Re: acl in also-nofify

2024-02-08 Thread Greg Choules via bind-users 
Hi both.
You can't do it using ACLs. But you can do it using primaries. This is
hinted at in the section about the primaries statement, but not clearly
expanded on.
For example:

# define a primaries list called "also-notifed" (or anything you like).
Define as many lists as you need.
primaries also-notified {a.b.c.d; e.f.g.h;};
...
zone "example.com {
   type primary;
   file "db.example.com";
# apply the primaries list (or lists) to the also-notify statement.
   also-notify {also-notified;};
};

I hope that helps.
Cheers, Greg



On Thu, 8 Feb 2024 at 21:55, Elmar K. Bins  wrote:

> Randy,
>
> ra...@psg.com (Randy Bush) wrote:
>
> > can i use an acl{} or other macro in `also-notify`?  i have a bunch of
> > zones where i want the same `also-notify` list.
>
> Been running into the same issue and tried to find out. My master lists
> and acls
> are identical as yours seem to be. I've been told that internally they are
> very
> different and handled differently, so I had to duplicate my work (yes,
> they're
> copy+paste for me) :-(
>
> Best,
> Elmar.
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: acl in also-nofify

2024-02-08 Thread Elmar K. Bins 
Randy,

ra...@psg.com (Randy Bush) wrote:

> can i use an acl{} or other macro in `also-notify`?  i have a bunch of
> zones where i want the same `also-notify` list.

Been running into the same issue and tried to find out. My master lists and acls
are identical as yours seem to be. I've been told that internally they are very
different and handled differently, so I had to duplicate my work (yes, they're
copy+paste for me) :-(

Best,
Elmar.


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

acl in also-nofify

2024-02-08 Thread Randy Bush 
have spent a bit searching but no result.  so ...

can i use an acl{} or other macro in `also-notify`?  i have a bunch of
zones where i want the same `also-notify` list.

thanks

randy
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: acl type construct for update-policy

2021-11-10 Thread John Thurston 



On 11/10/2021 6:25 AM, Giddings, Bret wrote:
Is there any other facility for including effectively the same grant 
statements within multiple zones?


I am not aware of any

--
Do things because you should, not just because you can.

John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

acl type construct for update-policy

2021-11-10 Thread Giddings, Bret 
Hello,

I want to use the same update-policy grant statements multiple times in 
different zones and would therefore prefer to use something like an ACL.

It doesn’t appear to be the case that you can create something like

acl “FOO” {
  grant EXAMPLE.COM krb5-self . A ;
  grant * tcp-self . PTR(1);
};

Then use it in your zone

zone EXAMPLE.COM {
  ….
  update-policy { FOO; };
  …
};

Nor can you use an ‘include’ within the zone statement to include the relevant 
‘grant’ statements from an external file. Is there any other facility for 
including effectively the same grant statements within multiple zones?

Many thanks,

Bret
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Ondřej Surý 
FTR The PROXY protocol is on the todo list, but the demand hasn’t been great so 
it’s more in the “patches accepted” area then something that’s just around the 
corner…

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 2. 9. 2021, at 20:27, Ryan McGuire  
> wrote:
> 
> Thank you, in my searching I failed to come across that.
> 
> Do you know if it's been replaced by something more "practical to deploy"? I 
> found some discussion regarding support for "The PROXY Protocol" 
> (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) but I don't 
> believe it's planned. This seems like such a common scenario, I'm surprised 
> the support that was there was removed but not replaced by anything. I 
> suppose it is open-source software and I'm free to port it into 9.16, but 
> this isn't a big enough problem for me personally to justify the time spent.
> 
> -Ryan
> 
> On 9/2/21 2:16 PM, Evan Hunt wrote:
>>> I did compile 9.16.20 from source since the latest in Debian repos is
>>> 9.16.15 but the result is the same. The doc snippet in my original email
>>> was from 9.11 docs -- could this feature not have been brought forward
>>> into 9.16 at all? The only related documented removed feature is
>>> geoip-use-ecs.
>> It was actually removed in 9.14:
>> 
>> 4952.   [func]  Authoritative server support in named for the
>> EDNS CLIENT-SUBNET option (which was experimental
>> and not practical to deploy) has been removed.
>> 
>> The ECS option is still supported in dig and mdig
>> via the +subnet option, and can be parsed and logged
>> when received by named, but it is no longer used
>> for ACL processing. The "geoip-use-ecs" option
>> is now obsolete; a warning will be logged if it is
>> used in named.conf. "ecs" tags in an ACL definition
>> are also obsolete and will cause the configuration
>> to fail to load.  [GL #32]
>> 
>> Sorry about the inadequate documentation. There's a mechanism for flagging
>> obsolete options in named.conf and logging a useful message about them, but
>> it's not so straightforward when the option is still valid but the
>> parameters have changed.
>> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Ryan McGuire 
In this case I use dnsdist (by PowerDNS) for load balancing and failover 
-- requests are balanced between my internal bind9 servers, and if they 
are all down queries go to public DNS directly to avoid a total outage. 
The challenge here is that the source IP for all requests is now coming 
from dnsdist.


They have an article here: 
https://dnsdist.org/advanced/passing-source-address.html that mentions 
the functionality supported in dnsdist, but there is no overlap with 
bind9 -- well, there was apparently up to 9.14, but it's since been 
removed. Bind is still able to parse (and present) the ECS to you, that 
works great, but the plumbing into the acl is what is needed to serve up 
a separate view by source client.


Being realistic, this is not a large deployment, if it's an edge case 
then it is surely not worth anyone's time to add support back in.


Thank you again for the replies.

-Ryan

On 9/2/21 2:42 PM, Evan Hunt wrote:

On Thu, Sep 02, 2021 at 02:26:59PM -0400, Ryan McGuire wrote:

Thank you, in my searching I failed to come across that.

Do you know if it's been replaced by something more "practical to
deploy"? I found some discussion regarding support for "The PROXY
Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt)
but I don't believe it's planned. This seems like such a common
scenario, I'm surprised the support that was there was removed but not
replaced by anything. I suppose it is open-source software and I'm free
to port it into 9.16, but this isn't a big enough problem for me
personally to justify the time spent.

We do have support for recursive ECS processing in the special-sauce
version of BIND we charge money for, but there hasn't been enough demand
for support on the authoritiatve side to make it worth the development
effort so far. But I would encourage you to put in a feature request
with details about your use case, and we'll consider it in the future.

Unfortunately, the older auth support was terribly space-inefficient,
and also didn't comply with the RFC, so it kind of had to go.

I'm not sure which of the open-source auth servers currently have ECS
support. PowerDNS maybe? And a quick google search just suggested one
called gdnsd, which I hadn't heard of before.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Evan Hunt 
On Thu, Sep 02, 2021 at 02:26:59PM -0400, Ryan McGuire wrote:
> Thank you, in my searching I failed to come across that.
> 
> Do you know if it's been replaced by something more "practical to 
> deploy"? I found some discussion regarding support for "The PROXY 
> Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 
> but I don't believe it's planned. This seems like such a common 
> scenario, I'm surprised the support that was there was removed but not 
> replaced by anything. I suppose it is open-source software and I'm free 
> to port it into 9.16, but this isn't a big enough problem for me 
> personally to justify the time spent.

We do have support for recursive ECS processing in the special-sauce
version of BIND we charge money for, but there hasn't been enough demand
for support on the authoritiatve side to make it worth the development
effort so far. But I would encourage you to put in a feature request
with details about your use case, and we'll consider it in the future.

Unfortunately, the older auth support was terribly space-inefficient,
and also didn't comply with the RFC, so it kind of had to go.

I'm not sure which of the open-source auth servers currently have ECS
support. PowerDNS maybe? And a quick google search just suggested one
called gdnsd, which I hadn't heard of before.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Ryan McGuire 

Thank you, in my searching I failed to come across that.

Do you know if it's been replaced by something more "practical to 
deploy"? I found some discussion regarding support for "The PROXY 
Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 
but I don't believe it's planned. This seems like such a common 
scenario, I'm surprised the support that was there was removed but not 
replaced by anything. I suppose it is open-source software and I'm free 
to port it into 9.16, but this isn't a big enough problem for me 
personally to justify the time spent.


-Ryan

On 9/2/21 2:16 PM, Evan Hunt wrote:

I did compile 9.16.20 from source since the latest in Debian repos is
9.16.15 but the result is the same. The doc snippet in my original email
was from 9.11 docs -- could this feature not have been brought forward
into 9.16 at all? The only related documented removed feature is
geoip-use-ecs.

It was actually removed in 9.14:

4952.   [func]  Authoritative server support in named for the
 EDNS CLIENT-SUBNET option (which was experimental
 and not practical to deploy) has been removed.

 The ECS option is still supported in dig and mdig
 via the +subnet option, and can be parsed and logged
 when received by named, but it is no longer used
     for ACL processing. The "geoip-use-ecs" option
 is now obsolete; a warning will be logged if it is
 used in named.conf. "ecs" tags in an ACL definition
 are also obsolete and will cause the configuration
 to fail to load.  [GL #32]

Sorry about the inadequate documentation. There's a mechanism for flagging
obsolete options in named.conf and logging a useful message about them, but
it's not so straightforward when the option is still valid but the
parameters have changed.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Evan Hunt 


> I did compile 9.16.20 from source since the latest in Debian repos is 
> 9.16.15 but the result is the same. The doc snippet in my original email 
> was from 9.11 docs -- could this feature not have been brought forward 
> into 9.16 at all? The only related documented removed feature is 
> geoip-use-ecs.

It was actually removed in 9.14:

4952.   [func]  Authoritative server support in named for the
EDNS CLIENT-SUBNET option (which was experimental
and not practical to deploy) has been removed.

The ECS option is still supported in dig and mdig
via the +subnet option, and can be parsed and logged
when received by named, but it is no longer used
    for ACL processing. The "geoip-use-ecs" option
is now obsolete; a warning will be logged if it is
used in named.conf. "ecs" tags in an ACL definition
are also obsolete and will cause the configuration
to fail to load.  [GL #32]

Sorry about the inadequate documentation. There's a mechanism for flagging
obsolete options in named.conf and logging a useful message about them, but
it's not so straightforward when the option is still valid but the
parameters have changed.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Syntax for ECS ACL Entry

2021-09-02 Thread Ryan McGuire 
I did compile 9.16.20 from source since the latest in Debian repos is 
9.16.15 but the result is the same. The doc snippet in my original email 
was from 9.11 docs -- could this feature not have been brought forward 
into 9.16 at all? The only related documented removed feature is 
geoip-use-ecs.


-Ryan

On 9/2/21 10:06 AM, Ryan McGuire wrote:


I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a 
view. The views are working well, and the ECS is read by bind9 (see 
log below), but I can't seem to find a syntax for adding an ecs entry 
into an acl. Here is what I've tried:


acl "filtered" {
  192.168.0.90;
  192.168.0.91;
  192.168.0.92;
  192.168.0.93;
*  ecs 192.168.99.0/24;*
};

view filtered-view {
  match-clients { filtered; };
  {...}

When I try to start bind with this config, I get the following error:
/etc/bind/named.conf.local:6: missing ';' before '192.168.99.0'

Everything works as it should if I remove the ecs entry from the acl.

I can see the ECS is being set by dnsdist when I enable query logging:
client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): view 
filtered-view: query: elastic.mcguire.local IN A +E(0) (192.168.0.5) 
*[ECS 192.168.99.0/24/0]*


From the docs*:*

"An ACL containing an element of the form ecs prefix will match if a 
request arrives in containing an ECS option encoding an address within 
that prefix. If the request has no ECS option, then "ecs" elements are 
simply ignored. Addresses in ACLs that are not prefixed with "ecs" are 
matched only against the source address."*

*

I am running bind9 version 9.16.15.

Regards,

Ryan McGuire
p. 260.202.0500  m. 978.501.3620  
f. 260.202.0420 

w. www.libretechconsulting.com <https://libretechconsulting.com>

Libre Tech Consulting <https://libretechconsulting.com>


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Syntax for ECS ACL Entry

2021-09-02 Thread Ryan McGuire 
I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a 
view. The views are working well, and the ECS is read by bind9 (see log 
below), but I can't seem to find a syntax for adding an ecs entry into 
an acl. Here is what I've tried:


acl "filtered" {
  192.168.0.90;
  192.168.0.91;
  192.168.0.92;
  192.168.0.93;
*  ecs 192.168.99.0/24;*
};

view filtered-view {
  match-clients { filtered; };
  {...}

When I try to start bind with this config, I get the following error:
/etc/bind/named.conf.local:6: missing ';' before '192.168.99.0'

Everything works as it should if I remove the ecs entry from the acl.

I can see the ECS is being set by dnsdist when I enable query logging:
client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): view 
filtered-view: query: elastic.mcguire.local IN A +E(0) (192.168.0.5) 
*[ECS 192.168.99.0/24/0]*


From the docs*:*

"An ACL containing an element of the form ecs prefix will match if a 
request arrives in containing an ECS option encoding an address within 
that prefix. If the request has no ECS option, then "ecs" elements are 
simply ignored. Addresses in ACLs that are not prefixed with "ecs" are 
matched only against the source address."*

*

I am running bind9 version 9.16.15.

Regards,

Ryan McGuire
p. 260.202.0500  m. 978.501.3620  f. 
260.202.0420 

w. www.libretechconsulting.com <https://libretechconsulting.com>

Libre Tech Consulting <https://libretechconsulting.com>

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: GeoIP ACL

2021-04-25 Thread Evan Hunt 
On Sun, Apr 25, 2021 at 01:47:31PM +0530, Sachchidanand Upadhyay via bind-users 
wrote:
> I am using geoip based ACL to restrict traffic. Now I want to allow all
> country traffic except two or three, like i want to allow all traffic
> except country A, B and C. 
> 
> Can anyone give an example to achieve the same? 

match-clients { !geoip country A; !geoip country B; !geoip country C; any; };

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

GeoIP ACL

2021-04-25 Thread Sachchidanand Upadhyay via bind-users 
Hi, 

I am using geoip based ACL to restrict traffic. Now I want to allow all country 
traffic except two or three, like i want to allow all traffic except country A, 
B and C. 

Can anyone give an example to achieve the same? 

BR, 
Sachchidanand 



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-16 Thread Evan Hunt 
On Thu, Apr 15, 2021 at 03:35:38PM +0800, Zhengyu Pan wrote:
> I want to implement intelligent DNS through bind9. I need to add a custom
> line(IP address ranges) to bind9 using acl and view when add a user.
> Because when add a tenant, i need to define a new acl and view. I don't
> want to update named.conf config file frequently.
> 
>  Does bind9 support adding acl and view through commands or API, not by
>  updating config file? 
> 
>  like the command "rndc addacl" or "rndc addview". 

No, and I wouldn't recommend doing this via "reconfig" either. Views
don't scale well. Finding the correct view for a query is a linear search,
so your performance will decline quite badly if you have more than a few
views to search through.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re:Re: Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Zhengyu Pan 
>do you mean, the same domains with different content, depending on clients'
>IPs? That's common multiple-view setup
>(nothing special or intelligent).

Yes, I will create a view and acl for every client. Because every client has 
the unique IP address.


>Why? Do you have that many clients constantly with changing IPs?
>
>Maybe they could use local DNS server talking to your DNS server using TSIG,

>and instead of IPs you'd define TSIG keys.


My client vm directly connect the dns server. There are no local servers on the 
road.
Different client may create the same domain. So I must use IP to limit who use 
which view. client view can't use TSIG key.
>I'm afraid for now there's no  way to make this via rndc.
>You'll have to generate named config per-client.
I wan to know whether per-client can have own confile file that contains view 
and acl. Not put view and acl in named.conf.


>>Updating config file frequently may affect other zones in this dns server.
>
>I don't understand how/why it should affect other zones.

Yes, updating config file don't affect other zones.













--

Thanks.
Zhengyu





At 2021-04-15 23:28:15, "Matus UHLAR - fantomas"  wrote:
>On 15.04.21 20:53, Zhengyu Pan wrote:
>>The  "intelligent" means that dns server return the corresponding A record IP 
>>address according  to the source IP address of the tenants.
>>My dns server is an Authoritative dns server. It hosts the zones of different 
>>tenants.
>
>do you mean, the same domains with different content, depending on clients'
>IPs? That's common multiple-view setup
>(nothing special or intelligent).
>
>>I need to update config file name.conf frequently Because The views and ACLS 
>>are added frequently.
>
>Why? Do you have that many clients constantly with changing IPs?
>
>Maybe they could use local DNS server talking to your DNS server using TSIG,
>and instead of IPs you'd define TSIG keys.
>
>>So i want to know whether have commands or API to add acl and view like the 
>>command "rndc addacl" or "rndc addview"?
>
>I'm afraid for now there's no  way to make this via rndc.
>You'll have to generate named config per-client.
>
>>Updating config file frequently may affect other zones in this dns server.
>
>I don't understand how/why it should affect other zones.
>
>
>
>>At 2021-04-15 15:08:26, "Matus UHLAR - fantomas"  wrote:
>>>On 15.04.21 15:35, Zhengyu Pan wrote:
>>>>I want to implement intelligent DNS through bind9.
>>>
>>>>I need to add a custom line(IP address ranges) to bind9 using acl and view
>>>> when add a user.  Because when add a tenant, i need to define a new acl
>>>> and view.  I don't want to update named.conf config file frequently.
>>>
>>>what is supposed to be intelligent there?
>>>
>>>I mean, why?  are you going to provide recursive service to someone who pays
>>>for that?
>>>
>>>> Does bind9 support adding acl and view through commands or API, not by 
>>>> updating config file?
>>>> like the command "rndc addacl" or "rndc addview".
>>>
>>>I don't think so, looks a bit too complicated.
>
>
>-- 
>Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>- Have you got anything without Spam in it?
>- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
>___
>Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
>from this list
>
>ISC funds the development of this software with paid support subscriptions. 
>Contact us at https://www.isc.org/contact/ for more information.
>
>
>bind-users mailing list
>bind-users@lists.isc.org
>https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Matus UHLAR - fantomas 

On 15.04.21 20:53, Zhengyu Pan wrote:

The  "intelligent" means that dns server return the corresponding A record IP 
address according  to the source IP address of the tenants.
My dns server is an Authoritative dns server. It hosts the zones of different 
tenants.


do you mean, the same domains with different content, depending on clients'
IPs? That's common multiple-view setup
(nothing special or intelligent).


I need to update config file name.conf frequently Because The views and ACLS 
are added frequently.


Why? Do you have that many clients constantly with changing IPs?

Maybe they could use local DNS server talking to your DNS server using TSIG,
and instead of IPs you'd define TSIG keys.


So i want to know whether have commands or API to add acl and view like the command "rndc 
addacl" or "rndc addview"?


I'm afraid for now there's no  way to make this via rndc.
You'll have to generate named config per-client.


Updating config file frequently may affect other zones in this dns server.


I don't understand how/why it should affect other zones.




At 2021-04-15 15:08:26, "Matus UHLAR - fantomas"  wrote:

On 15.04.21 15:35, Zhengyu Pan wrote:

I want to implement intelligent DNS through bind9.



I need to add a custom line(IP address ranges) to bind9 using acl and view
when add a user.  Because when add a tenant, i need to define a new acl
and view.  I don't want to update named.conf config file frequently.


what is supposed to be intelligent there?

I mean, why?  are you going to provide recursive service to someone who pays
for that?


Does bind9 support adding acl and view through commands or API, not by updating 
config file?
like the command "rndc addacl" or "rndc addview".


I don't think so, looks a bit too complicated.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re:Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Zhengyu Pan 
The  "intelligent" means that dns server return the corresponding A record IP 
address according  to the source IP address of the tenants.
My dns server is an Authoritative dns server. It hosts the zones of different 
tenants.


I need to update config file name.conf frequently Because The views and ACLS 
are added frequently.
So i want to know whether have commands or API to add acl and view like the 
command "rndc addacl" or "rndc addview"?
Updating config file frequently may affect other zones in this dns server.

At 2021-04-15 15:08:26, "Matus UHLAR - fantomas"  wrote:
>On 15.04.21 15:35, Zhengyu Pan wrote:
>>I want to implement intelligent DNS through bind9.
>
>>I need to add a custom line(IP address ranges) to bind9 using acl and view
>> when add a user.  Because when add a tenant, i need to define a new acl
>> and view.  I don't want to update named.conf config file frequently.
>
>what is supposed to be intelligent there?
>
>I mean, why?  are you going to provide recursive service to someone who pays
>for that?
>
>> Does bind9 support adding acl and view through commands or API, not by 
>> updating config file?
>> like the command "rndc addacl" or "rndc addview".
>
>I don't think so, looks a bit too complicated.
>
>-- 
>Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>Save the whales. Collect the whole set.
>___
>Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
>from this list
>
>ISC funds the development of this software with paid support subscriptions. 
>Contact us at https://www.isc.org/contact/ for more information.
>
>
>bind-users mailing list
>bind-users@lists.isc.org
>https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Matus UHLAR - fantomas 

On 15.04.21 15:35, Zhengyu Pan wrote:

I want to implement intelligent DNS through bind9.



I need to add a custom line(IP address ranges) to bind9 using acl and view
when add a user.  Because when add a tenant, i need to define a new acl
and view.  I don't want to update named.conf config file frequently.


what is supposed to be intelligent there?

I mean, why?  are you going to provide recursive service to someone who pays
for that?


Does bind9 support adding acl and view through commands or API, not by updating 
config file?
like the command "rndc addacl" or "rndc addview".


I don't think so, looks a bit too complicated.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Zhengyu Pan 
Hi,

I want to implement intelligent DNS through bind9. I need to add a custom 
line(IP address ranges) to bind9 using acl and view when add a user. Because 
when add a tenant, i need to define a new acl and view. I don't want to update 
named.conf config file frequently.

 Does bind9 support adding acl and view through commands or API, not by 
updating config file? 

 like the command "rndc addacl" or "rndc addview". 




 Thanks

 Zhengyu
















--

Thanks!
Zhengyu___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind 9.11 question (ACL ecs )

2016-10-25 Thread Mark Andrews 

You use the "ecs" key word like this.

        acl example { ecs 10.0.0.0/8; };

view ecs-net-10-only {
match-clients { example; };
};

Also using colour or fonts is not a good way to highlight
what the issue is.  Not everyone reads email on a display
which supports different colours or fonts.

Also acls are *first* *match* so

match-clients {
 area02; ecs-area02;
 !{!ecs-area02; any; };
 key Area02.mydomain.idv.;
};

and

match-clients { area02; ecs-area02; };

are the *same* as all "ecs-area02;" addresses have already
been matched by the time you get to looking at "!{!ecs-area02;
any; };".

Bob,
!{!ecs-area01; any; }; is reject anything which
isn't in ecs-area01.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind 9.11 question (ACL ecs )

2016-10-25 Thread Bob Harold 
On Tue, Oct 25, 2016 at 2:04 AM, <hsulip...@itri.org.tw> wrote:

> From 9.1 ARM chapter 7 that mention
>
> The EDNS Client Subnet (ECS) option is used by a recursive resolver to
> inform an authoritative
> name server of the network address block from which the original query was
> received, enabling
> authoritative servers to give different answers to the same resolver for
> different resolver clients.
>
>
>
> *An ACL containing an element of the form ecs prefix will match if a
> request arrives in containing*
> *an ECS option encoding an address within that prefix. If the request has
> no ECS option,*
> *then "ecs" elements are simply ignored*. Addresses in ACLs that are not
> prefixed with "ecs" are
> matched only against the source address.
>
>
>
> Now i was migrate DNS bint fro 9.10 to 9.11 and use ECS prefix on my
> allow-query entry but when i use dig
>
> test (not include +subnet) it not response but when i remvoe that ecs
> keyword every thing was OK.
>
>
>
> I was use bind 9.11 setup three dns server one for mydomain.idv and two
> are sub.mydomain.idv.
>
> my sub.mydomain.idv has multi view but has same zone.
>
> when i use dig query sub.mydomain.idv entry it always return last match
> view, it will not reponse by client subnet
>
> following was my partial named.conf content
>
>
>
> sub.mydomain.idv (Primary server -ip:a.b.c.d)
> =
>
> acl "slave-ips" { a.b.c.d; };
>
> server  a.b.c.d {
> provide-ixfr yes;
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> transfer-format many-answers;
> };
>
> server  a1.b1.c1.d1 {  // mydomain.idv primary server
>     request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
>   directory   "d:\isc bind 9\var\named";
> allow-update {none;};
> notify explicit;
> allow-transfer { none; };
> allow-query { none; };
> };
>
> // End Options
>
> view "area01" {
> match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key
> Area01.mydomain.idv.;};
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query { area01; ecs-area01; };
>   file "sub/area01.mydomain.idv.txt";
>  also-notify { a.b.c1.d key Area01.mydomain.idv.; };
>  allow-transfer { key Area01.mydomain.idv.; };
>  };
> }; // End View
>
> view "area02" {
> match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key
> Area02.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query { area02; ecs-area02; };
>   file "sub/area02.mydomain.idv.txt";
>  also-notify { a.b.c1.d key Area02.mydomain.idv.; };
>  allow-transfer { key Area02.mydomain.idv.; };
>  };
> }; // End View
>
> view "area03" {
> match-clients {  area03; ecs-area03; !{!ecs-area03; any; } ; key
> Area03.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query {  area03; ecs-area03; };
>   file "sub/area03.mydomain.idv.txt";
>   also-notify { a.b.c1.d key Area03.mydomain.idv.;};
>   allow-transfer { key Area03.mydomain.idv.; };
>  };
> }; // End View
>
> view "deafult" {  // Default
> match-clients {any; };
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query { any; };
>   file "sub/default.mydomain.idv.txt";
>  also-notify { a.b.c1.d key Default.mydomain.idv.;};
>  allow-transfer { key Default.mydomain.idv.; };
>  };
> }; // End View
>
> sub.mydomain.idv (Slave server -ip:a.b.c1.d)
> =
>
> server  a.b.c.d {
> provide-ixfr yes;
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> transfer-format many-answers;
> };
>
> server  a1.b1.c1.d1 {  // mydomain.idv primary server
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt"

Bind 9.11 question (ACL ecs )

2016-10-25 Thread HsuLiPing 
From 9.1 ARM chapter 7 that mention

The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform 
an authoritative
name server of the network address block from which the original query was 
received, enabling
authoritative servers to give different answers to the same resolver for 
different resolver clients.



An ACL containing an element of the form ecs prefix will match if a request 
arrives in containing
an ECS option encoding an address within that prefix. If the request has no ECS 
option,
then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed 
with "ecs" are
matched only against the source address.



Now i was migrate DNS bint fro 9.10 to 9.11 and use ECS prefix on my 
allow-query entry but when i use dig

test (not include +subnet) it not response but when i remvoe that ecs keyword 
every thing was OK.



I was use bind 9.11 setup three dns server one for mydomain.idv and two are 
sub.mydomain.idv.

my sub.mydomain.idv has multi view but has same zone.

when i use dig query sub.mydomain.idv entry it always return last match view, 
it will not reponse by client subnet

following was my partial named.conf content



sub.mydomain.idv (Primary server -ip:a.b.c.d) 
=========

acl "slave-ips" { a.b.c.d; };

server  a.b.c.d {
provide-ixfr yes;
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
transfer-format many-answers;
};

server  a1.b1.c1.d1 {  // mydomain.idv primary server
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
  directory   "d:\isc bind 9\var\named";
allow-update {none;};
notify explicit;
allow-transfer { none; };
allow-query { none; };
};

// End Options

view "area01" {
match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key 
Area01.mydomain.idv.;};
zone "sub.mydomain.idv" in {
 type master;
 allow-query { area01; ecs-area01; };
  file "sub/area01.mydomain.idv.txt";
 also-notify { a.b.c1.d key Area01.mydomain.idv.; };
 allow-transfer { key Area01.mydomain.idv.; };
 };
}; // End View

view "area02" {
match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key 
Area02.mydomain.idv.; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query { area02; ecs-area02; };
  file "sub/area02.mydomain.idv.txt";
 also-notify { a.b.c1.d key Area02.mydomain.idv.; };
 allow-transfer { key Area02.mydomain.idv.; };
 };
}; // End View

view "area03" {
match-clients {  area03; ecs-area03; !{!ecs-area03; any; } ; key 
Area03.mydomain.idv.; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query {  area03; ecs-area03; };
  file "sub/area03.mydomain.idv.txt";
  also-notify { a.b.c1.d key Area03.mydomain.idv.;};
  allow-transfer { key Area03.mydomain.idv.; };
 };
}; // End View

view "deafult" {  // Default
match-clients {any; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query { any; };
  file "sub/default.mydomain.idv.txt";
 also-notify { a.b.c1.d key Default.mydomain.idv.;};
 allow-transfer { key Default.mydomain.idv.; };
 };
}; // End View

sub.mydomain.idv (Slave server -ip:a.b.c1.d) 
=

server  a.b.c.d {
provide-ixfr yes;
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
transfer-format many-answers;
};

server  a1.b1.c1.d1 {  // mydomain.idv primary server
    request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
  directory   "d:\isc bind 9\var\named";
allow-update {none;};
notify explicit;
allow-transfer { none; };
allow-query { none; };
};

// End Options

view "area01" {
match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key 
Area01.mydomain.idv.;};
zone "sub.mydomain.idv" in {
 type slave;
 allow-query { area01; ecs-area01; };
  file "sub/area01.mydomain.idv.ca";
 masters { a.b.c.d key Area01.mydomain.idv.; };
 };
}; // End View

view "area0

Re: acl

2016-10-18 Thread Matthew Pounsett 
On 8 October 2016 at 09:57, Pol Hallen <bin...@fuckaround.org> wrote:

> 192.168.1/24 is not a valid netmask
>>
>
> huh?
> In linux and BSD I always use 192.168.1/24 (how shortcut of 192.168.1.0/24)
> and so on...


You're confusing network configuration with ACL syntax.

Where you're using 192.168.1.50/24 in your OS configuration, what you're
really saying is 192.168.1.50 netmask 255.255.255.0.
When you use it in an ACL, you're saying "the entire /24 that contains
192.168.1.50"


> hint: using /24 everywhere is nonsense
>>
>
> why?
>
> My goal is allow 192.168.1.0/24 (net) and deny 192.168.1.50 (host)
>
> thanks
>
> Pol


It sounds like what you want is to permit 192.168.1.0/24 and deny
192.168.1.50/32.



>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: defines ip to acl

2016-10-17 Thread Pol Hallen 

And don't forget the copious comments in named.conf, so that your successor can 
easily see, at a glance, what start/end addresses those clusters of ACL 
elements represent.



sure! :-)

thanks

Pol
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: defines ip to acl

2016-10-17 Thread Darcy Kevin (FCA) 
And don't forget the copious comments in named.conf, so that your successor can 
easily see, at a glance, what start/end addresses those clusters of ACL 
elements represent.


- Kevin


-Original Message-
From: Darcy Kevin (FCA) 
Sent: Monday, October 17, 2016 3:11 PM
To: bind-users@lists.isc.org
Subject: RE: defines ip to acl

Well, things are messy, because you haven't carved up your subnet on 
bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or 
some combination of these. It can be done:

192.168.1.1 through 192.168.1.99 = !192.168.1.0; 192.168.1.0/26; 
192.168.1.64/27; 192.168.1.96/30;

192.168.1.100 through 192.168.1.199 = 192.168.1.100/30; 192.168.1.104/29; 
192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29;

I might have made an error in the above -- did I mention that this is very 
error-prone as well? :-)


- Kevin

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol 
Hallen
Sent: Monday, October 17, 2016 2:37 PM
To: bind-users@lists.isc.org
Subject: defines ip to acl

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and ip from 192.168.1.100 
to 192.168.1.199 to acl2

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: defines ip to acl

2016-10-17 Thread Pol Hallen 

Acls don’t support ranges, only prefixes.  You don’t want the whole /24.  I 
think you want:

acl net1 {192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; }
acl net2 {192.168.1.100/30; 192.168.104/29; 192.168.1.112/28; 192.168.1.128/26; 
192.168.1.192/29; }


thanks guys :-)


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: defines ip to acl

2016-10-17 Thread Darcy Kevin (FCA) 
Well, things are messy, because you haven't carved up your subnet on 
bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or 
some combination of these. It can be done:

192.168.1.1 through 192.168.1.99 = !192.168.1.0; 192.168.1.0/26; 
192.168.1.64/27; 192.168.1.96/30;

192.168.1.100 through 192.168.1.199 = 192.168.1.100/30; 192.168.1.104/29; 
192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29;

I might have made an error in the above -- did I mention that this is very 
error-prone as well? :-)


- Kevin

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol 
Hallen
Sent: Monday, October 17, 2016 2:37 PM
To: bind-users@lists.isc.org
Subject: defines ip to acl

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and ip from 192.168.1.100 
to 192.168.1.199 to acl2

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: defines ip to acl

2016-10-17 Thread McDonald, Daniel (Dan) 
Acls don’t support ranges, only prefixes.  You don’t want the whole /24.  I 
think you want:

acl net1 {192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; }
acl net2 {192.168.1.100/30; 192.168.104/29; 192.168.1.112/28; 192.168.1.128/26; 
192.168.1.192/29; }
 

On 2016-10-17, 13:41, "bind-users on behalf of Pol Hallen" 
<bind-users-boun...@lists.isc.org on behalf of bin...@fuckaround.org> wrote:

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1
and ip from 192.168.1.100 to 192.168.1.199 to acl2

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

defines ip to acl

2016-10-17 Thread Pol Hallen 

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

ip from 192.168.1.1 to 192.168.1.99 belongs to acl1
and ip from 192.168.1.100 to 192.168.1.199 to acl2

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find nothing :-/

thanks for help

Pol
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ACL

2016-10-09 Thread Bob McDonald 
I think what you are looking for is:

acl test0 { !192.168.1.50/32; 192.168.1.0/24; };

http://jodies.de/ipcalc is a good resource for checking. (As was mentioned
by Reindl...)

Learning basic sub-netting of IP addresses (Both IPv4 and IPv6) takes time
but it's necessary for DNS configuration. There's plenty of other resources
out there. (Try googling sub-netting with or without the hyphen)

Hope that helps,

Bob

> Message: 1
> Date: Sat, 8 Oct 2016 15:14:36 +0200
> From: Pol Hallen <bin...@fuckaround.org>
> To: Bind Users <bind-users@lists.isc.org>
> Subject: acl
> Message-ID: <fb1d9827-71ee-ff59-4d2c-9262c8cd9...@fuckaround.org>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi all :-)
>
> can someone advice me about a fully howto / handbook to understand ACL?
>
> I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host:
>
> acl test0 { !192.168.1.50/24; 192.168.1/24;};
>
> thanks for help!
>
> Pol
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: acl

2016-10-08 Thread S Carr 
On 8 October 2016 at 14:14, Pol Hallen <bin...@fuckaround.org> wrote:
> acl test0 { !192.168.1.50/24; 192.168.1/24;};

acl test0 { !192.168.1.50; 192.168.1.0/24;};
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: acl

2016-10-08 Thread Pol Hallen 

192.168.1/24 is not a valid netmask


huh?
In linux and BSD I always use 192.168.1/24 (how shortcut of 
192.168.1.0/24) and so on...



hint: using /24 everywhere is nonsense


why?

My goal is allow 192.168.1.0/24 (net) and deny 192.168.1.50 (host)

thanks

Pol
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: acl

2016-10-08 Thread Reindl Harald 



Am 08.10.2016 um 15:14 schrieb Pol Hallen:

Hi all :-)

can someone advice me about a fully howto / handbook to understand ACL?

I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host:

acl test0 { !192.168.1.50/24; 192.168.1/24;};


192.168.1/24 is not a valid netmask
192.168.1.0/24 -> 192.168.1.1 - 192.168.1.254

192.168.1.50/24 is not a valid netmask
192.168.1.0/24 -> 192.168.1.1 - 192.168.1.254

honestly go to http://jodies.de/ipcalc and test what your proposed 
netmasks are doing


hint: using /24 everywhere is nonsense and what you are trying here (if 
it's accepted at all) is do allow and deny the actly same range by lack 
of understanding how network masks are working

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

acl

2016-10-08 Thread Pol Hallen 

Hi all :-)

can someone advice me about a fully howto / handbook to understand ACL?

I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host:

acl test0 { !192.168.1.50/24; 192.168.1/24;};

thanks for help!

Pol
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Reload only ACL

2016-04-26 Thread Bob Harold 
On Tue, Apr 26, 2016 at 10:22 AM, Ali Jawad <alijaw...@gmail.com> wrote:

> Hi Bob
> I did have a look at
> http://www.zytrax.com/books/dns/ch7/rpz.html#policy-client-ip-trigger ,
> and while in theory it can be used in a way similar to ACL I cant see how
> it accommodates for faster changes, would you please elaborate ?
>


You are correct, my mistake.  Looks like you can only block the client
completely, and not change just one answer for the client, so that will not
work for you.

-- 
Bob Harold



> On Tue, Apr 26, 2016 at 4:46 PM, Bob Harold <rharo...@umich.edu> wrote:
>
>>
>> On Mon, Apr 25, 2016 at 5:30 PM, Carl Byington <c...@byington.org> wrote:
>>
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA512
>>>
>>> On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote:
>>> > based on a user tool the users "hundreds in corporate environment" get
>>> > either public or private zone,
>>>
>>> Rather than the tool writing an ACL for bind, can the tool instead
>>> reconfigure the user's local workstation dns settings to point to one of
>>> two different (sets of) bind servers? One serves the public zone, one
>>> serves the private zone.
>>>
>>>
>>>
>> You might be able to use RPZ to give a list of users a different answer
>> for certain queries, and that can be dynamically updated quickly, if I
>> understand it correctly.  That might work better than ACLs and views for a
>> fast-changing list of users.
>>
>> --
>> Bob Harold
>>
>>
>>
>> ___
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Reload only ACL

2016-04-26 Thread Ali Jawad 
Hi Bob
I did have a look at
http://www.zytrax.com/books/dns/ch7/rpz.html#policy-client-ip-trigger , and
while in theory it can be used in a way similar to ACL I cant see how it
accommodates for faster changes, would you please elaborate ?

On Tue, Apr 26, 2016 at 4:46 PM, Bob Harold <rharo...@umich.edu> wrote:

>
> On Mon, Apr 25, 2016 at 5:30 PM, Carl Byington <c...@byington.org> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote:
>> > based on a user tool the users "hundreds in corporate environment" get
>> > either public or private zone,
>>
>> Rather than the tool writing an ACL for bind, can the tool instead
>> reconfigure the user's local workstation dns settings to point to one of
>> two different (sets of) bind servers? One serves the public zone, one
>> serves the private zone.
>>
>>
>>
> You might be able to use RPZ to give a list of users a different answer
> for certain queries, and that can be dynamically updated quickly, if I
> understand it correctly.  That might work better than ACLs and views for a
> fast-changing list of users.
>
> --
> Bob Harold
>
>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Reload only ACL

2016-04-26 Thread Bob Harold 
On Mon, Apr 25, 2016 at 5:30 PM, Carl Byington <c...@byington.org> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote:
> > based on a user tool the users "hundreds in corporate environment" get
> > either public or private zone,
>
> Rather than the tool writing an ACL for bind, can the tool instead
> reconfigure the user's local workstation dns settings to point to one of
> two different (sets of) bind servers? One serves the public zone, one
> serves the private zone.
>
>
>
You might be able to use RPZ to give a list of users a different answer for
certain queries, and that can be dynamically updated quickly, if I
understand it correctly.  That might work better than ACLs and views for a
fast-changing list of users.

-- 
Bob Harold
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Reload only ACL

2016-04-25 Thread Carl Byington 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote:
> based on a user tool the users "hundreds in corporate environment" get
> either public or private zone,

Rather than the tool writing an ACL for bind, can the tool instead
reconfigure the user's local workstation dns settings to point to one of
two different (sets of) bind servers? One serves the public zone, one
serves the private zone.



-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAlcejGIACgkQL6j7milTFsFGxQCeLAh24G0V0Q/TqxhJCpJo9urj
n3wAn3ZaYI0s6ubAuBNHISoNsVLmdbS4
=xrrO
-END PGP SIGNATURE-



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Reload only ACL

2016-04-25 Thread Anand Buddhdev 
On 25/04/16 22:23, Ali Jawad wrote:

Hi Ali Jawad,

> I do have a very specific requirement for private/public zones and based on
> a user tool the users "hundreds in corporate environment" get either public
> or private zone, the tool simply writes to an ACL file, my problem is that
> the only way I found that does not flush the cache of the server and
> reloads the ACL is rndc reconfig, but that appears to stall the server for
> new queries "tested with dig" for a few moments, and given I have a change
> of ACL from a user every a few times per minute it is not very viable. Is
> there an alternative to doing this ? and/or a way to have BIND load the ACL
> dynamically ?

I'm not aware of any way to look up ACLs dynamically. However, a
configuration that involves reconfiguring BIND several times a minute
seems like a bad design. Can't you have pre-defined address ranges of
public or private zones, and just pre-configure these in BIND once?

Sometimes it helps to rethink your design.

Regards,

Anand
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reload only ACL

2016-04-25 Thread Ali Jawad 
Hi
I do have a very specific requirement for private/public zones and based on
a user tool the users "hundreds in corporate environment" get either public
or private zone, the tool simply writes to an ACL file, my problem is that
the only way I found that does not flush the cache of the server and
reloads the ACL is rndc reconfig, but that appears to stall the server for
new queries "tested with dig" for a few moments, and given I have a change
of ACL from a user every a few times per minute it is not very viable. Is
there an alternative to doing this ? and/or a way to have BIND load the ACL
dynamically ?
Regards
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Database driven ACL

2016-02-29 Thread Evan Hunt 
On Mon, Feb 29, 2016 at 04:11:03PM -0500, Alan Clegg wrote:
> Would also be cool to have a meta-zone or type (overlay similar to RPZ
> perhaps?) that could be used to configure DNS options.
> 
> Then your existing DNS tools could act as your management interface.

Stay tuned for 9.11, which will have an implementation of something like
https://tools.ietf.org/html/draft-muks-dnsop-dns-catalog-zones-00.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Database driven ACL

2016-02-29 Thread Alan Clegg 
On 2/29/16, 4:04 PM, "/dev/rob0"  wrote:

>On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote:
>> Is there a mature/tested method of loading ACLs through a DB query
>> instead of editing the config file or reading/writing into a text
>> file ?
>
>I like this idea.  I'd further suggest using either:
>  1. An abstraction layer such that any DB backend might be used; or
>  2. sqlite3

Would also be cool to have a meta-zone or type (overlay similar to RPZ
perhaps?) that could be used to configure DNS options.

Then your existing DNS tools could act as your management interface.

AlanC


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Database driven ACL

2016-02-29 Thread Ali Jawad 
Hi
Is there a mature/tested method of loading ACLs through a DB query  instead
of editing the config file or reading/writing into a text file ?
Regards
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Negation in view match-clients ACL doesn't work?

2015-08-06 Thread Cathy Almond 
On 04/08/2015 21:29, Darcy Kevin (FCA) wrote:
 The short answer is that that is how address-match-lists work: a non-negated 
 match allows access, a negated match denies access, and if there is *no* 
 match, access is denied. The only real reason to use a negated match, 
 therefore, is when what you're negating is a subset of something later in the 
 address-match-list.
 
 You do realize, I hope, that you could just change the order of the views and 
 then you wouldn't need any form of negation (earlier one matches 127.0.0.1, 
 later one matches any).
 
   - Kevin
 
 -Original Message-
 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of MURTARI, JOHN
 Sent: Tuesday, August 04, 2015 4:19 PM
 To: bind-users@lists.isc.org
 Subject: Negation in view match-clients ACL doesn't work?
 
 Folks,
 
   This has been a real mystery and haven't been able to find a good 
 explanation for the behavior. For a simple example I have two views setup and 
 I want to differentiate access based on queries originating from 127.0.0.1.
 
   In my FIRST ATTEMPT I just negated the IP address, but that didn't 
 work.  The first view never matched.   In the SECOND ATTEMPT I simply added 
 any AFTER the negation  and that worked?
   
   I read the ARM, can someone explain?  Many Thanks!
 
 FIRST ATTEMPT:  Fails - no clients can see external_zones.
 
 view default-test {
  match-clients { ! 127.0.0.1; };  // thought this would match anyone but 
 127.0.0.1
 
  zone . {
 type hint;
 file db.cache;
  };
  zone 0.0.127.in-addr.arpa {
 type master;
 file db.127.0.0.0;
  };
 
  include external_zones.txt;
 };
 
 view default {
  match-clients { any; };
 
  zone . {
 type hint;
 file db.cache;
  };
  zone 0.0.127.in-addr.arpa {
 type master;
 file db.127.0.0.0;
  };
 
  include internal_zones.txt;  
 };
 
 SECOND ATTEMPT: Succeeds, only external clients can see external_zones.
 
 view default-test {
  match-clients { ! 127.0.0.1;  any; };  // Why must I add any?
 ..
 
Although it's dealing with a different question, this KB article might
help a bit with understanding ACLs:

https://kb.isc.org/article/AA-00723

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Dynamic ACL

2015-04-08 Thread Ali Jawad 
Hi
I am running BIND 9.10 and I have looked through various options including
DLZ and RPZ but I am still not sure if they can do what I need or if i need
to look at something different. Here is my scenario and I would appreciate
if you could advice me.


   - I do have 6 different Geo ACLs and a default ACL
  - Each ACL has its own zone file , users get served based on Geo
  location. If the users are not part of any geo location they are
served the
  default ACL and zone files.
  - For a few hundred users I want to asign their IPs to specific Geo
  locations even if they do not belong to those locations. I want
to do this
  on the fly without having to edit zone files and if possible
without having
  to reload BIND. I want to keep it as dynamic as possible.

Any input please ?

Regards
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dynamic ACL

2015-04-08 Thread Ali Jawad 
Hi Barry
I would rather not do that through editing text files unless it is the last
option. I want this dynamic and scalable . Down the road users will have
option to change their view as such simultaneous read/write might happen
Regards
On Apr 8, 2015 4:42 PM, Barry Margolin bar...@alum.mit.edu wrote:

 In article mailman.1908.1428494842.26362.bind-us...@lists.isc.org,
  Ali Jawad alijaw...@gmail.com wrote:

  Hi
  I am running BIND 9.10 and I have looked through various options
 including
  DLZ and RPZ but I am still not sure if they can do what I need or if i
 need
  to look at something different. Here is my scenario and I would
 appreciate
  if you could advice me.
 
 
 - I do have 6 different Geo ACLs and a default ACL
- Each ACL has its own zone file , users get served based on Geo
location. If the users are not part of any geo location they are
  served the
default ACL and zone files.
- For a few hundred users I want to asign their IPs to specific Geo
locations even if they do not belong to those locations. I want
  to do this
on the fly without having to edit zone files and if possible
  without having
to reload BIND. I want to keep it as dynamic as possible.
 
  Any input please ?
 
  Regards

 Sounds like you should be able to do this all with views. When you
 reassign an IP, you edit named.conf to change the match-address
 clause, and use rndc reconfig to load the new named.conf file.

 --
 Barry Margolin
 Arlington, MA
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to
 unsubscribe from this list

 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dynamic update of split view acl

2015-02-28 Thread Robert Senger 
Hi Matt,

in my understanding, rndc reload zone in view reloads the zone
file only, not the configuration where the matched-clients { }
statement is listed. So, you'll have to run a full config reload if you
change the matched-clients { } list.

I just wonder why you want to move a client's ip from one view to the
other?

Cheers,
 
Robert

 Am Samstag, den 28.02.2015, 04:27 -0800 schrieb Matt Calder:
 .57.0.0/24 is still matched
 by view1. Is there any way to accomplish this?

-- 
Robert Senger robert.sen...@microscopium.de
PGP/GPG Public Key ID: 24E78B5E


signature.asc
Description: This is a digitally signed message part
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

dynamic update of split view acl

2015-02-28 Thread Matt Calder 
I'm running BIND 9.9.5-3 on Ubuntu 14.04.1.

I'm trying to figure out how to change the match-clients prefixes in a view
without having to restart BIND or do full config reload. My actual BIND
config has many views and restarts can take several minutes.

Here is my simple test set up.















*view view1 {match-clients { 204.57.0.0/24
http://204.57.0.0/24; 204.57.5.0/24 http://204.57.5.0/24; };zone
domaintest.com http://domaintest.com/ in {type master;
file /etc/bind/view1.zone;};};view view2 {match-clients
{ 216.55.18.0/24 http://216.55.18.0/24; };zone domaintest.com
http://domaintest.com/ in {type master;file
/etc/bind/view2.zone;};};*


Say I move 204.57.0.0/24 from view1 to view2, my hope was that I could
simply do


*$ rndc reload domaintest.com http://domaintest.com/ in view1$ rndc
reload domaintest.com http://domaintest.com/ in view2*

and match-clients would also be updated but this doesn’t work. I increment
the serial of view1.zone and view2.zone, but 204.57.0.0/24 is still matched
by view1. Is there any way to accomplish this?

Thanks,
Matt
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dynamic update of split view acl

2015-02-28 Thread /dev/rob0 
On Sat, Feb 28, 2015 at 04:27:36AM -0800, Matt Calder wrote:
 I'm running BIND 9.9.5-3 on Ubuntu 14.04.1.
 
 I'm trying to figure out how to change the match-clients prefixes 
 in a view without having to restart BIND or do full config reload. 
 My actual BIND config has many views and restarts can take several 
 minutes.

Did you try rndc reconfig?  That might be a bit faster because it 
doesn't reload zones.

 Here is my simple test set up.

Unfortunately HTMLified by your MUA.

 *view view1 {match-clients { 204.57.0.0/24
 http://204.57.0.0/24; 204.57.5.0/24 http://204.57.5.0/24; };zone
 domaintest.com http://domaintest.com/ in {type master;
 file /etc/bind/view1.zone;};};view view2 {match-clients
 { 216.55.18.0/24 http://216.55.18.0/24; };zone domaintest.com
 http://domaintest.com/ in {type master;file
 /etc/bind/view2.zone;};};*

I'd recommend using acl statements:

#v+
# here I am naming each component network
# (use names that make sense to you)
acl net-57-0 { 204.57.0.0/24; };
acl net-57-5 { 204.57.5.0/24; };
acl net-216-55-18 { 216.55.18.0/24; };
# and then I build the composite networks per view
acl view1 { net-57-0; net-57-5; };
acl view2 { net-216-55-18; };

# That done, use the composites as match-clients:

view view1 {
match-clients { view1; };
... (other view stuff) ...
};

view view2 {
match-clients { view2; };
... (other view stuff) ...
};
#v-

 Say I move 204.57.0.0/24 from view1 to view2, my hope was that I 
 could simply do
 
 
 *$ rndc reload domaintest.com http://domaintest.com/ in view1
 $ rndc reload domaintest.com http://domaintest.com/ in view2*
 
 and match-clients would also be updated but this doesn’t work.
 I increment the serial of view1.zone and view2.zone, but 
 204.57.0.0/24 is still matched by view1. Is there any way to 
 accomplish this?

Right.  So you redo your acl statements and do rndc reconfig.

The acls are simply there to make it easier to manage.  The real 
answer is reconfig.  That will work even without acls.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dynamic update of split view acl

2015-02-28 Thread Matt Calder 
Hi Robert,

Thanks for the reply.

I also should have mentioned that this is for an authoritative DNS setup.
I'm evaluating different DNS options to support CDN-like testbed where, due
to Internet path changes/outages, I would ideally like the ability to
rapidly change where particular clients are directed. Appreciate any
additional suggestions!

Thanks,
Matt

On Sat, Feb 28, 2015 at 4:48 AM, Robert Senger rs-...@microscopium.de
wrote:

 Hi Matt,

 in my understanding, rndc reload zone in view reloads the zone
 file only, not the configuration where the matched-clients { }
 statement is listed. So, you'll have to run a full config reload if you
 change the matched-clients { } list.

 I just wonder why you want to move a client's ip from one view to the
 other?

 Cheers,

 Robert

  Am Samstag, den 28.02.2015, 04:27 -0800 schrieb Matt Calder:
  .57.0.0/24 is still matched
  by view1. Is there any way to accomplish this?

 --
 Robert Senger robert.sen...@microscopium.de
 PGP/GPG Public Key ID: 24E78B5E

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dynamic update the ip addresses list defined within acl clause

2014-01-29 Thread Alan Clegg 

On Jan 29, 2014, at 7:45 AM, Pika.Aman a...@thingsto.me wrote:

 Hi there,
 
   I would like to ask if there exists any way to dynamic update the ip 
 addresses in the list of the ACL clause without reload or re-start the bind 
 server? Hoping someone can help me! Thank you!!

You could put the definition of the ACL into a file that you INCLUDE into the 
config file and then, when you modify it, do a rndc reconfig which should not 
impact your service too much.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dynamic update the ip addresses list defined within acl clause

2014-01-29 Thread Matus UHLAR - fantomas 

On 29.01.14 14:45, Pika.Aman wrote:


I would like to ask if there exists any way to dynamic update the ip
addresses in the list of the ACL clause without reload or re-start the
bind server?  Hoping someone can help me!  Thank you!!


No, the dynamic configuration like this is not supported.  However, you
should be able to configure signature-based updates (I think SIG(0) does
that).


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Dynamic update the ip addresses list defined within acl clause

2014-01-28 Thread Pika.Aman 
Hi there, 

I would like to ask if there exists any way to dynamic update the ip addresses 
in the list of the ACL clause without reload or re-start the bind server? 
Hoping someone can help me! Thank you!! 

-- 
Pika Aman
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Performance impact of a large ACL list.

2013-02-08 Thread Shane Kerr 
Augie,

On Monday, 2013-02-04 19:01:38 -0600, 
Jeremy C. Reed jr...@isc.org wrote:
 On Mon, 4 Feb 2013, Augie Schwer wrote:
 
  Does anyone have any experience using a large ( 1k ) entry ACL list?
  Was there any performance degradation?
  
  I haven't implemented my ACL yet, but it has quickly ballooned up,
  and I am hoping to get some advice from others in a similar
  situation.
 
 It has been a few years since I researched this.  (I should re-add
 this to my existing performance and resource usage tests.)
 
 BIND 9.5 had various ACL improvements including support for O(1) ACL 
 processing, based on radix tree code. As one example, with 20,000 to 
 100,000 ACLs some of my tests for 9.4 only has around 80 to 400 qps, 
 while the new version has around 21,000 qps.

This specific change should mean that adding IP-based ACL will not slow
down ACL performance.

However, if you are using TSIG-based ACL then we can't store them in
a radix tree, and these still scale linearly with the number of
entries, IIRC. I suppose we can change this to a tree-based structure at
some point if there is a real need for large TSIG-based ACL. It still
won't be as fast as IP-based ACL, but it should be much faster than the
simple list-based implementation we have now.

Cheers,

--
Shane
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Performance impact of a large ACL list.

2013-02-04 Thread Augie Schwer 
Does anyone have any experience using a large ( 1k ) entry ACL list?

Was there any performance degradation?

I haven't implemented my ACL yet, but it has quickly ballooned up, and I am
hoping to get some advice from others in a similar situation.


-- 
Augie Schwer-au...@schwer.us-http://schwer.us
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Performance impact of a large ACL list.

2013-02-04 Thread Jeremy C. Reed 
On Mon, 4 Feb 2013, Augie Schwer wrote:

 Does anyone have any experience using a large ( 1k ) entry ACL list?
 Was there any performance degradation?
 
 I haven't implemented my ACL yet, but it has quickly ballooned up, and I am
 hoping to get some advice from others in a similar situation.

It has been a few years since I researched this.  (I should re-add this 
to my existing performance and resource usage tests.)

BIND 9.5 had various ACL improvements including support for O(1) ACL 
processing, based on radix tree code. As one example, with 20,000 to 
100,000 ACLs some of my tests for 9.4 only has around 80 to 400 qps, 
while the new version has around 21,000 qps.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

ACL per listening IP address ?

2012-09-27 Thread Oscar Ricardo Silva 
I have several multi-homed caching servers and am using anycast.  Each 
server has it's native interface and then all of them advertise two 
other IP addresses, 128.83.185.40 and 128.83.185.41.  BIND only listens 
on these other two IP addresses.  There is no problem with this setup, 
it works fine and queries are serviced without problem.



options {
listen-on port 53 {
128.83.185.40;
128.83.185.41;
};


Since these different physical servers are advertising the same IP 
addresses (the two above), verifying the status/health of the instance 
of BIND is tricky.  Basically we have a script running on each server 
which is used by our monitoring service.


Is there a way to apply individual BIND ACLs to each of the listening 
interfaces, restricting who can query that particular address? My idea 
is to add the native (unique) interface to named.conf but only allow 
certain IP addresses to issue queries against it.


I'm not very familiar with the concept of views but I wonder if the 
match-client statement might be the way to go.  Alternatively we can 
setup an external ACL (or firewall statement) that only allows queries 
to the native address from our monitoring service.


Clear as mud?


Oscar
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ACL per listening IP address ?

2012-09-27 Thread Evan Hunt 
 I'm not very familiar with the concept of views but I wonder if the 
 match-client statement might be the way to go.

It sounds like the one you're interested in is match-destinations
actually.

options {
listen-on port 53 { 128.83.185.40; 128.83.185.41; NATIVE IP; };
...
};

view monitor {
match-destinations { NATIVE IP; };
recursion no;
allow-query { localhost; };
zone testzone {
type master;
file test.db;
};
};

view others {
match-destinations { any; };
recursion yes;
allow-recursion { ... };
...
};

Any queries sent to NATIVE IP would then be routed into the monitor
view, and any queries sent to the public-facing addresses would go to
the others view.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem with ACL in named.conf

2012-08-30 Thread Cathy Almond 
On 30/08/12 03:19, GS Bryan wrote:
 My BIND version, as shown by 'named -v' is BIND 
 9.9.1-P1-RedHat-9.9.1-2.P1.el6.
 
 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever.
 --
 Bryan S.G.
 

You're correct - named-checkconf doesn't see the problem, but named
errors during start-up.  I'm opening a bug ticket for you.

Cathy

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem with ACL in named.conf

2012-08-30 Thread Cathy Almond 
On 30/08/12 03:17, GS Bryan wrote:
 hmm... that explains it.
 
 Damn, DNSMadeEasy needs to have notify notices sent to a different IP
 set than their nameserver service. This means that I have to hardcode
 this myself.
 
 Another question then, if zone 'example.net' has the NS records of
 'ns1.example.net' (its IP address is 101.1.1.1) and 'ns2.example.net'
 (its IP address is 101.1.2.1), then if I put the 'also-notify {
 22.22.22.222; 22.22.22.223; 22.22.22.224; };' in the zone clause, when
 the zone file is modified, notify messages will be sen to 101.1.1.1,
 101.1.2.1, 2.22.22.222, 22.22.22.223, and 22.22.22.224 right?

Yes (except for the master listed in the SOA record), and unless you
have 'notify explicit;' set.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Problem with ACL in named.conf

2012-08-29 Thread GS Bryan 
I tried to use the acl statement in my named.conf file, but I have a
hard time making it work. In my named.conf file, I've put these acl
statements in these formats (made up IP addresses mind you):-

--
// Individual ACL list

acl addr1 {
11.22.33.44;
12.23.34.45;
};

acl addr2 {
22.33.44.55;
5.4.3.2;
99.0.0.0;
};

acl addr3 {
111.3.4.5;
2001:3000::1;
122.3.4.5;
2001:3000::2;
};


// Nested ACLs list

acl alladdr {
addr1;
addr2;
addr3;
};



Then when I put the 'alladdr' thing in my 'allow-transfer' and
'also-notify' arguments, as shown below, BIND will fail to start:-

---

zone example.net {
type master;
file examplenet.conf;
allow-transfer { alladdr; };
also-notify { alladdr; };
key-directory keys/examplenet/;
inline-signing yes;
auto-dnssec maintain;
};

---

Here is the log:-

--

BIND 9 is maintained by Internet Systems Consortium,
Inc. (ISC), a non-profit 501(c)(3) public-benefit
corporation.  Support and training for BIND 9 are
available at https://www.isc.org/support

adjusted limit on open files from 1024 to 1048576
found 1 CPU, using 1 worker thread
using 1 UDP listener per interface
using up to 4096 sockets
loading configuration from '/etc/named.conf'
reading built-in trusted keys from file '/etc/named.iscdlv.key'
using default UDP/IPv4 port range: [1024, 65535]
using default UDP/IPv6 port range: [1024, 65535]
listening on IPv4 interface lo, 127.0.0.1#53
listening on IPv4 interface venet0:0, redacted#53
listening on IPv6 interface lo, ::1#53
listening on IPv6 interface venet0, redacted#53
generating session key for dynamic DNS
sizing zone task pool based on 10 zones
/etc/named.conf:111: masters alladdr not found
loading configuration: not found
exiting (due to fatal error)
-

From examples I read from the Internet, I don;t think I have done
anything wrong. If I put all the IP addresses from addr1, addr2 and
addr3 into the allow-transfer and also-notify statements, BIND will
start normally without problems.

Thanks for reading.
--
Bryan S.G.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem with ACL in named.conf

2012-08-29 Thread Doug Barton 
On 08/29/2012 03:25 PM, GS Bryan wrote:
 Then when I put the 'alladdr' thing in my 'allow-transfer' and
 'also-notify' arguments,

also-notify does not take an acl. The ARM will give you more information
on the grammar.

That said, this is a very annoying problem that I wish there was a
better solution for. I used to build my conf files with m4 to work
around this, but that was a big hammer for a very large installation.
You might be able to do something simpler by putting notes in the conf
to remind people who update 1 area to also update the other.

Doug
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem with ACL in named.conf

2012-08-29 Thread Jeremy C. Reed 
On Thu, 30 Aug 2012, GS Bryan wrote:

 also-notify { alladdr; };

This uses an ip_addr instead of an address_match_list. Some versions of 
named-checkconf will tell you expected IP address.

 /etc/named.conf:111: masters alladdr not found

I can't reproduce your problem. What version of BIND are you running?  
(I am surprised it didn't log the version.)  Also please consider using 
named-checkconf in your testing.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem with ACL in named.conf

2012-08-29 Thread Mark Andrews 

In message 
CAOJ-cLgi-Z1DyEnKq1PbK4+jzGG3ew8ZHfv10B751sEbb9V-=q...@mail.gmail.com
, GS Bryan writes:
 I tried to use the acl statement in my named.conf file, but I have a
 hard time making it work. In my named.conf file, I've put these acl
 statements in these formats (made up IP addresses mind you):-
 
 --
 // Individual ACL list
 
 acl addr1 {
   11.22.33.44;
   12.23.34.45;
 };
 
 acl addr2 {
   22.33.44.55;
   5.4.3.2;
   99.0.0.0;
 };
 
 acl addr3 {
   111.3.4.5;
   2001:3000::1;
   122.3.4.5;
   2001:3000::2;
 };
 
 
 // Nested ACLs list
 
 acl alladdr {
   addr1;
   addr2;
   addr3;
 };
 
 
 
 Then when I put the 'alladdr' thing in my 'allow-transfer' and
 'also-notify' arguments, as shown below, BIND will fail to start:-

also-notify does not take a ACL (it is not a access control).
It will take a named masters list.

 ---
 
 zone example.net {
 type master;
 file examplenet.conf;
 allow-transfer { alladdr; };
 also-notify { alladdr; };
   key-directory keys/examplenet/;
   inline-signing yes;
   auto-dnssec maintain;
 };
 
 ---
 
 Here is the log:-
 
 --
 
 BIND 9 is maintained by Internet Systems Consortium,
 Inc. (ISC), a non-profit 501(c)(3) public-benefit
 corporation.  Support and training for BIND 9 are
 available at https://www.isc.org/support
 
 adjusted limit on open files from 1024 to 1048576
 found 1 CPU, using 1 worker thread
 using 1 UDP listener per interface
 using up to 4096 sockets
 loading configuration from '/etc/named.conf'
 reading built-in trusted keys from file '/etc/named.iscdlv.key'
 using default UDP/IPv4 port range: [1024, 65535]
 using default UDP/IPv6 port range: [1024, 65535]
 listening on IPv4 interface lo, 127.0.0.1#53
 listening on IPv4 interface venet0:0, redacted#53
 listening on IPv6 interface lo, ::1#53
 listening on IPv6 interface venet0, redacted#53
 generating session key for dynamic DNS
 sizing zone task pool based on 10 zones
 /etc/named.conf:111: masters alladdr not found
 loading configuration: not found
 exiting (due to fatal error)
 -
 
 From examples I read from the Internet, I don;t think I have done
 anything wrong. If I put all the IP addresses from addr1, addr2 and
 addr3 into the allow-transfer and also-notify statements, BIND will
 start normally without problems.

A plain address in a acl is shorthand for address/32 or address/128
depending apon the address type.  While they are visually similar
the two list are functionally very different.

The acl addr3 you have above is short hand for:

acl addr3 {
111.3.4.5/32;
2001:3000::1/128;
122.3.4.5/32;
2001:3000::2/128;
};

You could define master lists as use those.

e.g.
master addr3 {
111.3.4.5;
2001:3000::1;
122.3.4.5;
2001:3000::2;
};

you can even tell named to use specify keys and ports when talking
to the server.

master addr3 {
111.3.4.5 port 333 key ;
2001:3000::1;
122.3.4.5;
2001:3000::2;
};
Mark


 Thanks for reading.
 --
 Bryan S.G.
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
  from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem with ACL in named.conf

2012-08-29 Thread Doug Barton 
On 08/29/2012 04:02 PM, Mark Andrews wrote:
 A plain address in a acl is shorthand for address/32 or address/128
 depending apon the address type.  While they are visually similar
 the two list are functionally very different.

Mark,

I understand the behind the scenes reasons why the 2 things are
handled differently. But I still think it would be awesome to have a new
kind of list that accepts bare IP addresses, and can be used inside both
allow-transfer and also-notify. It's a really common issue to need to
configure the same list for both, and having to do it twice in the first
place, and then keep it updated twice down the road, really screams out
for a programmatic solution.

Doug
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem with ACL in named.conf

2012-08-29 Thread GS Bryan 
hmm... that explains it.

Damn, DNSMadeEasy needs to have notify notices sent to a different IP
set than their nameserver service. This means that I have to hardcode
this myself.

Another question then, if zone 'example.net' has the NS records of
'ns1.example.net' (its IP address is 101.1.1.1) and 'ns2.example.net'
(its IP address is 101.1.2.1), then if I put the 'also-notify {
22.22.22.222; 22.22.22.223; 22.22.22.224; };' in the zone clause, when
the zone file is modified, notify messages will be sen to 101.1.1.1,
101.1.2.1, 2.22.22.222, 22.22.22.223, and 22.22.22.224 right?
--
Bryan S.G.


On Thu, Aug 30, 2012 at 9:42 AM, Doug Barton do...@dougbarton.us wrote:
 On 08/29/2012 03:25 PM, GS Bryan wrote:
 Then when I put the 'alladdr' thing in my 'allow-transfer' and
 'also-notify' arguments,

 also-notify does not take an acl. The ARM will give you more information
 on the grammar.

 That said, this is a very annoying problem that I wish there was a
 better solution for. I used to build my conf files with m4 to work
 around this, but that was a big hammer for a very large installation.
 You might be able to do something simpler by putting notes in the conf
 to remind people who update 1 area to also update the other.

 Doug
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problem with ACL in named.conf

2012-08-29 Thread GS Bryan 
My BIND version, as shown by 'named -v' is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6.

'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever.
--
Bryan S.G.


On Thu, Aug 30, 2012 at 9:59 AM, Jeremy C. Reed jr...@isc.org wrote:
 On Thu, 30 Aug 2012, GS Bryan wrote:

 also-notify { alladdr; };

 This uses an ip_addr instead of an address_match_list. Some versions of
 named-checkconf will tell you expected IP address.

 /etc/named.conf:111: masters alladdr not found

 I can't reproduce your problem. What version of BIND are you running?
 (I am surprised it didn't log the version.)  Also please consider using
 named-checkconf in your testing.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

undefined ACL error while running named-checkconf file

2011-12-03 Thread babu dheen 
Hello,
 
I am running slave DNS server using BIND. Today when try to run named-checkconf 
file as below , i am getting highlighted error. 
 
 Kindly assist me
 
 [root@server]# named-checkconf /etc/named.rfc1912.zones
/etc/named.rfc1912.zones:78: undefined ACL 'redhat'
/etc/named.rfc1912.zones:85: undefined ACL 'redhat'
/etc/named.rfc1912.zones:92: undefined ACL 'redhat'
/etc/named.rfc1912.zones:100: undefined ACL 'redhat'
 
My /etc/named.rfc1912.zones file is given below
 
zone . IN {
    type hint;
    file named.ca;
};

zone 227.18.217.in-addr.arpa IN {
  type slave;
  file slaves/svns.company.db ;
  allow-query { redhat; };
  masters { 10.0.0.1; };
};
zone 226.18.217.in-addr.arpa IN {
    type slave;
    file slaves/MX.db ;
    allow-query { redhat; };
    masters { 10.0.0.1; };
};
zone 225.18.217.in-addr.arpa IN {
 type slave;
 file slaves/VPN.db ;
 allow-query { redhat; };
 masters { 10.0.0.1; };
};

zone 232.18.217.in-addr.arpa IN {
 type slave;
 file slaves/drns.company.db ;
 allow-query { redhat; };
 masters { 10.0.0.1; };
};
 
2. My /etc/named.caching-nameserver.conf file content
 
acl redhat { any; };
options {
    listen-on port 53 { 127.0.0.1; 10.0.0.2; };
    directory   /var/named;
    dump-file   /var/named/data/cache_dump.db;
    statistics-file /var/named/data/named_stats.txt;
    memstatistics-file /var/named/data/named_mem_stats.txt;
    query-source    port 53;
logging {
    channel default_debug {
    file data/named.run;
    severity dynamic;
    };
    channel my_file {
 file data/log.msgs;
  severity dynamic;
    };
  category queries { my_file; };
};

view localhost_resolver {
    match-clients  { localhost; 10.0.0.1/23; any; };
 match-destinations { localhost; };
    recursion yes;
    include /etc/named.rfc1912.zones;
 
 
Regards
Papdheen M



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: undefined ACL error while running named-checkconf file

2011-12-03 Thread Anand Buddhdev 
On 03/12/2011 10:57, babu dheen wrote:

 Hello,
  
 I am running slave DNS server using BIND. Today when try to run
 named-checkconf file as below , i am getting highlighted error.
  
  Kindly assist me
  
  [root@server]# named-checkconf /etc/named.rfc1912.zones
 /etc/named.rfc1912.zones:78: undefined ACL 'redhat'
 /etc/named.rfc1912.zones:85: undefined ACL 'redhat'
 /etc/named.rfc1912.zones:92: undefined ACL 'redhat'
 /etc/named.rfc1912.zones:100: undefined ACL 'redhat'

Isn't it kind of obvious? You are checking the syntax of the file
named.rfc1912.zones, but the ACL is refers to is defined in another
file. How will named-checkconf know that the ACL is in another file
called named.caching-nameserver.conf?

You would do better to run named-checkconf on named.caching-nameserver.conf.

Regards,

Anand Buddhdev
RIPE NCC
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: undefined ACL error while running named-checkconf file

2011-12-03 Thread babu dheen 
Dear Anand,
 
Yes, both primary and slave running with different version. Will it cause any 
problem if both are running with different version?
 


--- On Sat, 3/12/11, Anand Buddhdev ana...@ripe.net wrote:


From: Anand Buddhdev ana...@ripe.net
Subject: Re: undefined ACL error while running named-checkconf file
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Saturday, 3 December, 2011, 5:26 PM


On 03/12/2011 12:44, babu dheen wrote:

Babu,

 I am maintaining the same configuration on primary server but when i
 execute the same command refering /etc/named.rfc1912.zones file, i am
 not getting any error.

Are the files identical? Are the versions of BIND on both servers the
same? Obviously, there must be something different, which results in the
error message.

 But when i execute the same command in my slave server, i am getting
 this error.
  
 Can you tell me how to enable the debug logs in bind?

Try reading the BIND manual first. If you don't understand something
specific, ask about it on the bind-users mailing list.

Regards,

Anand
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread pgngw+dev001+bind-users 
i've bind9 running as a primaryhost to a number of bind-andb-other
slaves.

i'm trying to set up to use different TSIG keys with different
secondaries.

in my named.conf, i've

...
acl acl_slave_1 { 1.1.1.1; };
acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; };
...
zone test.com {
type master; file /master/test.com.hosts;
allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
!{!acl_slave_2;}; key key-slave-2; }; };
allow-update { none; };
};
...
key key-slave-1 { algorithm hmac-md5; secret Cf...g==; };
key key-slave-2 { algorithm hmac-md5; secret rl...8==; };

in this conf, IXFR to 1.1.1.1 with TSIG works as expected.  but, *NO*
IXFR occurs to any slave in acl_slave_2{}.

if, however, I change to

--- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
!{!acl_slave_2;}; key key-slave-2; }; };
+++ allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
!{!2.2.2.2;}; key key-slave-2; }; };

IXFR to 1.1.1.1  2.2.2.2 both occur OK with TSIG.

also, with

--- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
!{!acl_slave_2;}; key key-slave-2; }; };
--- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; };
acl_slave_2; };

IXFR to 1.1.1.1 with TSIG  to all slaves in acl_slave_2{}, without
TSIG, both occur OK.

what's the right syntax for enabling IXFR to the entire TSIG- 
IP-restricted set of hosts in acl_slave_2{}?
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread Sten Carlsen 
Given that you control your key distribution correctly and safely, would
the following work?

allow-transfer { key key-slave-1; key key-slave-2; };


Only relevant slaves have the various keys, so do you need to have the
IPs mentioned here?


On 05/12/10 18:10, pgngw+dev001+bind-us...@f-m.fm wrote:
 i've bind9 running as a primaryhost to a number of bind-andb-other
 slaves.

 i'm trying to set up to use different TSIG keys with different
 secondaries.

 in my named.conf, i've

   ...
   acl acl_slave_1 { 1.1.1.1; };
   acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; };
   ...
   zone test.com {
   type master; file /master/test.com.hosts;
   allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
   !{!acl_slave_2;}; key key-slave-2; }; };
   allow-update { none; };
   };
   ...
   key key-slave-1 { algorithm hmac-md5; secret Cf...g==; };
   key key-slave-2 { algorithm hmac-md5; secret rl...8==; };

 in this conf, IXFR to 1.1.1.1 with TSIG works as expected.  but, *NO*
 IXFR occurs to any slave in acl_slave_2{}.

 if, however, I change to

   --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
   !{!acl_slave_2;}; key key-slave-2; }; };
   +++ allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
   !{!2.2.2.2;}; key key-slave-2; }; };

 IXFR to 1.1.1.1  2.2.2.2 both occur OK with TSIG.

 also, with

   --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; {
   !{!acl_slave_2;}; key key-slave-2; }; };
   --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; };
   acl_slave_2; };

 IXFR to 1.1.1.1 with TSIG  to all slaves in acl_slave_2{}, without
 TSIG, both occur OK.

 what's the right syntax for enabling IXFR to the entire TSIG- 
 IP-restricted set of hosts in acl_slave_2{}?
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!! 

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread pgngw+dev001+bind-users 
hi,

On Sun, 05 Dec 2010 19:16 +0100, Sten Carlsen st...@s-carlsen.dk
wrote:
 Given that you control your key distribution correctly and safely, would
 the following work?
 
 allow-transfer { key key-slave-1; key key-slave-2; };
 
 
 Only relevant slaves have the various keys, so do you need to have the
 IPs mentioned here?

the goal is to have both IP-  key- restrictions in place.

fwiw, the orig example i found for this was @:
https://lists.isc.org/pipermail/bind-users/2009-April/075985.html

thanks!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread Evan Hunt 
 what's the right syntax for enabling IXFR to the entire TSIG- 
 IP-restricted set of hosts in acl_slave_2{}?

I haven't tested this, but I think it will do what you want:

allow-transfer {
{ !{ !1.1.1.1; any; }; key key1; };
{ !{ !2.2.2.2; !3.3.3.3; !4.4.4.4; any; }; key key2; };
};

If you want to use named ACLs, then I think you need to define them
backwards, to reject not accept, something like this:

# pass through any host except slave1 hosts
acl notslave1 { !1.1.1.1; any; };

# pass through any host except slave2 hosts
acl notslave2 { !2.2.2.2; !3.3.3.3; !4.4.4.4; any; };

allow-transfer {
{ !notslave1; key key1; };
{ !notslave2; key key2; };
none;
};

I wrote an explanation of BIND ACLs on this list a few years back that
you may find helpful in explaining the syntactic insanity:

http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?

2010-12-05 Thread pgngw+dev001+bind-users 

hi,

On Sun, 05 Dec 2010 20:57 +, Evan Hunt e...@isc.org wrote:
 I haven't tested this, but I think it will do what you want:
...
 allow-transfer {
 { !notslave1; key key1; };
 { !notslave2; key key2; };
 none;
 };

this !acl format works, but only in the single ACL case.  i.e.,

  allow-transfer { { !notslave1; key key1; }; none; };
  allow-transfer { { !notslave2; key key2; }; none; };

both work as expected.  but,

  allow-transfer { { !notslave1; key key1; }; { !notslave2; key key2; };
  none; };

only enables AXFR to slave1 -- slave2 no longer seems to initiate any
transfers, as if it's not getting any notify.

still poking around ...

 I wrote an explanation of BIND ACLs on this list a few years back that
 you may find helpful in explaining the syntactic insanity:
 
 http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html

yes, to 'insanity', and yes to 'helpful'.  thanks!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Security Advisory Regarding Unexpected ACL Behavior in BIND 9.7.2

2010-09-28 Thread Mark Andrews 

Security Advisory Regarding Unexpected ACL Behavior in BIND 9.7.2

Description: There was a  flaw where the wrong ACL was applied. This  
flaw could allow access to a cache via recursion even though the ACL  
disallowed it.

CVE:  pending

CERT:  pending

Posting date:  2010-09-28

Program Impacted:  BIND

Versions affected:  9.7.2 through 9.7.2-P1

Severity:  low

Exploitable:  remotely

Impact: Unintended availability of cache data.

Workaround: Upgrade to BIND 9.7.2-P2. No other workaround is currently  
known.

Risk Assessment:  This bug is primarily a risk to operators running  
both authoritative and recursive DNS on the same BIND server in the  
same view.

Acknowledgements: Thank you to Alexandre Simon for finding and  
testing  this issue.

For more information on BIND 9.7.2-P2, Release notes can be found at:
http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html

Please address questions or concerns to laris...@isc.org or
security-offi...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

ACL for forward zone

2010-07-12 Thread Prabhat Rana 
Hello all,
I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder for a 
certain internal private IP zone to a certain internal DNS severs. In the 
meantime I need to use certain ACL so that it would forward the queries and 
reply to them only from certain IP address clients. So I used the following 
conifgs in named.conf

acl Internal {10.0.1.0/24)


zone 10.in-addr.arpa in {
type forward;
forwarders { 1.2.3.4; 5.6.7.8; };
allow-query { Internal; };

However  it appears I can't use 'allow query' option in forward zone as seen in 
the syslog
/etc/named.conf:102: option 'allow-query' is not allowed in 'forward' zone 
'10.in-addr.arpa'

Basically you know what I'm trying to achieve. So if anyone has any tip how can 
I use forward from the clients only within certain IP address range, that would 
be great.

Prabhat.



  
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ACL for forward zone

2010-07-12 Thread Nuno Paquete 

Hi Prabhat,

I think you don't need this ACL in your forwarder server, define it on  
the authoritative server (1.2.3.4 and 5.6.7.8, according to your  
example).


Regards,
Nuno Paquete

No dia 2010/07/12, às 19:27, Prabhat Rana prana9...@yahoo.com  
escreveu:



Hello all,
I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder  
for a certain internal private IP zone to a certain internal DNS  
severs. In the meantime I need to use certain ACL so that it would  
forward the queries and reply to them only from certain IP address  
clients. So I used the following conifgs in named.conf


acl Internal {10.0.1.0/24)


zone 10.in-addr.arpa in {
   type forward;
   forwarders { 1.2.3.4; 5.6.7.8; };
   allow-query { Internal; };

However  it appears I can't use 'allow query' option in forward zone  
as seen in the syslog
/etc/named.conf:102: option 'allow-query' is not allowed in  
'forward' zone '10.in-addr.arpa'


Basically you know what I'm trying to achieve. So if anyone has any  
tip how can I use forward from the clients only within certain IP  
address range, that would be great.


Prabhat.




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ACL for forward zone

2010-07-12 Thread Prabhat Rana 
Hi Nuno,
Thanks for the response. However, I don't own the authoritative servers. And 
the clients that I am serving don't have direct access to the authoritative 
servers.

Prabhat.

--- On Mon, 7/12/10, Nuno Paquete nunopaqu...@lusocargo.pt wrote:

 From: Nuno Paquete nunopaqu...@lusocargo.pt
 Subject: Re: ACL for forward zone
 To: Prabhat Rana prana9...@yahoo.com
 Cc: bind-users@lists.isc.org
 Date: Monday, July 12, 2010, 4:17 PM
 Hi Prabhat,
 
 I think you don't need this ACL in your forwarder server,
 define it on  
 the authoritative server (1.2.3.4 and 5.6.7.8, according to
 your  
 example).
 
 Regards,
 Nuno Paquete
 
 No dia 2010/07/12, às 19:27, Prabhat Rana prana9...@yahoo.com 
 
 escreveu:
 
  Hello all,
  I have BIND 9.7.1 installed in Solaris 10. I need to
 use a forwarder  
  for a certain internal private IP zone to a certain
 internal DNS  
  severs. In the meantime I need to use certain ACL so
 that it would  
  forward the queries and reply to them only from
 certain IP address  
  clients. So I used the following conifgs in
 named.conf
 
  acl Internal {10.0.1.0/24)
 
 
  zone 10.in-addr.arpa in {
         type forward;
         forwarders { 1.2.3.4;
 5.6.7.8; };
         allow-query { Internal;
 };
 
  However  it appears I can't use 'allow query'
 option in forward zone  
  as seen in the syslog
  /etc/named.conf:102: option 'allow-query' is not
 allowed in  
  'forward' zone '10.in-addr.arpa'
 
  Basically you know what I'm trying to achieve. So if
 anyone has any  
  tip how can I use forward from the clients only within
 certain IP  
  address range, that would be great.
 
  Prabhat.
 
 
 
 
  ___
  bind-users mailing list
  bind-users@lists.isc.org
  https://lists.isc.org/mailman/listinfo/bind-users

 


  
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ACL for forward zone

2010-07-12 Thread Richard Tom 

The syntax for a forward zone is:

zone domain_name http://www.bind9.net/doc-v8/docdef.html [ ( in | hs | hesiod | chaos ) ] { 
 type forward;

 [ forward ( only | first ); ]
 [ forwarders { [ ip_addr http://www.bind9.net/doc-v8/docdef.html ; [ ip_addr 
; ... ] ] }; ]
 [ check-names ( warn | fail | ignore ); ]
};


For the kind of access control you're trying to achieve, use a view.  
The syntax is as follows.

view view_name
[class] {
match-clients { address_match_list };
match-destinations { address_match_list };
match-recursive-only yes_or_no ;
[ view_option; ...]
[ zone_statement; ...]
};

Do some perusing of the Administrator's Reference Manual (ARM).  You 
might find the information in there quite useful.


Regards,
Richard

Prabhat Rana wrote:

Hi Nuno,
Thanks for the response. However, I don't own the authoritative servers. And 
the clients that I am serving don't have direct access to the authoritative 
servers.

Prabhat.

--- On Mon, 7/12/10, Nuno Paquete nunopaqu...@lusocargo.pt wrote:

  

From: Nuno Paquete nunopaqu...@lusocargo.pt
Subject: Re: ACL for forward zone
To: Prabhat Rana prana9...@yahoo.com
Cc: bind-users@lists.isc.org
Date: Monday, July 12, 2010, 4:17 PM
Hi Prabhat,

I think you don't need this ACL in your forwarder server,
define it on  
the authoritative server (1.2.3.4 and 5.6.7.8, according to
your  
example).


Regards,
Nuno Paquete

No dia 2010/07/12, às 19:27, Prabhat Rana prana9...@yahoo.com 


escreveu:



Hello all,
I have BIND 9.7.1 installed in Solaris 10. I need to
  
use a forwarder  


for a certain internal private IP zone to a certain
  
internal DNS  


severs. In the meantime I need to use certain ACL so
  
that it would  


forward the queries and reply to them only from
  
certain IP address  


clients. So I used the following conifgs in
  

named.conf


acl Internal {10.0.1.0/24)


zone 10.in-addr.arpa in {
type forward;
forwarders { 1.2.3.4;
  

5.6.7.8; };


allow-query { Internal;
  

};


However  it appears I can't use 'allow query'
  
option in forward zone  


as seen in the syslog
/etc/named.conf:102: option 'allow-query' is not
  
allowed in  


'forward' zone '10.in-addr.arpa'

Basically you know what I'm trying to achieve. So if
  
anyone has any  


tip how can I use forward from the clients only within
  
certain IP  


address range, that would be great.

Prabhat.




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
  


  



  
___

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

  


The information transmitted in this email and any of its attachments is 
intended only for the person or entity to which it is addressed and may contain 
Cablevision proprietary information, which is privileged, confidential, or 
subject to copyright belonging to Cablevision. Any review, retransmission, 
dissemination or other use of, or taking of any action in reliance upon, this 
information by persons or entities other than the intended recipient is 
prohibited and may be unlawful. If you received this in error, please contact 
the sender immediately and delete and destroy the communication and all of the 
attachments you have received and all copies thereof.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

any IPv6 ACL for BIND

2010-03-30 Thread ivan jr sy 
hi all,

is there a built-in ACL that represents any IPv6 connection?

I have some experiment with allow-query { aclhere; };

where aclhere represents any IPv6 network, anywhere from the Internet.

If there's no built-in, what is the best way to come up with an equivalent?

Thanks!


  
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: any IPv6 ACL for BIND

2010-03-30 Thread Evan Hunt 
 If there's no built-in, what is the best way to come up with an equivalent?

I think this will work:

acl any6 { ::0/0; };
acl any4 { 0.0.0.0/0; };

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: check-names vs. acl

2010-02-26 Thread Matus UHLAR - fantomas 
 In message 20100225123134.gb2...@fantomas.sk, Matus UHLAR - fantomas writes:
  On 25.02.10 12:01, Matus UHLAR - fantomas wrote:
   I see that hosts that are not allowed to recurse are often generating
   check-named errors.
  
  check-names it is.
  
  I apparently too often use named so I do this king of mistypes.
  
   I wonder if it wouldn't be better to check ACL's first and check-names 
   just
   after it?

On 26.02.10 13:08, Mark Andrews wrote:
 It really depends what's more important for you to see.  Whether
 you got a recursive query that didn't match a acl or a query that
 failed check-names.  Both get REFUSED so the client can't tell the
 difference.

I personally don't care about broken requests from unknown IPs and would
like to log them as unauthorized, not invalid requests.
My question is if this is acceptable and doable.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of. 
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

check-named vs. acl

2010-02-25 Thread Matus UHLAR - fantomas 
Hello,

I see that hosts that are not allowed to recurse are often generating
check-named errors.

I wonder if it wouldn't be better to check ACL's first and check-names just
after it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name. 
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

check-names vs. acl

2010-02-25 Thread Matus UHLAR - fantomas 
On 25.02.10 12:01, Matus UHLAR - fantomas wrote:
 I see that hosts that are not allowed to recurse are often generating
 check-named errors.

check-names it is.

I apparently too often use named so I do this king of mistypes.

 I wonder if it wouldn't be better to check ACL's first and check-names just
 after it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you. 
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: check-names vs. acl

2010-02-25 Thread Mark Andrews 

In message 20100225123134.gb2...@fantomas.sk, Matus UHLAR - fantomas writes:
 On 25.02.10 12:01, Matus UHLAR - fantomas wrote:
  I see that hosts that are not allowed to recurse are often generating
  check-named errors.
 
 check-names it is.
 
 I apparently too often use named so I do this king of mistypes.
 
  I wonder if it wouldn't be better to check ACL's first and check-names just
  after it?

It really depends what's more important for you to see.  Whether
you got a recursive query that didn't match a acl or a query that
failed check-names.  Both get REFUSED so the client can't tell the
difference.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problems with include in acl file

2009-10-19 Thread Joseph S D Yao 
On Sun, Oct 18, 2009 at 03:35:34PM +0100, Chris Thompson wrote:
...
 As long ago as BIND 9.2, you'll find this in the CHANGES file:
 
  764.   [func]  Configuration files now allow include directives
 in more places, such as inside the view statement.
 [RT #377, #728, #860]
 
 Roughly, include can occur instead of a keyword in any list where all
 list elements are introduced by keywords; e.g. view, options, logging,
 zone. But not acl because the elements there do not (in general) start
 with keywords.


Yes.  I meant to say, wherever statements are legal.  I did not note
that there are statements that allow other statements inside themselves;
only inside such statements are other statements legal.  There are
specifically documented lists of which are legal within which; I do not
remember if those lists are complete - in the light of changes being
made, I would not be surprised either way.


 For the whole truth, you need to look at lib/isccfg/namedconf.c and
 lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody
 in the latter gets called :-(


As I've said before, only the code never lies.  But it may take some
exegesis.


-- 
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problems with include in acl file

2009-10-19 Thread Matus UHLAR - fantomas 
On 19.10.09 09:49, Mark Andrews wrote:
 acl's can include other acls.
 I'm having a hard time seeing why you need to include a file here.
 
 include custom.acl; // defines acl customacl
 
 acl hdanets {
   92.168.1.0/24; // hda network
   customacl;
 };

otoh, it could ease configuration of multiple files if only plain IP/CIRD
list could be loaded within an ACL statement...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have. 
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problems with include in acl file

2009-10-18 Thread Chris Thompson 

On Oct 18 2009, Joseph S D Yao wrote:


On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote:
I am trying to build up an environment where the user can maintain 
custom files and leave the basic files alone.


So I have a named.acl that works, I add an include line:

acl hdanets {
192.168.1.0/24; // hda network
include custom.acl;
};


and get the error:

Starting named:
Error in named configuration:
named.acl:3: missing ';' before ''

...


Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf,
it seems to me that include is a statement, and needs to be parsed
outside of any other statements, not inside a statement.  


That's what it *says* ... but it is being economical with the truth!


 Inside the
acl statement the parser would expect to see IP addresses, networks in
the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword
key, and the names of other ACLs.  When it encounters the word
include in this context, it parses it as the name of an ACL - after
which, the '' is out of place.


As long ago as BIND 9.2, you'll find this in the CHANGES file:

764.   [func]  Configuration files now allow include directives
   in more places, such as inside the view statement.
   [RT #377, #728, #860]

Roughly, include can occur instead of a keyword in any list where all
list elements are introduced by keywords; e.g. view, options, logging,
zone. But not acl because the elements there do not (in general) start
with keywords.

For the whole truth, you need to look at lib/isccfg/namedconf.c and
lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody
in the latter gets called :-(

--
Chris Thompson
Email: c...@cam.ac.uk
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problems with include in acl file

2009-10-18 Thread Robert Moskowitz 



Chris Thompson wrote:

On Oct 18 2009, Joseph S D Yao wrote:


On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote:
I am trying to build up an environment where the user can maintain 
custom files and leave the basic files alone.


So I have a named.acl that works, I add an include line:

acl hdanets {
192.168.1.0/24; // hda network
include custom.acl;
};


and get the error:

Starting named:
Error in named configuration:
named.acl:3: missing ';' before ''

...


Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf,
it seems to me that include is a statement, and needs to be parsed
outside of any other statements, not inside a statement.  


That's what it *says* ... but it is being economical with the truth!


 Inside the
acl statement the parser would expect to see IP addresses, networks in
the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword
key, and the names of other ACLs.  When it encounters the word
include in this context, it parses it as the name of an ACL - after
which, the '' is out of place.


As long ago as BIND 9.2, you'll find this in the CHANGES file:

764.   [func]  Configuration files now allow include directives
   in more places, such as inside the view 
statement.

   [RT #377, #728, #860]

Roughly, include can occur instead of a keyword in any list where all
list elements are introduced by keywords; e.g. view, options, 
logging,
zone. But not acl because the elements there do not (in general) 
start

with keywords.


Oh, fiddlesticks  ;)'

This complicates matters.  It would have made it very easy to bootstrap 
into this process if this was supported.




For the whole truth, you need to look at lib/isccfg/namedconf.c and
lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody
in the latter gets called :-( 


I am not much into reading c code.  I never really programmed in c.  Did 
do some programming in b


So reading someone elses script and recommending changes has been 
challenging enough!



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problems with include in acl file

2009-10-18 Thread Mark Andrews 

In message 4adb44a5.2060...@htt-consult.com, Robert Moskowitz writes:
 
 
 Chris Thompson wrote:
  On Oct 18 2009, Joseph S D Yao wrote:
 
  On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote:
  I am trying to build up an environment where the user can maintain 
  custom files and leave the basic files alone.
 
  So I have a named.acl that works, I add an include line:
 
  acl hdanets {
  192.168.1.0/24; // hda network
  include custom.acl;
  };
 
 
  and get the error:
 
  Starting named:
  Error in named configuration:
  named.acl:3: missing ';' before ''
  ...
 
 
  Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf,
  it seems to me that include is a statement, and needs to be parsed
  outside of any other statements, not inside a statement.  
 
  That's what it *says* ... but it is being economical with the truth!
 
   Inside the
  acl statement the parser would expect to see IP addresses, networks in
  the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword
  key, and the names of other ACLs.  When it encounters the word
  include in this context, it parses it as the name of an ACL - after
  which, the '' is out of place.
 
  As long ago as BIND 9.2, you'll find this in the CHANGES file:
 
  764.   [func]  Configuration files now allow include directives
 in more places, such as inside the view 
  statement.
 [RT #377, #728, #860]
 
  Roughly, include can occur instead of a keyword in any list where all
  list elements are introduced by keywords; e.g. view, options, 
  logging,
  zone. But not acl because the elements there do not (in general) 
  start
  with keywords.
 
 Oh, fiddlesticks  ;)'
 
 This complicates matters.  It would have made it very easy to bootstrap 
 into this process if this was supported.

acl's can include other acls.
I'm having a hard time seeing why you need to include a file here.

include custom.acl;   // defines acl customacl

acl hdanets {
92.168.1.0/24; // hda network
customacl;
};

  For the whole truth, you need to look at lib/isccfg/namedconf.c and
  lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody
  in the latter gets called :-( 
 
 I am not much into reading c code.  I never really programmed in c.  Did 
 do some programming in b
 
 So reading someone elses script and recommending changes has been 
 challenging enough!
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problems with include in acl file

2009-10-18 Thread Robert Moskowitz 

Mark Andrews wrote:

In message 4adb44a5.2060...@htt-consult.com, Robert Moskowitz writes:
  

Chris Thompson wrote:


On Oct 18 2009, Joseph S D Yao wrote:

  

On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote:

I am trying to build up an environment where the user can maintain 
custom files and leave the basic files alone.


So I have a named.acl that works, I add an include line:

acl hdanets {
192.168.1.0/24; // hda network
include custom.acl;
};


and get the error:

Starting named:
Error in named configuration:
named.acl:3: missing ';' before ''
  

...


Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf,
it seems to me that include is a statement, and needs to be parsed
outside of any other statements, not inside a statement.  


That's what it *says* ... but it is being economical with the truth!

  

 Inside the
acl statement the parser would expect to see IP addresses, networks in
the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword
key, and the names of other ACLs.  When it encounters the word
include in this context, it parses it as the name of an ACL - after
which, the '' is out of place.


As long ago as BIND 9.2, you'll find this in the CHANGES file:

764.   [func]  Configuration files now allow include directives
   in more places, such as inside the view 
statement.

   [RT #377, #728, #860]

Roughly, include can occur instead of a keyword in any list where all
list elements are introduced by keywords; e.g. view, options, 
logging,
zone. But not acl because the elements there do not (in general) 
start

with keywords.
  

Oh, fiddlesticks  ;)'

This complicates matters.  It would have made it very easy to bootstrap 
into this process if this was supported.



acl's can include other acls.
I'm having a hard time seeing why you need to include a file here.

include custom.acl; // defines acl customacl

acl hdanets {
92.168.1.0/24; // hda network
customacl;
};
  


Neat.

Though I solved the problem by having 2 includes in named.conf, for 
named.acl and custom.acl.  Then in the view, I listed two variables:  
hdanets; customnets


So is the case of six of one, half-a-dozen of the other?  That is they 
are equal solutions to this situation?


As for why I am doing this, hdanets.acl is built by the system's script 
that I have no control over.  It will contain what the script has on my 
internal networks.  It only supports one network.  But some users of 
this system (like me) have a number of internal networks that we want to 
be able to access this system, so custom.acl is outside of the 
controlling script and can be maintained by an informed installer, like 
me.  There is also a custom-zone.conf and custom-n2a.zone and 
custom-a2n.zone...


As we improve the system, there will be less need for these, but I 
believe they will always be needed.


Oh, the system this is for is AMAHI.ORG.

  

For the whole truth, you need to look at lib/isccfg/namedconf.c and
lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody
in the latter gets called :-( 
  
I am not much into reading c code.  I never really programmed in c.  Did 
do some programming in b


So reading someone elses script and recommending changes has been 
challenging enough!



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Problems with include in acl file

2009-10-17 Thread Robert Moskowitz 
I am trying to build up an environment where the user can maintain 
custom files and leave the basic files alone.


So I have a named.acl that works, I add an include line:

acl hdanets {
   192.168.1.0/24; // hda network
   include custom.acl;
};


and get the error:

Starting named:
Error in named configuration:
named.acl:3: missing ';' before ''
  [FAILED]


The file custom.acl exists and it contains:

   192.168.2.0/24;

Perhaps includes are not allowed in .acl files?


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Problems with include in acl file

2009-10-17 Thread Joseph S D Yao 
On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote:
 I am trying to build up an environment where the user can maintain 
 custom files and leave the basic files alone.
 
 So I have a named.acl that works, I add an include line:
 
 acl hdanets {
 192.168.1.0/24; // hda network
 include custom.acl;
 };
 
 
 and get the error:
 
 Starting named:
 Error in named configuration:
 named.acl:3: missing ';' before ''
...


Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf,
it seems to me that include is a statement, and needs to be parsed
outside of any other statements, not inside a statement.  Inside the
acl statement the parser would expect to see IP addresses, networks in
the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword
key, and the names of other ACLs.  When it encounters the word
include in this context, it parses it as the name of an ACL - after
which, the '' is out of place.

It seems to me.

[Hmmm ... one can include {lists; in; braces;}; inside ACL lists - I'm
not sure how this is useful here.]

Another way of saying this - unlike in the C language, where #include
is part of a meta-language pre-processor run before the actual language
processor, in the configuration file, include is a part of the actual
language being parsed, and so must appear only where it's expected, and
not at any random position.

I hope that this helps.


-- 
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

ACL ?

2009-03-23 Thread John D. Vo 

Greetings:

Trying to implement acl in my named.conf... for Bind 9.2.2

acl eagle { 192.168.1.0/24; localhost; };

But when I issued an reload, I got:

Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] 
/etc/named.conf:2: unknown option 'acl'
Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading 
configuration failed: failure



Help?

Thanks.

--


Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016

---


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ACL ?

2009-03-23 Thread John D. Vo 




Worked like a charm. 
Thanks.

-John

Alan Clegg wrote:

  John D. Vo wrote:
  
  
Greetings:

Trying to implement acl in my named.conf... for Bind 9.2.2

acl eagle { 192.168.1.0/24; localhost; };

But when I issued an reload, I got:

Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error]
/etc/named.conf:2: unknown option 'acl'
Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading
configuration failed: failure

  
  
Move the ACL out of the options { } stanza.

AlanC

  



-- 


Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016

---




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ACL ?

2009-03-23 Thread Mark Andrews 

In message 49c79d6b.7060...@eagle.net, John D. Vo writes:
 Greetings:
 
 Trying to implement acl in my named.conf... for Bind 9.2.2
 
 acl eagle { 192.168.1.0/24; localhost; };
 
 But when I issued an reload, I got:
 
 Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] 
 /etc/named.conf:2: unknown option 'acl'
 Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading 
 configuration failed: failure

You have the acl in the wrong place in named.conf.  It should be
like:

acl {

};
options {

};

not

options {
acl { ... };
...
};

Mark
 
 
 Help?
 
 Thanks.
 
 -- 
 
 
 Best Regards,
 
 John D. Vo
 Eagle Teleconferencing Services, Inc.
 Network-System Administrator
 j...@eagle.net
 Office: (212) 200-2000 Ext. 105
 Cell: (212) 200-3016
 
 ---
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: ACL ?

2009-03-23 Thread Chris Thompson 

On Mar 23 2009, John D. Vo wrote:


Trying to implement acl in my named.conf... for Bind 9.2.2

acl eagle { 192.168.1.0/24; localhost; };

But when I issued an reload, I got:

Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] 
/etc/named.conf:2: unknown option 'acl'
Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading 
configuration failed: failure


Well, you ought to have let us see what was in line 1 of /etc/named.conf,
but I guess you have put your ACL definition inside the options 
statement. It should be a separate statement.


A couple of points:

1. You can (and should) test a new named.conf for syntax errors in 
  advance by using the named-checkconf program.


2. BIND 9.2.2 is very very old. The whole of the 9.2.x series is EOL
  (and that was after 9.2.9). It's long past time that you upgraded.

--
Chris Thompson
Email: c...@cam.ac.uk

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: nsupdate ACL based on a key AND ip-subnet

2008-11-17 Thread Niall O'Reilly 
On Fri, 2008-11-14 at 17:35 -0800, Chris Buxton wrote:
 Use a firewall (with deep packet inspection) to restrict by subnet.  
 Then use the TSIG key in the allow-update statement.
 
 Unfortunately, to my knowledge, that's the only way to do this.

Wouldn't using a BIND view to restrict by subnet work instead
of a firewall?

/Niall


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

  1   2   >