do you need to set additional-from-cache?


Re: query cache denied in view statement

2010-09-26 Thread David S.
I've removed additional-from-cache and restarted bind; below is part of
named.conf

options {
    directory "/var/named";
    allow-transfer { xfer; };
    pid-file "named.pid";
    listen-on port 53 { any; };
    statistics-file "named.stats";
    memstatistics-file "named.memstats";
    dump-file "named.dump";
    zone-statistics yes;
    notify no;
    transfer-format many-answers;
    max-transfer-time-in 100;
    interface-interval 0;
    allow-query { trusted; };
    blackhole { bogon; };
};

view mynetwork in {
    match-clients { trusted; };
    recursion no;
    allow-transfer { xfer; };
};

view internet in {
    match-clients { any; };
    recursion no;
    allow-transfer { xfer; };
};


# tail -f /var/log/named/audit.log

28-Sep-2010 04:50:05.012 security: info: client 127.0.0.1#53517: view mynetwork: query (cache) 'yahoo.com/A/IN' denied
28-Sep-2010 04:56:22.653 security: info: client 127.0.0.1#34194: view mynetwork: query (cache) 'kiputih.com/A/IN' denied


--
Best regards,
David
http://blog.pnyet.web.id


On 09/27/2010 04:36 AM, Phil Mayers wrote:
 On 09/26/2010 09:25 PM, David S. wrote:
 Dear All,

 I had a problem when trying to use the view class in my named.conf; please
 see the attached file and my query log below:

 You've set additional-from-cache but not allow-query-cache ACL.
 The default has everyone denied.

 Do you need to set additional-from-cache?



Re: query cache denied in view statement

2010-09-26 Thread Barry Margolin
In article mailman.146.1285538312.555.bind-us...@lists.isc.org,
 David S. da...@pnyet.web.id wrote:

 I've removed additional-from-cache and restarted bind; below is part of
 named.conf

You still haven't added 'allow-query-cache { trusted; };'.


-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
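As an added example (not taken from any of the messages above), here is one way the two views could be written so that the "query (cache) ... denied" log lines stop and the server still never recurses for the outside world. It combines Phil's point (no allow-query-cache ACL in the view), Barry's fix (add one for trusted) and Kevin's point (a non-recursive view only answers for zones it hosts). The ACL names trusted, xfer and bogon are from David's named.conf; the addresses, the zone name example.com and the zone file name are placeholders. It relies on BIND's documented default: when allow-query-cache is not set and recursion is "no", the cache ACL defaults to "none", which is exactly what the mynetwork view was hitting.

```conf
// Added example, not the poster's file. ACL names match the original
// named.conf; the addresses are placeholders (RFC 5737 documentation range).
acl trusted { 127.0.0.1; 192.0.2.0/24; };
acl xfer    { 192.0.2.53; };
acl bogon   { 0.0.0.0/8; 240.0.0.0/4; };

options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { trusted; };       // inherited by views unless overridden
    allow-transfer { xfer; };
    blackhole { bogon; };
};

// Views are tried in order and the first matching match-clients wins,
// so the internal view must come before the catch-all.
view "mynetwork" in {
    match-clients { trusted; };
    recursion yes;                  // internal clients may resolve anything
    allow-recursion   { trusted; };
    allow-query-cache { trusted; }; // with "recursion no" and no ACL this defaults to none
    allow-transfer { xfer; };
    // Any internal-only zones go here.
};

view "internet" in {
    match-clients { any; };
    recursion no;                   // never recurse for arbitrary clients
    allow-query { any; };           // override the options-level "trusted"
    allow-query-cache { none; };    // and hand out no cached answers either
    allow-transfer { xfer; };
    zone "example.com" in {         // placeholder zone; the view must host something
        type master;
        file "example.com.zone";
    };
};
```

Run named-checkconf on the file before reloading. Afterwards a query such as dig @127.0.0.1 yahoo.com A from a trusted address should return an answer instead of REFUSED, while the same query from a non-trusted address is refused and only example.com is answered, which is the split the original config was aiming for.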