Re: acl in also-nofify
Hi both. You can't do it using ACLs. But you can do it using primaries. This is hinted at in the section about the primaries statement, but not clearly expanded on. For example: # define a primaries list called "also-notifed" (or anything you like). Define as many lists as you need. primaries also-notified {a.b.c.d; e.f.g.h;}; ... zone "example.com { type primary; file "db.example.com"; # apply the primaries list (or lists) to the also-notify statement. also-notify {also-notified;}; }; I hope that helps. Cheers, Greg On Thu, 8 Feb 2024 at 21:55, Elmar K. Bins wrote: > Randy, > > ra...@psg.com (Randy Bush) wrote: > > > can i use an acl{} or other macro in `also-notify`? i have a bunch of > > zones where i want the same `also-notify` list. > > Been running into the same issue and tried to find out. My master lists > and acls > are identical as yours seem to be. I've been told that internally they are > very > different and handled differently, so I had to duplicate my work (yes, > they're > copy+paste for me) :-( > > Best, > Elmar. > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: acl in also-nofify
Randy, ra...@psg.com (Randy Bush) wrote: > can i use an acl{} or other macro in `also-notify`? i have a bunch of > zones where i want the same `also-notify` list. Been running into the same issue and tried to find out. My master lists and acls are identical as yours seem to be. I've been told that internally they are very different and handled differently, so I had to duplicate my work (yes, they're copy+paste for me) :-( Best, Elmar. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
acl in also-nofify
have spent a bit searching but no result. so ... can i use an acl{} or other macro in `also-notify`? i have a bunch of zones where i want the same `also-notify` list. thanks randy -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: acl type construct for update-policy
On 11/10/2021 6:25 AM, Giddings, Bret wrote: Is there any other facility for including effectively the same grant statements within multiple zones? I am not aware of any -- Do things because you should, not just because you can. John Thurston907-465-8591 john.thurs...@alaska.gov Department of Administration State of Alaska ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
acl type construct for update-policy
Hello, I want to use the same update-policy grant statements multiple times in different zones and would therefore prefer to use something like an ACL. It doesn’t appear to be the case that you can create something like acl “FOO” { grant EXAMPLE.COM krb5-self . A ; grant * tcp-self . PTR(1); }; Then use it in your zone zone EXAMPLE.COM { …. update-policy { FOO; }; … }; Nor can you use an ‘include’ within the zone statement to include the relevant ‘grant’ statements from an external file. Is there any other facility for including effectively the same grant statements within multiple zones? Many thanks, Bret ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Syntax for ECS ACL Entry
FTR The PROXY protocol is on the todo list, but the demand hasn’t been great so it’s more in the “patches accepted” area then something that’s just around the corner… -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 2. 9. 2021, at 20:27, Ryan McGuire > wrote: > > Thank you, in my searching I failed to come across that. > > Do you know if it's been replaced by something more "practical to deploy"? I > found some discussion regarding support for "The PROXY Protocol" > (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) but I don't > believe it's planned. This seems like such a common scenario, I'm surprised > the support that was there was removed but not replaced by anything. I > suppose it is open-source software and I'm free to port it into 9.16, but > this isn't a big enough problem for me personally to justify the time spent. > > -Ryan > > On 9/2/21 2:16 PM, Evan Hunt wrote: >>> I did compile 9.16.20 from source since the latest in Debian repos is >>> 9.16.15 but the result is the same. The doc snippet in my original email >>> was from 9.11 docs -- could this feature not have been brought forward >>> into 9.16 at all? The only related documented removed feature is >>> geoip-use-ecs. >> It was actually removed in 9.14: >> >> 4952. [func] Authoritative server support in named for the >> EDNS CLIENT-SUBNET option (which was experimental >> and not practical to deploy) has been removed. >> >> The ECS option is still supported in dig and mdig >> via the +subnet option, and can be parsed and logged >> when received by named, but it is no longer used >> for ACL processing. The "geoip-use-ecs" option >> is now obsolete; a warning will be logged if it is >> used in named.conf. "ecs" tags in an ACL definition >> are also obsolete and will cause the configuration >> to fail to load. [GL #32] >> >> Sorry about the inadequate documentation. There's a mechanism for flagging >> obsolete options in named.conf and logging a useful message about them, but >> it's not so straightforward when the option is still valid but the >> parameters have changed. >> > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Syntax for ECS ACL Entry
In this case I use dnsdist (by PowerDNS) for load balancing and failover -- requests are balanced between my internal bind9 servers, and if they are all down queries go to public DNS directly to avoid a total outage. The challenge here is that the source IP for all requests is now coming from dnsdist. They have an article here: https://dnsdist.org/advanced/passing-source-address.html that mentions the functionality supported in dnsdist, but there is no overlap with bind9 -- well, there was apparently up to 9.14, but it's since been removed. Bind is still able to parse (and present) the ECS to you, that works great, but the plumbing into the acl is what is needed to serve up a separate view by source client. Being realistic, this is not a large deployment, if it's an edge case then it is surely not worth anyone's time to add support back in. Thank you again for the replies. -Ryan On 9/2/21 2:42 PM, Evan Hunt wrote: On Thu, Sep 02, 2021 at 02:26:59PM -0400, Ryan McGuire wrote: Thank you, in my searching I failed to come across that. Do you know if it's been replaced by something more "practical to deploy"? I found some discussion regarding support for "The PROXY Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) but I don't believe it's planned. This seems like such a common scenario, I'm surprised the support that was there was removed but not replaced by anything. I suppose it is open-source software and I'm free to port it into 9.16, but this isn't a big enough problem for me personally to justify the time spent. We do have support for recursive ECS processing in the special-sauce version of BIND we charge money for, but there hasn't been enough demand for support on the authoritiatve side to make it worth the development effort so far. But I would encourage you to put in a feature request with details about your use case, and we'll consider it in the future. Unfortunately, the older auth support was terribly space-inefficient, and also didn't comply with the RFC, so it kind of had to go. I'm not sure which of the open-source auth servers currently have ECS support. PowerDNS maybe? And a quick google search just suggested one called gdnsd, which I hadn't heard of before. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Syntax for ECS ACL Entry
On Thu, Sep 02, 2021 at 02:26:59PM -0400, Ryan McGuire wrote: > Thank you, in my searching I failed to come across that. > > Do you know if it's been replaced by something more "practical to > deploy"? I found some discussion regarding support for "The PROXY > Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) > but I don't believe it's planned. This seems like such a common > scenario, I'm surprised the support that was there was removed but not > replaced by anything. I suppose it is open-source software and I'm free > to port it into 9.16, but this isn't a big enough problem for me > personally to justify the time spent. We do have support for recursive ECS processing in the special-sauce version of BIND we charge money for, but there hasn't been enough demand for support on the authoritiatve side to make it worth the development effort so far. But I would encourage you to put in a feature request with details about your use case, and we'll consider it in the future. Unfortunately, the older auth support was terribly space-inefficient, and also didn't comply with the RFC, so it kind of had to go. I'm not sure which of the open-source auth servers currently have ECS support. PowerDNS maybe? And a quick google search just suggested one called gdnsd, which I hadn't heard of before. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Syntax for ECS ACL Entry
Thank you, in my searching I failed to come across that. Do you know if it's been replaced by something more "practical to deploy"? I found some discussion regarding support for "The PROXY Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) but I don't believe it's planned. This seems like such a common scenario, I'm surprised the support that was there was removed but not replaced by anything. I suppose it is open-source software and I'm free to port it into 9.16, but this isn't a big enough problem for me personally to justify the time spent. -Ryan On 9/2/21 2:16 PM, Evan Hunt wrote: I did compile 9.16.20 from source since the latest in Debian repos is 9.16.15 but the result is the same. The doc snippet in my original email was from 9.11 docs -- could this feature not have been brought forward into 9.16 at all? The only related documented removed feature is geoip-use-ecs. It was actually removed in 9.14: 4952. [func] Authoritative server support in named for the EDNS CLIENT-SUBNET option (which was experimental and not practical to deploy) has been removed. The ECS option is still supported in dig and mdig via the +subnet option, and can be parsed and logged when received by named, but it is no longer used for ACL processing. The "geoip-use-ecs" option is now obsolete; a warning will be logged if it is used in named.conf. "ecs" tags in an ACL definition are also obsolete and will cause the configuration to fail to load. [GL #32] Sorry about the inadequate documentation. There's a mechanism for flagging obsolete options in named.conf and logging a useful message about them, but it's not so straightforward when the option is still valid but the parameters have changed. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Syntax for ECS ACL Entry
> I did compile 9.16.20 from source since the latest in Debian repos is > 9.16.15 but the result is the same. The doc snippet in my original email > was from 9.11 docs -- could this feature not have been brought forward > into 9.16 at all? The only related documented removed feature is > geoip-use-ecs. It was actually removed in 9.14: 4952. [func] Authoritative server support in named for the EDNS CLIENT-SUBNET option (which was experimental and not practical to deploy) has been removed. The ECS option is still supported in dig and mdig via the +subnet option, and can be parsed and logged when received by named, but it is no longer used for ACL processing. The "geoip-use-ecs" option is now obsolete; a warning will be logged if it is used in named.conf. "ecs" tags in an ACL definition are also obsolete and will cause the configuration to fail to load. [GL #32] Sorry about the inadequate documentation. There's a mechanism for flagging obsolete options in named.conf and logging a useful message about them, but it's not so straightforward when the option is still valid but the parameters have changed. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Syntax for ECS ACL Entry
I did compile 9.16.20 from source since the latest in Debian repos is 9.16.15 but the result is the same. The doc snippet in my original email was from 9.11 docs -- could this feature not have been brought forward into 9.16 at all? The only related documented removed feature is geoip-use-ecs. -Ryan On 9/2/21 10:06 AM, Ryan McGuire wrote: I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a view. The views are working well, and the ECS is read by bind9 (see log below), but I can't seem to find a syntax for adding an ecs entry into an acl. Here is what I've tried: acl "filtered" { 192.168.0.90; 192.168.0.91; 192.168.0.92; 192.168.0.93; * ecs 192.168.99.0/24;* }; view filtered-view { match-clients { filtered; }; {...} When I try to start bind with this config, I get the following error: /etc/bind/named.conf.local:6: missing ';' before '192.168.99.0' Everything works as it should if I remove the ecs entry from the acl. I can see the ECS is being set by dnsdist when I enable query logging: client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): view filtered-view: query: elastic.mcguire.local IN A +E(0) (192.168.0.5) *[ECS 192.168.99.0/24/0]* From the docs*:* "An ACL containing an element of the form ecs prefix will match if a request arrives in containing an ECS option encoding an address within that prefix. If the request has no ECS option, then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address."* * I am running bind9 version 9.16.15. Regards, Ryan McGuire p. 260.202.0500 m. 978.501.3620 f. 260.202.0420 w. www.libretechconsulting.com <https://libretechconsulting.com> Libre Tech Consulting <https://libretechconsulting.com> ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Syntax for ECS ACL Entry
I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a view. The views are working well, and the ECS is read by bind9 (see log below), but I can't seem to find a syntax for adding an ecs entry into an acl. Here is what I've tried: acl "filtered" { 192.168.0.90; 192.168.0.91; 192.168.0.92; 192.168.0.93; * ecs 192.168.99.0/24;* }; view filtered-view { match-clients { filtered; }; {...} When I try to start bind with this config, I get the following error: /etc/bind/named.conf.local:6: missing ';' before '192.168.99.0' Everything works as it should if I remove the ecs entry from the acl. I can see the ECS is being set by dnsdist when I enable query logging: client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): view filtered-view: query: elastic.mcguire.local IN A +E(0) (192.168.0.5) *[ECS 192.168.99.0/24/0]* From the docs*:* "An ACL containing an element of the form ecs prefix will match if a request arrives in containing an ECS option encoding an address within that prefix. If the request has no ECS option, then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address."* * I am running bind9 version 9.16.15. Regards, Ryan McGuire p. 260.202.0500 m. 978.501.3620 f. 260.202.0420 w. www.libretechconsulting.com <https://libretechconsulting.com> Libre Tech Consulting <https://libretechconsulting.com> ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: GeoIP ACL
On Sun, Apr 25, 2021 at 01:47:31PM +0530, Sachchidanand Upadhyay via bind-users wrote: > I am using geoip based ACL to restrict traffic. Now I want to allow all > country traffic except two or three, like i want to allow all traffic > except country A, B and C. > > Can anyone give an example to achieve the same? match-clients { !geoip country A; !geoip country B; !geoip country C; any; }; -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
GeoIP ACL
Hi, I am using geoip based ACL to restrict traffic. Now I want to allow all country traffic except two or three, like i want to allow all traffic except country A, B and C. Can anyone give an example to achieve the same? BR, Sachchidanand ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Does bind9 support adding acl and view through commands, not by updating config file?
On Thu, Apr 15, 2021 at 03:35:38PM +0800, Zhengyu Pan wrote: > I want to implement intelligent DNS through bind9. I need to add a custom > line(IP address ranges) to bind9 using acl and view when add a user. > Because when add a tenant, i need to define a new acl and view. I don't > want to update named.conf config file frequently. > > Does bind9 support adding acl and view through commands or API, not by > updating config file? > > like the command "rndc addacl" or "rndc addview". No, and I wouldn't recommend doing this via "reconfig" either. Views don't scale well. Finding the correct view for a query is a linear search, so your performance will decline quite badly if you have more than a few views to search through. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re:Re: Re: Does bind9 support adding acl and view through commands, not by updating config file?
>do you mean, the same domains with different content, depending on clients' >IPs? That's common multiple-view setup >(nothing special or intelligent). Yes, I will create a view and acl for every client. Because every client has the unique IP address. >Why? Do you have that many clients constantly with changing IPs? > >Maybe they could use local DNS server talking to your DNS server using TSIG, >and instead of IPs you'd define TSIG keys. My client vm directly connect the dns server. There are no local servers on the road. Different client may create the same domain. So I must use IP to limit who use which view. client view can't use TSIG key. >I'm afraid for now there's no way to make this via rndc. >You'll have to generate named config per-client. I wan to know whether per-client can have own confile file that contains view and acl. Not put view and acl in named.conf. >>Updating config file frequently may affect other zones in this dns server. > >I don't understand how/why it should affect other zones. Yes, updating config file don't affect other zones. -- Thanks. Zhengyu At 2021-04-15 23:28:15, "Matus UHLAR - fantomas" wrote: >On 15.04.21 20:53, Zhengyu Pan wrote: >>The "intelligent" means that dns server return the corresponding A record IP >>address according to the source IP address of the tenants. >>My dns server is an Authoritative dns server. It hosts the zones of different >>tenants. > >do you mean, the same domains with different content, depending on clients' >IPs? That's common multiple-view setup >(nothing special or intelligent). > >>I need to update config file name.conf frequently Because The views and ACLS >>are added frequently. > >Why? Do you have that many clients constantly with changing IPs? > >Maybe they could use local DNS server talking to your DNS server using TSIG, >and instead of IPs you'd define TSIG keys. > >>So i want to know whether have commands or API to add acl and view like the >>command "rndc addacl" or "rndc addview"? > >I'm afraid for now there's no way to make this via rndc. >You'll have to generate named config per-client. > >>Updating config file frequently may affect other zones in this dns server. > >I don't understand how/why it should affect other zones. > > > >>At 2021-04-15 15:08:26, "Matus UHLAR - fantomas" wrote: >>>On 15.04.21 15:35, Zhengyu Pan wrote: >>>>I want to implement intelligent DNS through bind9. >>> >>>>I need to add a custom line(IP address ranges) to bind9 using acl and view >>>> when add a user. Because when add a tenant, i need to define a new acl >>>> and view. I don't want to update named.conf config file frequently. >>> >>>what is supposed to be intelligent there? >>> >>>I mean, why? are you going to provide recursive service to someone who pays >>>for that? >>> >>>> Does bind9 support adding acl and view through commands or API, not by >>>> updating config file? >>>> like the command "rndc addacl" or "rndc addview". >>> >>>I don't think so, looks a bit too complicated. > > >-- >Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ >Warning: I wish NOT to receive e-mail advertising to this address. >Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. >- Have you got anything without Spam in it? >- Well, there's Spam egg sausage and Spam, that's not got much Spam in it. >___ >Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe >from this list > >ISC funds the development of this software with paid support subscriptions. >Contact us at https://www.isc.org/contact/ for more information. > > >bind-users mailing list >bind-users@lists.isc.org >https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Re: Does bind9 support adding acl and view through commands, not by updating config file?
On 15.04.21 20:53, Zhengyu Pan wrote: The "intelligent" means that dns server return the corresponding A record IP address according to the source IP address of the tenants. My dns server is an Authoritative dns server. It hosts the zones of different tenants. do you mean, the same domains with different content, depending on clients' IPs? That's common multiple-view setup (nothing special or intelligent). I need to update config file name.conf frequently Because The views and ACLS are added frequently. Why? Do you have that many clients constantly with changing IPs? Maybe they could use local DNS server talking to your DNS server using TSIG, and instead of IPs you'd define TSIG keys. So i want to know whether have commands or API to add acl and view like the command "rndc addacl" or "rndc addview"? I'm afraid for now there's no way to make this via rndc. You'll have to generate named config per-client. Updating config file frequently may affect other zones in this dns server. I don't understand how/why it should affect other zones. At 2021-04-15 15:08:26, "Matus UHLAR - fantomas" wrote: On 15.04.21 15:35, Zhengyu Pan wrote: I want to implement intelligent DNS through bind9. I need to add a custom line(IP address ranges) to bind9 using acl and view when add a user. Because when add a tenant, i need to define a new acl and view. I don't want to update named.conf config file frequently. what is supposed to be intelligent there? I mean, why? are you going to provide recursive service to someone who pays for that? Does bind9 support adding acl and view through commands or API, not by updating config file? like the command "rndc addacl" or "rndc addview". I don't think so, looks a bit too complicated. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. - Have you got anything without Spam in it? - Well, there's Spam egg sausage and Spam, that's not got much Spam in it. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re:Re: Does bind9 support adding acl and view through commands, not by updating config file?
The "intelligent" means that dns server return the corresponding A record IP address according to the source IP address of the tenants. My dns server is an Authoritative dns server. It hosts the zones of different tenants. I need to update config file name.conf frequently Because The views and ACLS are added frequently. So i want to know whether have commands or API to add acl and view like the command "rndc addacl" or "rndc addview"? Updating config file frequently may affect other zones in this dns server. At 2021-04-15 15:08:26, "Matus UHLAR - fantomas" wrote: >On 15.04.21 15:35, Zhengyu Pan wrote: >>I want to implement intelligent DNS through bind9. > >>I need to add a custom line(IP address ranges) to bind9 using acl and view >> when add a user. Because when add a tenant, i need to define a new acl >> and view. I don't want to update named.conf config file frequently. > >what is supposed to be intelligent there? > >I mean, why? are you going to provide recursive service to someone who pays >for that? > >> Does bind9 support adding acl and view through commands or API, not by >> updating config file? >> like the command "rndc addacl" or "rndc addview". > >I don't think so, looks a bit too complicated. > >-- >Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ >Warning: I wish NOT to receive e-mail advertising to this address. >Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. >Save the whales. Collect the whole set. >___ >Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe >from this list > >ISC funds the development of this software with paid support subscriptions. >Contact us at https://www.isc.org/contact/ for more information. > > >bind-users mailing list >bind-users@lists.isc.org >https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Does bind9 support adding acl and view through commands, not by updating config file?
On 15.04.21 15:35, Zhengyu Pan wrote: I want to implement intelligent DNS through bind9. I need to add a custom line(IP address ranges) to bind9 using acl and view when add a user. Because when add a tenant, i need to define a new acl and view. I don't want to update named.conf config file frequently. what is supposed to be intelligent there? I mean, why? are you going to provide recursive service to someone who pays for that? Does bind9 support adding acl and view through commands or API, not by updating config file? like the command "rndc addacl" or "rndc addview". I don't think so, looks a bit too complicated. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Save the whales. Collect the whole set. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Does bind9 support adding acl and view through commands, not by updating config file?
Hi, I want to implement intelligent DNS through bind9. I need to add a custom line(IP address ranges) to bind9 using acl and view when add a user. Because when add a tenant, i need to define a new acl and view. I don't want to update named.conf config file frequently. Does bind9 support adding acl and view through commands or API, not by updating config file? like the command "rndc addacl" or "rndc addview". Thanks Zhengyu -- Thanks! Zhengyu___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind 9.11 question (ACL ecs )
You use the "ecs" key word like this. acl example { ecs 10.0.0.0/8; }; view ecs-net-10-only { match-clients { example; }; }; Also using colour or fonts is not a good way to highlight what the issue is. Not everyone reads email on a display which supports different colours or fonts. Also acls are *first* *match* so match-clients { area02; ecs-area02; !{!ecs-area02; any; }; key Area02.mydomain.idv.; }; and match-clients { area02; ecs-area02; }; are the *same* as all "ecs-area02;" addresses have already been matched by the time you get to looking at "!{!ecs-area02; any; };". Bob, !{!ecs-area01; any; }; is reject anything which isn't in ecs-area01. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind 9.11 question (ACL ecs )
On Tue, Oct 25, 2016 at 2:04 AM, <hsulip...@itri.org.tw> wrote: > From 9.1 ARM chapter 7 that mention > > The EDNS Client Subnet (ECS) option is used by a recursive resolver to > inform an authoritative > name server of the network address block from which the original query was > received, enabling > authoritative servers to give different answers to the same resolver for > different resolver clients. > > > > *An ACL containing an element of the form ecs prefix will match if a > request arrives in containing* > *an ECS option encoding an address within that prefix. If the request has > no ECS option,* > *then "ecs" elements are simply ignored*. Addresses in ACLs that are not > prefixed with "ecs" are > matched only against the source address. > > > > Now i was migrate DNS bint fro 9.10 to 9.11 and use ECS prefix on my > allow-query entry but when i use dig > > test (not include +subnet) it not response but when i remvoe that ecs > keyword every thing was OK. > > > > I was use bind 9.11 setup three dns server one for mydomain.idv and two > are sub.mydomain.idv. > > my sub.mydomain.idv has multi view but has same zone. > > when i use dig query sub.mydomain.idv entry it always return last match > view, it will not reponse by client subnet > > following was my partial named.conf content > > > > sub.mydomain.idv (Primary server -ip:a.b.c.d) > = > > acl "slave-ips" { a.b.c.d; }; > > server a.b.c.d { > provide-ixfr yes; > request-nsid yes; > send-cookie yes; > edns-udp-size 4096; > max-udp-size 4096; > transfer-format many-answers; > }; > > server a1.b1.c1.d1 { // mydomain.idv primary server > request-nsid yes; > send-cookie yes; > edns-udp-size 4096; > max-udp-size 4096; > }; > > include "d:\isc bind 9\etc\ecs-acl-list.txt"; > include "d:\isc bind 9\etc\no-ecs-acl-list.txt"; > include "d:\isc bind 9\etc\KeyFiles.txt"; > include "d:\isc bind 9\etc\logging.conf"; > > options { > directory "d:\isc bind 9\var\named"; > allow-update {none;}; > notify explicit; > allow-transfer { none; }; > allow-query { none; }; > }; > > // End Options > > view "area01" { > match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key > Area01.mydomain.idv.;}; > zone "sub.mydomain.idv" in { > type master; > allow-query { area01; ecs-area01; }; > file "sub/area01.mydomain.idv.txt"; > also-notify { a.b.c1.d key Area01.mydomain.idv.; }; > allow-transfer { key Area01.mydomain.idv.; }; > }; > }; // End View > > view "area02" { > match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key > Area02.mydomain.idv.; }; > zone "sub.mydomain.idv" in { > type master; > allow-query { area02; ecs-area02; }; > file "sub/area02.mydomain.idv.txt"; > also-notify { a.b.c1.d key Area02.mydomain.idv.; }; > allow-transfer { key Area02.mydomain.idv.; }; > }; > }; // End View > > view "area03" { > match-clients { area03; ecs-area03; !{!ecs-area03; any; } ; key > Area03.mydomain.idv.; }; > zone "sub.mydomain.idv" in { > type master; > allow-query { area03; ecs-area03; }; > file "sub/area03.mydomain.idv.txt"; > also-notify { a.b.c1.d key Area03.mydomain.idv.;}; > allow-transfer { key Area03.mydomain.idv.; }; > }; > }; // End View > > view "deafult" { // Default > match-clients {any; }; > zone "sub.mydomain.idv" in { > type master; > allow-query { any; }; > file "sub/default.mydomain.idv.txt"; > also-notify { a.b.c1.d key Default.mydomain.idv.;}; > allow-transfer { key Default.mydomain.idv.; }; > }; > }; // End View > > sub.mydomain.idv (Slave server -ip:a.b.c1.d) > = > > server a.b.c.d { > provide-ixfr yes; > request-nsid yes; > send-cookie yes; > edns-udp-size 4096; > max-udp-size 4096; > transfer-format many-answers; > }; > > server a1.b1.c1.d1 { // mydomain.idv primary server > request-nsid yes; > send-cookie yes; > edns-udp-size 4096; > max-udp-size 4096; > }; > > include "d:\isc bind 9\etc\ecs-acl-list.txt"
Bind 9.11 question (ACL ecs )
From 9.1 ARM chapter 7 that mention The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform an authoritative name server of the network address block from which the original query was received, enabling authoritative servers to give different answers to the same resolver for different resolver clients. An ACL containing an element of the form ecs prefix will match if a request arrives in containing an ECS option encoding an address within that prefix. If the request has no ECS option, then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address. Now i was migrate DNS bint fro 9.10 to 9.11 and use ECS prefix on my allow-query entry but when i use dig test (not include +subnet) it not response but when i remvoe that ecs keyword every thing was OK. I was use bind 9.11 setup three dns server one for mydomain.idv and two are sub.mydomain.idv. my sub.mydomain.idv has multi view but has same zone. when i use dig query sub.mydomain.idv entry it always return last match view, it will not reponse by client subnet following was my partial named.conf content sub.mydomain.idv (Primary server -ip:a.b.c.d) ========= acl "slave-ips" { a.b.c.d; }; server a.b.c.d { provide-ixfr yes; request-nsid yes; send-cookie yes; edns-udp-size 4096; max-udp-size 4096; transfer-format many-answers; }; server a1.b1.c1.d1 { // mydomain.idv primary server request-nsid yes; send-cookie yes; edns-udp-size 4096; max-udp-size 4096; }; include "d:\isc bind 9\etc\ecs-acl-list.txt"; include "d:\isc bind 9\etc\no-ecs-acl-list.txt"; include "d:\isc bind 9\etc\KeyFiles.txt"; include "d:\isc bind 9\etc\logging.conf"; options { directory "d:\isc bind 9\var\named"; allow-update {none;}; notify explicit; allow-transfer { none; }; allow-query { none; }; }; // End Options view "area01" { match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key Area01.mydomain.idv.;}; zone "sub.mydomain.idv" in { type master; allow-query { area01; ecs-area01; }; file "sub/area01.mydomain.idv.txt"; also-notify { a.b.c1.d key Area01.mydomain.idv.; }; allow-transfer { key Area01.mydomain.idv.; }; }; }; // End View view "area02" { match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key Area02.mydomain.idv.; }; zone "sub.mydomain.idv" in { type master; allow-query { area02; ecs-area02; }; file "sub/area02.mydomain.idv.txt"; also-notify { a.b.c1.d key Area02.mydomain.idv.; }; allow-transfer { key Area02.mydomain.idv.; }; }; }; // End View view "area03" { match-clients { area03; ecs-area03; !{!ecs-area03; any; } ; key Area03.mydomain.idv.; }; zone "sub.mydomain.idv" in { type master; allow-query { area03; ecs-area03; }; file "sub/area03.mydomain.idv.txt"; also-notify { a.b.c1.d key Area03.mydomain.idv.;}; allow-transfer { key Area03.mydomain.idv.; }; }; }; // End View view "deafult" { // Default match-clients {any; }; zone "sub.mydomain.idv" in { type master; allow-query { any; }; file "sub/default.mydomain.idv.txt"; also-notify { a.b.c1.d key Default.mydomain.idv.;}; allow-transfer { key Default.mydomain.idv.; }; }; }; // End View sub.mydomain.idv (Slave server -ip:a.b.c1.d) = server a.b.c.d { provide-ixfr yes; request-nsid yes; send-cookie yes; edns-udp-size 4096; max-udp-size 4096; transfer-format many-answers; }; server a1.b1.c1.d1 { // mydomain.idv primary server request-nsid yes; send-cookie yes; edns-udp-size 4096; max-udp-size 4096; }; include "d:\isc bind 9\etc\ecs-acl-list.txt"; include "d:\isc bind 9\etc\no-ecs-acl-list.txt"; include "d:\isc bind 9\etc\KeyFiles.txt"; include "d:\isc bind 9\etc\logging.conf"; options { directory "d:\isc bind 9\var\named"; allow-update {none;}; notify explicit; allow-transfer { none; }; allow-query { none; }; }; // End Options view "area01" { match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key Area01.mydomain.idv.;}; zone "sub.mydomain.idv" in { type slave; allow-query { area01; ecs-area01; }; file "sub/area01.mydomain.idv.ca"; masters { a.b.c.d key Area01.mydomain.idv.; }; }; }; // End View view "area0
Re: acl
On 8 October 2016 at 09:57, Pol Hallen <bin...@fuckaround.org> wrote: > 192.168.1/24 is not a valid netmask >> > > huh? > In linux and BSD I always use 192.168.1/24 (how shortcut of 192.168.1.0/24) > and so on... You're confusing network configuration with ACL syntax. Where you're using 192.168.1.50/24 in your OS configuration, what you're really saying is 192.168.1.50 netmask 255.255.255.0. When you use it in an ACL, you're saying "the entire /24 that contains 192.168.1.50" > hint: using /24 everywhere is nonsense >> > > why? > > My goal is allow 192.168.1.0/24 (net) and deny 192.168.1.50 (host) > > thanks > > Pol It sounds like what you want is to permit 192.168.1.0/24 and deny 192.168.1.50/32. > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: defines ip to acl
And don't forget the copious comments in named.conf, so that your successor can easily see, at a glance, what start/end addresses those clusters of ACL elements represent. sure! :-) thanks Pol ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: defines ip to acl
And don't forget the copious comments in named.conf, so that your successor can easily see, at a glance, what start/end addresses those clusters of ACL elements represent. - Kevin -Original Message- From: Darcy Kevin (FCA) Sent: Monday, October 17, 2016 3:11 PM To: bind-users@lists.isc.org Subject: RE: defines ip to acl Well, things are messy, because you haven't carved up your subnet on bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or some combination of these. It can be done: 192.168.1.1 through 192.168.1.99 = !192.168.1.0; 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; 192.168.1.100 through 192.168.1.199 = 192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29; I might have made an error in the above -- did I mention that this is very error-prone as well? :-) - Kevin -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol Hallen Sent: Monday, October 17, 2016 2:37 PM To: bind-users@lists.isc.org Subject: defines ip to acl Hello all :-) I need to setup 2 kind of acl on same network, ie: ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and ip from 192.168.1.100 to 192.168.1.199 to acl2 acl net1 { 192.168.1.1-99/24 }; acl net1 { 192.168.1.99-199/24 }; what's the correct way? I didn't find nothing :-/ thanks for help Pol ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: defines ip to acl
Acls don’t support ranges, only prefixes. You don’t want the whole /24. I think you want: acl net1 {192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; } acl net2 {192.168.1.100/30; 192.168.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29; } thanks guys :-) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: defines ip to acl
Well, things are messy, because you haven't carved up your subnet on bit-boundaries. BIND ACLs are either individual IPs, CIDR blocks, negations, or some combination of these. It can be done: 192.168.1.1 through 192.168.1.99 = !192.168.1.0; 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; 192.168.1.100 through 192.168.1.199 = 192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29; I might have made an error in the above -- did I mention that this is very error-prone as well? :-) - Kevin -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol Hallen Sent: Monday, October 17, 2016 2:37 PM To: bind-users@lists.isc.org Subject: defines ip to acl Hello all :-) I need to setup 2 kind of acl on same network, ie: ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and ip from 192.168.1.100 to 192.168.1.199 to acl2 acl net1 { 192.168.1.1-99/24 }; acl net1 { 192.168.1.99-199/24 }; what's the correct way? I didn't find nothing :-/ thanks for help Pol ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: defines ip to acl
Acls don’t support ranges, only prefixes. You don’t want the whole /24. I think you want: acl net1 {192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; } acl net2 {192.168.1.100/30; 192.168.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29; } On 2016-10-17, 13:41, "bind-users on behalf of Pol Hallen" <bind-users-boun...@lists.isc.org on behalf of bin...@fuckaround.org> wrote: Hello all :-) I need to setup 2 kind of acl on same network, ie: ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and ip from 192.168.1.100 to 192.168.1.199 to acl2 acl net1 { 192.168.1.1-99/24 }; acl net1 { 192.168.1.99-199/24 }; what's the correct way? I didn't find nothing :-/ thanks for help Pol ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
defines ip to acl
Hello all :-) I need to setup 2 kind of acl on same network, ie: ip from 192.168.1.1 to 192.168.1.99 belongs to acl1 and ip from 192.168.1.100 to 192.168.1.199 to acl2 acl net1 { 192.168.1.1-99/24 }; acl net1 { 192.168.1.99-199/24 }; what's the correct way? I didn't find nothing :-/ thanks for help Pol ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ACL
I think what you are looking for is: acl test0 { !192.168.1.50/32; 192.168.1.0/24; }; http://jodies.de/ipcalc is a good resource for checking. (As was mentioned by Reindl...) Learning basic sub-netting of IP addresses (Both IPv4 and IPv6) takes time but it's necessary for DNS configuration. There's plenty of other resources out there. (Try googling sub-netting with or without the hyphen) Hope that helps, Bob > Message: 1 > Date: Sat, 8 Oct 2016 15:14:36 +0200 > From: Pol Hallen <bin...@fuckaround.org> > To: Bind Users <bind-users@lists.isc.org> > Subject: acl > Message-ID: <fb1d9827-71ee-ff59-4d2c-9262c8cd9...@fuckaround.org> > Content-Type: text/plain; charset=utf-8; format=flowed > > Hi all :-) > > can someone advice me about a fully howto / handbook to understand ACL? > > I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host: > > acl test0 { !192.168.1.50/24; 192.168.1/24;}; > > thanks for help! > > Pol ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: acl
On 8 October 2016 at 14:14, Pol Hallen <bin...@fuckaround.org> wrote: > acl test0 { !192.168.1.50/24; 192.168.1/24;}; acl test0 { !192.168.1.50; 192.168.1.0/24;}; ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: acl
192.168.1/24 is not a valid netmask huh? In linux and BSD I always use 192.168.1/24 (how shortcut of 192.168.1.0/24) and so on... hint: using /24 everywhere is nonsense why? My goal is allow 192.168.1.0/24 (net) and deny 192.168.1.50 (host) thanks Pol ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: acl
Am 08.10.2016 um 15:14 schrieb Pol Hallen: Hi all :-) can someone advice me about a fully howto / handbook to understand ACL? I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host: acl test0 { !192.168.1.50/24; 192.168.1/24;}; 192.168.1/24 is not a valid netmask 192.168.1.0/24 -> 192.168.1.1 - 192.168.1.254 192.168.1.50/24 is not a valid netmask 192.168.1.0/24 -> 192.168.1.1 - 192.168.1.254 honestly go to http://jodies.de/ipcalc and test what your proposed netmasks are doing hint: using /24 everywhere is nonsense and what you are trying here (if it's accepted at all) is do allow and deny the actly same range by lack of understanding how network masks are working ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
acl
Hi all :-) can someone advice me about a fully howto / handbook to understand ACL? I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host: acl test0 { !192.168.1.50/24; 192.168.1/24;}; thanks for help! Pol ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Reload only ACL
On Tue, Apr 26, 2016 at 10:22 AM, Ali Jawad <alijaw...@gmail.com> wrote: > Hi Bob > I did have a look at > http://www.zytrax.com/books/dns/ch7/rpz.html#policy-client-ip-trigger , > and while in theory it can be used in a way similar to ACL I cant see how > it accommodates for faster changes, would you please elaborate ? > You are correct, my mistake. Looks like you can only block the client completely, and not change just one answer for the client, so that will not work for you. -- Bob Harold > On Tue, Apr 26, 2016 at 4:46 PM, Bob Harold <rharo...@umich.edu> wrote: > >> >> On Mon, Apr 25, 2016 at 5:30 PM, Carl Byington <c...@byington.org> wrote: >> >>> -BEGIN PGP SIGNED MESSAGE- >>> Hash: SHA512 >>> >>> On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote: >>> > based on a user tool the users "hundreds in corporate environment" get >>> > either public or private zone, >>> >>> Rather than the tool writing an ACL for bind, can the tool instead >>> reconfigure the user's local workstation dns settings to point to one of >>> two different (sets of) bind servers? One serves the public zone, one >>> serves the private zone. >>> >>> >>> >> You might be able to use RPZ to give a list of users a different answer >> for certain queries, and that can be dynamically updated quickly, if I >> understand it correctly. That might work better than ACLs and views for a >> fast-changing list of users. >> >> -- >> Bob Harold >> >> >> >> ___ >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to >> unsubscribe from this list >> >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users >> > > ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Reload only ACL
Hi Bob I did have a look at http://www.zytrax.com/books/dns/ch7/rpz.html#policy-client-ip-trigger , and while in theory it can be used in a way similar to ACL I cant see how it accommodates for faster changes, would you please elaborate ? On Tue, Apr 26, 2016 at 4:46 PM, Bob Harold <rharo...@umich.edu> wrote: > > On Mon, Apr 25, 2016 at 5:30 PM, Carl Byington <c...@byington.org> wrote: > >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA512 >> >> On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote: >> > based on a user tool the users "hundreds in corporate environment" get >> > either public or private zone, >> >> Rather than the tool writing an ACL for bind, can the tool instead >> reconfigure the user's local workstation dns settings to point to one of >> two different (sets of) bind servers? One serves the public zone, one >> serves the private zone. >> >> >> > You might be able to use RPZ to give a list of users a different answer > for certain queries, and that can be dynamically updated quickly, if I > understand it correctly. That might work better than ACLs and views for a > fast-changing list of users. > > -- > Bob Harold > > > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Reload only ACL
On Mon, Apr 25, 2016 at 5:30 PM, Carl Byington <c...@byington.org> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote: > > based on a user tool the users "hundreds in corporate environment" get > > either public or private zone, > > Rather than the tool writing an ACL for bind, can the tool instead > reconfigure the user's local workstation dns settings to point to one of > two different (sets of) bind servers? One serves the public zone, one > serves the private zone. > > > You might be able to use RPZ to give a list of users a different answer for certain queries, and that can be dynamically updated quickly, if I understand it correctly. That might work better than ACLs and views for a fast-changing list of users. -- Bob Harold ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Reload only ACL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote: > based on a user tool the users "hundreds in corporate environment" get > either public or private zone, Rather than the tool writing an ACL for bind, can the tool instead reconfigure the user's local workstation dns settings to point to one of two different (sets of) bind servers? One serves the public zone, one serves the private zone. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iEYEAREKAAYFAlcejGIACgkQL6j7milTFsFGxQCeLAh24G0V0Q/TqxhJCpJo9urj n3wAn3ZaYI0s6ubAuBNHISoNsVLmdbS4 =xrrO -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Reload only ACL
On 25/04/16 22:23, Ali Jawad wrote: Hi Ali Jawad, > I do have a very specific requirement for private/public zones and based on > a user tool the users "hundreds in corporate environment" get either public > or private zone, the tool simply writes to an ACL file, my problem is that > the only way I found that does not flush the cache of the server and > reloads the ACL is rndc reconfig, but that appears to stall the server for > new queries "tested with dig" for a few moments, and given I have a change > of ACL from a user every a few times per minute it is not very viable. Is > there an alternative to doing this ? and/or a way to have BIND load the ACL > dynamically ? I'm not aware of any way to look up ACLs dynamically. However, a configuration that involves reconfiguring BIND several times a minute seems like a bad design. Can't you have pre-defined address ranges of public or private zones, and just pre-configure these in BIND once? Sometimes it helps to rethink your design. Regards, Anand ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Reload only ACL
Hi I do have a very specific requirement for private/public zones and based on a user tool the users "hundreds in corporate environment" get either public or private zone, the tool simply writes to an ACL file, my problem is that the only way I found that does not flush the cache of the server and reloads the ACL is rndc reconfig, but that appears to stall the server for new queries "tested with dig" for a few moments, and given I have a change of ACL from a user every a few times per minute it is not very viable. Is there an alternative to doing this ? and/or a way to have BIND load the ACL dynamically ? Regards ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Database driven ACL
On Mon, Feb 29, 2016 at 04:11:03PM -0500, Alan Clegg wrote: > Would also be cool to have a meta-zone or type (overlay similar to RPZ > perhaps?) that could be used to configure DNS options. > > Then your existing DNS tools could act as your management interface. Stay tuned for 9.11, which will have an implementation of something like https://tools.ietf.org/html/draft-muks-dnsop-dns-catalog-zones-00. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Database driven ACL
On 2/29/16, 4:04 PM, "/dev/rob0"wrote: >On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote: >> Is there a mature/tested method of loading ACLs through a DB query >> instead of editing the config file or reading/writing into a text >> file ? > >I like this idea. I'd further suggest using either: > 1. An abstraction layer such that any DB backend might be used; or > 2. sqlite3 Would also be cool to have a meta-zone or type (overlay similar to RPZ perhaps?) that could be used to configure DNS options. Then your existing DNS tools could act as your management interface. AlanC ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Database driven ACL
Hi Is there a mature/tested method of loading ACLs through a DB query instead of editing the config file or reading/writing into a text file ? Regards ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Negation in view match-clients ACL doesn't work?
On 04/08/2015 21:29, Darcy Kevin (FCA) wrote: The short answer is that that is how address-match-lists work: a non-negated match allows access, a negated match denies access, and if there is *no* match, access is denied. The only real reason to use a negated match, therefore, is when what you're negating is a subset of something later in the address-match-list. You do realize, I hope, that you could just change the order of the views and then you wouldn't need any form of negation (earlier one matches 127.0.0.1, later one matches any). - Kevin -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of MURTARI, JOHN Sent: Tuesday, August 04, 2015 4:19 PM To: bind-users@lists.isc.org Subject: Negation in view match-clients ACL doesn't work? Folks, This has been a real mystery and haven't been able to find a good explanation for the behavior. For a simple example I have two views setup and I want to differentiate access based on queries originating from 127.0.0.1. In my FIRST ATTEMPT I just negated the IP address, but that didn't work. The first view never matched. In the SECOND ATTEMPT I simply added any AFTER the negation and that worked? I read the ARM, can someone explain? Many Thanks! FIRST ATTEMPT: Fails - no clients can see external_zones. view default-test { match-clients { ! 127.0.0.1; }; // thought this would match anyone but 127.0.0.1 zone . { type hint; file db.cache; }; zone 0.0.127.in-addr.arpa { type master; file db.127.0.0.0; }; include external_zones.txt; }; view default { match-clients { any; }; zone . { type hint; file db.cache; }; zone 0.0.127.in-addr.arpa { type master; file db.127.0.0.0; }; include internal_zones.txt; }; SECOND ATTEMPT: Succeeds, only external clients can see external_zones. view default-test { match-clients { ! 127.0.0.1; any; }; // Why must I add any? .. Although it's dealing with a different question, this KB article might help a bit with understanding ACLs: https://kb.isc.org/article/AA-00723 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Dynamic ACL
Hi I am running BIND 9.10 and I have looked through various options including DLZ and RPZ but I am still not sure if they can do what I need or if i need to look at something different. Here is my scenario and I would appreciate if you could advice me. - I do have 6 different Geo ACLs and a default ACL - Each ACL has its own zone file , users get served based on Geo location. If the users are not part of any geo location they are served the default ACL and zone files. - For a few hundred users I want to asign their IPs to specific Geo locations even if they do not belong to those locations. I want to do this on the fly without having to edit zone files and if possible without having to reload BIND. I want to keep it as dynamic as possible. Any input please ? Regards ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dynamic ACL
Hi Barry I would rather not do that through editing text files unless it is the last option. I want this dynamic and scalable . Down the road users will have option to change their view as such simultaneous read/write might happen Regards On Apr 8, 2015 4:42 PM, Barry Margolin bar...@alum.mit.edu wrote: In article mailman.1908.1428494842.26362.bind-us...@lists.isc.org, Ali Jawad alijaw...@gmail.com wrote: Hi I am running BIND 9.10 and I have looked through various options including DLZ and RPZ but I am still not sure if they can do what I need or if i need to look at something different. Here is my scenario and I would appreciate if you could advice me. - I do have 6 different Geo ACLs and a default ACL - Each ACL has its own zone file , users get served based on Geo location. If the users are not part of any geo location they are served the default ACL and zone files. - For a few hundred users I want to asign their IPs to specific Geo locations even if they do not belong to those locations. I want to do this on the fly without having to edit zone files and if possible without having to reload BIND. I want to keep it as dynamic as possible. Any input please ? Regards Sounds like you should be able to do this all with views. When you reassign an IP, you edit named.conf to change the match-address clause, and use rndc reconfig to load the new named.conf file. -- Barry Margolin Arlington, MA ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dynamic update of split view acl
Hi Matt, in my understanding, rndc reload zone in view reloads the zone file only, not the configuration where the matched-clients { } statement is listed. So, you'll have to run a full config reload if you change the matched-clients { } list. I just wonder why you want to move a client's ip from one view to the other? Cheers, Robert Am Samstag, den 28.02.2015, 04:27 -0800 schrieb Matt Calder: .57.0.0/24 is still matched by view1. Is there any way to accomplish this? -- Robert Senger robert.sen...@microscopium.de PGP/GPG Public Key ID: 24E78B5E signature.asc Description: This is a digitally signed message part ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
dynamic update of split view acl
I'm running BIND 9.9.5-3 on Ubuntu 14.04.1. I'm trying to figure out how to change the match-clients prefixes in a view without having to restart BIND or do full config reload. My actual BIND config has many views and restarts can take several minutes. Here is my simple test set up. *view view1 {match-clients { 204.57.0.0/24 http://204.57.0.0/24; 204.57.5.0/24 http://204.57.5.0/24; };zone domaintest.com http://domaintest.com/ in {type master; file /etc/bind/view1.zone;};};view view2 {match-clients { 216.55.18.0/24 http://216.55.18.0/24; };zone domaintest.com http://domaintest.com/ in {type master;file /etc/bind/view2.zone;};};* Say I move 204.57.0.0/24 from view1 to view2, my hope was that I could simply do *$ rndc reload domaintest.com http://domaintest.com/ in view1$ rndc reload domaintest.com http://domaintest.com/ in view2* and match-clients would also be updated but this doesn’t work. I increment the serial of view1.zone and view2.zone, but 204.57.0.0/24 is still matched by view1. Is there any way to accomplish this? Thanks, Matt ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dynamic update of split view acl
On Sat, Feb 28, 2015 at 04:27:36AM -0800, Matt Calder wrote: I'm running BIND 9.9.5-3 on Ubuntu 14.04.1. I'm trying to figure out how to change the match-clients prefixes in a view without having to restart BIND or do full config reload. My actual BIND config has many views and restarts can take several minutes. Did you try rndc reconfig? That might be a bit faster because it doesn't reload zones. Here is my simple test set up. Unfortunately HTMLified by your MUA. *view view1 {match-clients { 204.57.0.0/24 http://204.57.0.0/24; 204.57.5.0/24 http://204.57.5.0/24; };zone domaintest.com http://domaintest.com/ in {type master; file /etc/bind/view1.zone;};};view view2 {match-clients { 216.55.18.0/24 http://216.55.18.0/24; };zone domaintest.com http://domaintest.com/ in {type master;file /etc/bind/view2.zone;};};* I'd recommend using acl statements: #v+ # here I am naming each component network # (use names that make sense to you) acl net-57-0 { 204.57.0.0/24; }; acl net-57-5 { 204.57.5.0/24; }; acl net-216-55-18 { 216.55.18.0/24; }; # and then I build the composite networks per view acl view1 { net-57-0; net-57-5; }; acl view2 { net-216-55-18; }; # That done, use the composites as match-clients: view view1 { match-clients { view1; }; ... (other view stuff) ... }; view view2 { match-clients { view2; }; ... (other view stuff) ... }; #v- Say I move 204.57.0.0/24 from view1 to view2, my hope was that I could simply do *$ rndc reload domaintest.com http://domaintest.com/ in view1 $ rndc reload domaintest.com http://domaintest.com/ in view2* and match-clients would also be updated but this doesn’t work. I increment the serial of view1.zone and view2.zone, but 204.57.0.0/24 is still matched by view1. Is there any way to accomplish this? Right. So you redo your acl statements and do rndc reconfig. The acls are simply there to make it easier to manage. The real answer is reconfig. That will work even without acls. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if /dev/rob0 is in the Subject: ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: dynamic update of split view acl
Hi Robert, Thanks for the reply. I also should have mentioned that this is for an authoritative DNS setup. I'm evaluating different DNS options to support CDN-like testbed where, due to Internet path changes/outages, I would ideally like the ability to rapidly change where particular clients are directed. Appreciate any additional suggestions! Thanks, Matt On Sat, Feb 28, 2015 at 4:48 AM, Robert Senger rs-...@microscopium.de wrote: Hi Matt, in my understanding, rndc reload zone in view reloads the zone file only, not the configuration where the matched-clients { } statement is listed. So, you'll have to run a full config reload if you change the matched-clients { } list. I just wonder why you want to move a client's ip from one view to the other? Cheers, Robert Am Samstag, den 28.02.2015, 04:27 -0800 schrieb Matt Calder: .57.0.0/24 is still matched by view1. Is there any way to accomplish this? -- Robert Senger robert.sen...@microscopium.de PGP/GPG Public Key ID: 24E78B5E ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dynamic update the ip addresses list defined within acl clause
On Jan 29, 2014, at 7:45 AM, Pika.Aman a...@thingsto.me wrote: Hi there, I would like to ask if there exists any way to dynamic update the ip addresses in the list of the ACL clause without reload or re-start the bind server? Hoping someone can help me! Thank you!! You could put the definition of the ACL into a file that you INCLUDE into the config file and then, when you modify it, do a rndc reconfig which should not impact your service too much. AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com signature.asc Description: Message signed with OpenPGP using GPGMail ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dynamic update the ip addresses list defined within acl clause
On 29.01.14 14:45, Pika.Aman wrote: I would like to ask if there exists any way to dynamic update the ip addresses in the list of the ACL clause without reload or re-start the bind server? Hoping someone can help me! Thank you!! No, the dynamic configuration like this is not supported. However, you should be able to configure signature-based updates (I think SIG(0) does that). -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. (R)etry, (A)bort, (C)ancer ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Dynamic update the ip addresses list defined within acl clause
Hi there, I would like to ask if there exists any way to dynamic update the ip addresses in the list of the ACL clause without reload or re-start the bind server? Hoping someone can help me! Thank you!! -- Pika Aman Sent with Sparrow (http://www.sparrowmailapp.com/?sig) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Performance impact of a large ACL list.
Augie, On Monday, 2013-02-04 19:01:38 -0600, Jeremy C. Reed jr...@isc.org wrote: On Mon, 4 Feb 2013, Augie Schwer wrote: Does anyone have any experience using a large ( 1k ) entry ACL list? Was there any performance degradation? I haven't implemented my ACL yet, but it has quickly ballooned up, and I am hoping to get some advice from others in a similar situation. It has been a few years since I researched this. (I should re-add this to my existing performance and resource usage tests.) BIND 9.5 had various ACL improvements including support for O(1) ACL processing, based on radix tree code. As one example, with 20,000 to 100,000 ACLs some of my tests for 9.4 only has around 80 to 400 qps, while the new version has around 21,000 qps. This specific change should mean that adding IP-based ACL will not slow down ACL performance. However, if you are using TSIG-based ACL then we can't store them in a radix tree, and these still scale linearly with the number of entries, IIRC. I suppose we can change this to a tree-based structure at some point if there is a real need for large TSIG-based ACL. It still won't be as fast as IP-based ACL, but it should be much faster than the simple list-based implementation we have now. Cheers, -- Shane ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Performance impact of a large ACL list.
Does anyone have any experience using a large ( 1k ) entry ACL list? Was there any performance degradation? I haven't implemented my ACL yet, but it has quickly ballooned up, and I am hoping to get some advice from others in a similar situation. -- Augie Schwer-au...@schwer.us-http://schwer.us ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Performance impact of a large ACL list.
On Mon, 4 Feb 2013, Augie Schwer wrote: Does anyone have any experience using a large ( 1k ) entry ACL list? Was there any performance degradation? I haven't implemented my ACL yet, but it has quickly ballooned up, and I am hoping to get some advice from others in a similar situation. It has been a few years since I researched this. (I should re-add this to my existing performance and resource usage tests.) BIND 9.5 had various ACL improvements including support for O(1) ACL processing, based on radix tree code. As one example, with 20,000 to 100,000 ACLs some of my tests for 9.4 only has around 80 to 400 qps, while the new version has around 21,000 qps. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
ACL per listening IP address ?
I have several multi-homed caching servers and am using anycast. Each server has it's native interface and then all of them advertise two other IP addresses, 128.83.185.40 and 128.83.185.41. BIND only listens on these other two IP addresses. There is no problem with this setup, it works fine and queries are serviced without problem. options { listen-on port 53 { 128.83.185.40; 128.83.185.41; }; Since these different physical servers are advertising the same IP addresses (the two above), verifying the status/health of the instance of BIND is tricky. Basically we have a script running on each server which is used by our monitoring service. Is there a way to apply individual BIND ACLs to each of the listening interfaces, restricting who can query that particular address? My idea is to add the native (unique) interface to named.conf but only allow certain IP addresses to issue queries against it. I'm not very familiar with the concept of views but I wonder if the match-client statement might be the way to go. Alternatively we can setup an external ACL (or firewall statement) that only allows queries to the native address from our monitoring service. Clear as mud? Oscar ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ACL per listening IP address ?
I'm not very familiar with the concept of views but I wonder if the match-client statement might be the way to go. It sounds like the one you're interested in is match-destinations actually. options { listen-on port 53 { 128.83.185.40; 128.83.185.41; NATIVE IP; }; ... }; view monitor { match-destinations { NATIVE IP; }; recursion no; allow-query { localhost; }; zone testzone { type master; file test.db; }; }; view others { match-destinations { any; }; recursion yes; allow-recursion { ... }; ... }; Any queries sent to NATIVE IP would then be routed into the monitor view, and any queries sent to the public-facing addresses would go to the others view. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
On 30/08/12 03:19, GS Bryan wrote: My BIND version, as shown by 'named -v' is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6. 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever. -- Bryan S.G. You're correct - named-checkconf doesn't see the problem, but named errors during start-up. I'm opening a bug ticket for you. Cathy ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
On 30/08/12 03:17, GS Bryan wrote: hmm... that explains it. Damn, DNSMadeEasy needs to have notify notices sent to a different IP set than their nameserver service. This means that I have to hardcode this myself. Another question then, if zone 'example.net' has the NS records of 'ns1.example.net' (its IP address is 101.1.1.1) and 'ns2.example.net' (its IP address is 101.1.2.1), then if I put the 'also-notify { 22.22.22.222; 22.22.22.223; 22.22.22.224; };' in the zone clause, when the zone file is modified, notify messages will be sen to 101.1.1.1, 101.1.2.1, 2.22.22.222, 22.22.22.223, and 22.22.22.224 right? Yes (except for the master listed in the SOA record), and unless you have 'notify explicit;' set. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Problem with ACL in named.conf
I tried to use the acl statement in my named.conf file, but I have a hard time making it work. In my named.conf file, I've put these acl statements in these formats (made up IP addresses mind you):- -- // Individual ACL list acl addr1 { 11.22.33.44; 12.23.34.45; }; acl addr2 { 22.33.44.55; 5.4.3.2; 99.0.0.0; }; acl addr3 { 111.3.4.5; 2001:3000::1; 122.3.4.5; 2001:3000::2; }; // Nested ACLs list acl alladdr { addr1; addr2; addr3; }; Then when I put the 'alladdr' thing in my 'allow-transfer' and 'also-notify' arguments, as shown below, BIND will fail to start:- --- zone example.net { type master; file examplenet.conf; allow-transfer { alladdr; }; also-notify { alladdr; }; key-directory keys/examplenet/; inline-signing yes; auto-dnssec maintain; }; --- Here is the log:- -- BIND 9 is maintained by Internet Systems Consortium, Inc. (ISC), a non-profit 501(c)(3) public-benefit corporation. Support and training for BIND 9 are available at https://www.isc.org/support adjusted limit on open files from 1024 to 1048576 found 1 CPU, using 1 worker thread using 1 UDP listener per interface using up to 4096 sockets loading configuration from '/etc/named.conf' reading built-in trusted keys from file '/etc/named.iscdlv.key' using default UDP/IPv4 port range: [1024, 65535] using default UDP/IPv6 port range: [1024, 65535] listening on IPv4 interface lo, 127.0.0.1#53 listening on IPv4 interface venet0:0, redacted#53 listening on IPv6 interface lo, ::1#53 listening on IPv6 interface venet0, redacted#53 generating session key for dynamic DNS sizing zone task pool based on 10 zones /etc/named.conf:111: masters alladdr not found loading configuration: not found exiting (due to fatal error) - From examples I read from the Internet, I don;t think I have done anything wrong. If I put all the IP addresses from addr1, addr2 and addr3 into the allow-transfer and also-notify statements, BIND will start normally without problems. Thanks for reading. -- Bryan S.G. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
On 08/29/2012 03:25 PM, GS Bryan wrote: Then when I put the 'alladdr' thing in my 'allow-transfer' and 'also-notify' arguments, also-notify does not take an acl. The ARM will give you more information on the grammar. That said, this is a very annoying problem that I wish there was a better solution for. I used to build my conf files with m4 to work around this, but that was a big hammer for a very large installation. You might be able to do something simpler by putting notes in the conf to remind people who update 1 area to also update the other. Doug ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
On Thu, 30 Aug 2012, GS Bryan wrote: also-notify { alladdr; }; This uses an ip_addr instead of an address_match_list. Some versions of named-checkconf will tell you expected IP address. /etc/named.conf:111: masters alladdr not found I can't reproduce your problem. What version of BIND are you running? (I am surprised it didn't log the version.) Also please consider using named-checkconf in your testing. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
In message CAOJ-cLgi-Z1DyEnKq1PbK4+jzGG3ew8ZHfv10B751sEbb9V-=q...@mail.gmail.com , GS Bryan writes: I tried to use the acl statement in my named.conf file, but I have a hard time making it work. In my named.conf file, I've put these acl statements in these formats (made up IP addresses mind you):- -- // Individual ACL list acl addr1 { 11.22.33.44; 12.23.34.45; }; acl addr2 { 22.33.44.55; 5.4.3.2; 99.0.0.0; }; acl addr3 { 111.3.4.5; 2001:3000::1; 122.3.4.5; 2001:3000::2; }; // Nested ACLs list acl alladdr { addr1; addr2; addr3; }; Then when I put the 'alladdr' thing in my 'allow-transfer' and 'also-notify' arguments, as shown below, BIND will fail to start:- also-notify does not take a ACL (it is not a access control). It will take a named masters list. --- zone example.net { type master; file examplenet.conf; allow-transfer { alladdr; }; also-notify { alladdr; }; key-directory keys/examplenet/; inline-signing yes; auto-dnssec maintain; }; --- Here is the log:- -- BIND 9 is maintained by Internet Systems Consortium, Inc. (ISC), a non-profit 501(c)(3) public-benefit corporation. Support and training for BIND 9 are available at https://www.isc.org/support adjusted limit on open files from 1024 to 1048576 found 1 CPU, using 1 worker thread using 1 UDP listener per interface using up to 4096 sockets loading configuration from '/etc/named.conf' reading built-in trusted keys from file '/etc/named.iscdlv.key' using default UDP/IPv4 port range: [1024, 65535] using default UDP/IPv6 port range: [1024, 65535] listening on IPv4 interface lo, 127.0.0.1#53 listening on IPv4 interface venet0:0, redacted#53 listening on IPv6 interface lo, ::1#53 listening on IPv6 interface venet0, redacted#53 generating session key for dynamic DNS sizing zone task pool based on 10 zones /etc/named.conf:111: masters alladdr not found loading configuration: not found exiting (due to fatal error) - From examples I read from the Internet, I don;t think I have done anything wrong. If I put all the IP addresses from addr1, addr2 and addr3 into the allow-transfer and also-notify statements, BIND will start normally without problems. A plain address in a acl is shorthand for address/32 or address/128 depending apon the address type. While they are visually similar the two list are functionally very different. The acl addr3 you have above is short hand for: acl addr3 { 111.3.4.5/32; 2001:3000::1/128; 122.3.4.5/32; 2001:3000::2/128; }; You could define master lists as use those. e.g. master addr3 { 111.3.4.5; 2001:3000::1; 122.3.4.5; 2001:3000::2; }; you can even tell named to use specify keys and ports when talking to the server. master addr3 { 111.3.4.5 port 333 key ; 2001:3000::1; 122.3.4.5; 2001:3000::2; }; Mark Thanks for reading. -- Bryan S.G. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
On 08/29/2012 04:02 PM, Mark Andrews wrote: A plain address in a acl is shorthand for address/32 or address/128 depending apon the address type. While they are visually similar the two list are functionally very different. Mark, I understand the behind the scenes reasons why the 2 things are handled differently. But I still think it would be awesome to have a new kind of list that accepts bare IP addresses, and can be used inside both allow-transfer and also-notify. It's a really common issue to need to configure the same list for both, and having to do it twice in the first place, and then keep it updated twice down the road, really screams out for a programmatic solution. Doug ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
hmm... that explains it. Damn, DNSMadeEasy needs to have notify notices sent to a different IP set than their nameserver service. This means that I have to hardcode this myself. Another question then, if zone 'example.net' has the NS records of 'ns1.example.net' (its IP address is 101.1.1.1) and 'ns2.example.net' (its IP address is 101.1.2.1), then if I put the 'also-notify { 22.22.22.222; 22.22.22.223; 22.22.22.224; };' in the zone clause, when the zone file is modified, notify messages will be sen to 101.1.1.1, 101.1.2.1, 2.22.22.222, 22.22.22.223, and 22.22.22.224 right? -- Bryan S.G. On Thu, Aug 30, 2012 at 9:42 AM, Doug Barton do...@dougbarton.us wrote: On 08/29/2012 03:25 PM, GS Bryan wrote: Then when I put the 'alladdr' thing in my 'allow-transfer' and 'also-notify' arguments, also-notify does not take an acl. The ARM will give you more information on the grammar. That said, this is a very annoying problem that I wish there was a better solution for. I used to build my conf files with m4 to work around this, but that was a big hammer for a very large installation. You might be able to do something simpler by putting notes in the conf to remind people who update 1 area to also update the other. Doug ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
My BIND version, as shown by 'named -v' is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6. 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever. -- Bryan S.G. On Thu, Aug 30, 2012 at 9:59 AM, Jeremy C. Reed jr...@isc.org wrote: On Thu, 30 Aug 2012, GS Bryan wrote: also-notify { alladdr; }; This uses an ip_addr instead of an address_match_list. Some versions of named-checkconf will tell you expected IP address. /etc/named.conf:111: masters alladdr not found I can't reproduce your problem. What version of BIND are you running? (I am surprised it didn't log the version.) Also please consider using named-checkconf in your testing. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
undefined ACL error while running named-checkconf file
Hello, I am running slave DNS server using BIND. Today when try to run named-checkconf file as below , i am getting highlighted error. Kindly assist me [root@server]# named-checkconf /etc/named.rfc1912.zones /etc/named.rfc1912.zones:78: undefined ACL 'redhat' /etc/named.rfc1912.zones:85: undefined ACL 'redhat' /etc/named.rfc1912.zones:92: undefined ACL 'redhat' /etc/named.rfc1912.zones:100: undefined ACL 'redhat' My /etc/named.rfc1912.zones file is given below zone . IN { type hint; file named.ca; }; zone 227.18.217.in-addr.arpa IN { type slave; file slaves/svns.company.db ; allow-query { redhat; }; masters { 10.0.0.1; }; }; zone 226.18.217.in-addr.arpa IN { type slave; file slaves/MX.db ; allow-query { redhat; }; masters { 10.0.0.1; }; }; zone 225.18.217.in-addr.arpa IN { type slave; file slaves/VPN.db ; allow-query { redhat; }; masters { 10.0.0.1; }; }; zone 232.18.217.in-addr.arpa IN { type slave; file slaves/drns.company.db ; allow-query { redhat; }; masters { 10.0.0.1; }; }; 2. My /etc/named.caching-nameserver.conf file content acl redhat { any; }; options { listen-on port 53 { 127.0.0.1; 10.0.0.2; }; directory /var/named; dump-file /var/named/data/cache_dump.db; statistics-file /var/named/data/named_stats.txt; memstatistics-file /var/named/data/named_mem_stats.txt; query-source port 53; logging { channel default_debug { file data/named.run; severity dynamic; }; channel my_file { file data/log.msgs; severity dynamic; }; category queries { my_file; }; }; view localhost_resolver { match-clients { localhost; 10.0.0.1/23; any; }; match-destinations { localhost; }; recursion yes; include /etc/named.rfc1912.zones; Regards Papdheen M ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: undefined ACL error while running named-checkconf file
On 03/12/2011 10:57, babu dheen wrote: Hello, I am running slave DNS server using BIND. Today when try to run named-checkconf file as below , i am getting highlighted error. Kindly assist me [root@server]# named-checkconf /etc/named.rfc1912.zones /etc/named.rfc1912.zones:78: undefined ACL 'redhat' /etc/named.rfc1912.zones:85: undefined ACL 'redhat' /etc/named.rfc1912.zones:92: undefined ACL 'redhat' /etc/named.rfc1912.zones:100: undefined ACL 'redhat' Isn't it kind of obvious? You are checking the syntax of the file named.rfc1912.zones, but the ACL is refers to is defined in another file. How will named-checkconf know that the ACL is in another file called named.caching-nameserver.conf? You would do better to run named-checkconf on named.caching-nameserver.conf. Regards, Anand Buddhdev RIPE NCC ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: undefined ACL error while running named-checkconf file
Dear Anand, Yes, both primary and slave running with different version. Will it cause any problem if both are running with different version? --- On Sat, 3/12/11, Anand Buddhdev ana...@ripe.net wrote: From: Anand Buddhdev ana...@ripe.net Subject: Re: undefined ACL error while running named-checkconf file To: babu dheen babudh...@yahoo.co.in Cc: bind-users@lists.isc.org Date: Saturday, 3 December, 2011, 5:26 PM On 03/12/2011 12:44, babu dheen wrote: Babu, I am maintaining the same configuration on primary server but when i execute the same command refering /etc/named.rfc1912.zones file, i am not getting any error. Are the files identical? Are the versions of BIND on both servers the same? Obviously, there must be something different, which results in the error message. But when i execute the same command in my slave server, i am getting this error. Can you tell me how to enable the debug logs in bind? Try reading the BIND manual first. If you don't understand something specific, ask about it on the bind-users mailing list. Regards, Anand ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
correct syntax for TSIG IP restrictions for named-ACL versus just IP?
i've bind9 running as a primaryhost to a number of bind-andb-other slaves. i'm trying to set up to use different TSIG keys with different secondaries. in my named.conf, i've ... acl acl_slave_1 { 1.1.1.1; }; acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; }; ... zone test.com { type master; file /master/test.com.hosts; allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!acl_slave_2;}; key key-slave-2; }; }; allow-update { none; }; }; ... key key-slave-1 { algorithm hmac-md5; secret Cf...g==; }; key key-slave-2 { algorithm hmac-md5; secret rl...8==; }; in this conf, IXFR to 1.1.1.1 with TSIG works as expected. but, *NO* IXFR occurs to any slave in acl_slave_2{}. if, however, I change to --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!acl_slave_2;}; key key-slave-2; }; }; +++ allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!2.2.2.2;}; key key-slave-2; }; }; IXFR to 1.1.1.1 2.2.2.2 both occur OK with TSIG. also, with --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!acl_slave_2;}; key key-slave-2; }; }; --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; acl_slave_2; }; IXFR to 1.1.1.1 with TSIG to all slaves in acl_slave_2{}, without TSIG, both occur OK. what's the right syntax for enabling IXFR to the entire TSIG- IP-restricted set of hosts in acl_slave_2{}? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?
Given that you control your key distribution correctly and safely, would the following work? allow-transfer { key key-slave-1; key key-slave-2; }; Only relevant slaves have the various keys, so do you need to have the IPs mentioned here? On 05/12/10 18:10, pgngw+dev001+bind-us...@f-m.fm wrote: i've bind9 running as a primaryhost to a number of bind-andb-other slaves. i'm trying to set up to use different TSIG keys with different secondaries. in my named.conf, i've ... acl acl_slave_1 { 1.1.1.1; }; acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4.4.4.4; 5.5.5.5; }; ... zone test.com { type master; file /master/test.com.hosts; allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!acl_slave_2;}; key key-slave-2; }; }; allow-update { none; }; }; ... key key-slave-1 { algorithm hmac-md5; secret Cf...g==; }; key key-slave-2 { algorithm hmac-md5; secret rl...8==; }; in this conf, IXFR to 1.1.1.1 with TSIG works as expected. but, *NO* IXFR occurs to any slave in acl_slave_2{}. if, however, I change to --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!acl_slave_2;}; key key-slave-2; }; }; +++ allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!2.2.2.2;}; key key-slave-2; }; }; IXFR to 1.1.1.1 2.2.2.2 both occur OK with TSIG. also, with --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; { !{!acl_slave_2;}; key key-slave-2; }; }; --- allow-transfer { { !{!1.1.1.1;}; key key-slave-1; }; acl_slave_2; }; IXFR to 1.1.1.1 with TSIG to all slaves in acl_slave_2{}, without TSIG, both occur OK. what's the right syntax for enabling IXFR to the entire TSIG- IP-restricted set of hosts in acl_slave_2{}? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Best regards Sten Carlsen No improvements come from shouting: MALE BOVINE MANURE!!! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?
hi, On Sun, 05 Dec 2010 19:16 +0100, Sten Carlsen st...@s-carlsen.dk wrote: Given that you control your key distribution correctly and safely, would the following work? allow-transfer { key key-slave-1; key key-slave-2; }; Only relevant slaves have the various keys, so do you need to have the IPs mentioned here? the goal is to have both IP- key- restrictions in place. fwiw, the orig example i found for this was @: https://lists.isc.org/pipermail/bind-users/2009-April/075985.html thanks! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?
what's the right syntax for enabling IXFR to the entire TSIG- IP-restricted set of hosts in acl_slave_2{}? I haven't tested this, but I think it will do what you want: allow-transfer { { !{ !1.1.1.1; any; }; key key1; }; { !{ !2.2.2.2; !3.3.3.3; !4.4.4.4; any; }; key key2; }; }; If you want to use named ACLs, then I think you need to define them backwards, to reject not accept, something like this: # pass through any host except slave1 hosts acl notslave1 { !1.1.1.1; any; }; # pass through any host except slave2 hosts acl notslave2 { !2.2.2.2; !3.3.3.3; !4.4.4.4; any; }; allow-transfer { { !notslave1; key key1; }; { !notslave2; key key2; }; none; }; I wrote an explanation of BIND ACLs on this list a few years back that you may find helpful in explaining the syntactic insanity: http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: correct syntax for TSIG IP restrictions for named-ACL versus just IP?
hi, On Sun, 05 Dec 2010 20:57 +, Evan Hunt e...@isc.org wrote: I haven't tested this, but I think it will do what you want: ... allow-transfer { { !notslave1; key key1; }; { !notslave2; key key2; }; none; }; this !acl format works, but only in the single ACL case. i.e., allow-transfer { { !notslave1; key key1; }; none; }; allow-transfer { { !notslave2; key key2; }; none; }; both work as expected. but, allow-transfer { { !notslave1; key key1; }; { !notslave2; key key2; }; none; }; only enables AXFR to slave1 -- slave2 no longer seems to initiate any transfers, as if it's not getting any notify. still poking around ... I wrote an explanation of BIND ACLs on this list a few years back that you may find helpful in explaining the syntactic insanity: http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html yes, to 'insanity', and yes to 'helpful'. thanks! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Security Advisory Regarding Unexpected ACL Behavior in BIND 9.7.2
Security Advisory Regarding Unexpected ACL Behavior in BIND 9.7.2 Description: There was a flaw where the wrong ACL was applied. This flaw could allow access to a cache via recursion even though the ACL disallowed it. CVE: pending CERT: pending Posting date: 2010-09-28 Program Impacted: BIND Versions affected: 9.7.2 through 9.7.2-P1 Severity: low Exploitable: remotely Impact: Unintended availability of cache data. Workaround: Upgrade to BIND 9.7.2-P2. No other workaround is currently known. Risk Assessment: This bug is primarily a risk to operators running both authoritative and recursive DNS on the same BIND server in the same view. Acknowledgements: Thank you to Alexandre Simon for finding and testing this issue. For more information on BIND 9.7.2-P2, Release notes can be found at: http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html Please address questions or concerns to laris...@isc.org or security-offi...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
ACL for forward zone
Hello all, I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder for a certain internal private IP zone to a certain internal DNS severs. In the meantime I need to use certain ACL so that it would forward the queries and reply to them only from certain IP address clients. So I used the following conifgs in named.conf acl Internal {10.0.1.0/24) zone 10.in-addr.arpa in { type forward; forwarders { 1.2.3.4; 5.6.7.8; }; allow-query { Internal; }; However it appears I can't use 'allow query' option in forward zone as seen in the syslog /etc/named.conf:102: option 'allow-query' is not allowed in 'forward' zone '10.in-addr.arpa' Basically you know what I'm trying to achieve. So if anyone has any tip how can I use forward from the clients only within certain IP address range, that would be great. Prabhat. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ACL for forward zone
Hi Prabhat, I think you don't need this ACL in your forwarder server, define it on the authoritative server (1.2.3.4 and 5.6.7.8, according to your example). Regards, Nuno Paquete No dia 2010/07/12, às 19:27, Prabhat Rana prana9...@yahoo.com escreveu: Hello all, I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder for a certain internal private IP zone to a certain internal DNS severs. In the meantime I need to use certain ACL so that it would forward the queries and reply to them only from certain IP address clients. So I used the following conifgs in named.conf acl Internal {10.0.1.0/24) zone 10.in-addr.arpa in { type forward; forwarders { 1.2.3.4; 5.6.7.8; }; allow-query { Internal; }; However it appears I can't use 'allow query' option in forward zone as seen in the syslog /etc/named.conf:102: option 'allow-query' is not allowed in 'forward' zone '10.in-addr.arpa' Basically you know what I'm trying to achieve. So if anyone has any tip how can I use forward from the clients only within certain IP address range, that would be great. Prabhat. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ACL for forward zone
Hi Nuno, Thanks for the response. However, I don't own the authoritative servers. And the clients that I am serving don't have direct access to the authoritative servers. Prabhat. --- On Mon, 7/12/10, Nuno Paquete nunopaqu...@lusocargo.pt wrote: From: Nuno Paquete nunopaqu...@lusocargo.pt Subject: Re: ACL for forward zone To: Prabhat Rana prana9...@yahoo.com Cc: bind-users@lists.isc.org Date: Monday, July 12, 2010, 4:17 PM Hi Prabhat, I think you don't need this ACL in your forwarder server, define it on the authoritative server (1.2.3.4 and 5.6.7.8, according to your example). Regards, Nuno Paquete No dia 2010/07/12, às 19:27, Prabhat Rana prana9...@yahoo.com escreveu: Hello all, I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder for a certain internal private IP zone to a certain internal DNS severs. In the meantime I need to use certain ACL so that it would forward the queries and reply to them only from certain IP address clients. So I used the following conifgs in named.conf acl Internal {10.0.1.0/24) zone 10.in-addr.arpa in { type forward; forwarders { 1.2.3.4; 5.6.7.8; }; allow-query { Internal; }; However it appears I can't use 'allow query' option in forward zone as seen in the syslog /etc/named.conf:102: option 'allow-query' is not allowed in 'forward' zone '10.in-addr.arpa' Basically you know what I'm trying to achieve. So if anyone has any tip how can I use forward from the clients only within certain IP address range, that would be great. Prabhat. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ACL for forward zone
The syntax for a forward zone is: zone domain_name http://www.bind9.net/doc-v8/docdef.html [ ( in | hs | hesiod | chaos ) ] { type forward; [ forward ( only | first ); ] [ forwarders { [ ip_addr http://www.bind9.net/doc-v8/docdef.html ; [ ip_addr ; ... ] ] }; ] [ check-names ( warn | fail | ignore ); ] }; For the kind of access control you're trying to achieve, use a view. The syntax is as follows. view view_name [class] { match-clients { address_match_list }; match-destinations { address_match_list }; match-recursive-only yes_or_no ; [ view_option; ...] [ zone_statement; ...] }; Do some perusing of the Administrator's Reference Manual (ARM). You might find the information in there quite useful. Regards, Richard Prabhat Rana wrote: Hi Nuno, Thanks for the response. However, I don't own the authoritative servers. And the clients that I am serving don't have direct access to the authoritative servers. Prabhat. --- On Mon, 7/12/10, Nuno Paquete nunopaqu...@lusocargo.pt wrote: From: Nuno Paquete nunopaqu...@lusocargo.pt Subject: Re: ACL for forward zone To: Prabhat Rana prana9...@yahoo.com Cc: bind-users@lists.isc.org Date: Monday, July 12, 2010, 4:17 PM Hi Prabhat, I think you don't need this ACL in your forwarder server, define it on the authoritative server (1.2.3.4 and 5.6.7.8, according to your example). Regards, Nuno Paquete No dia 2010/07/12, às 19:27, Prabhat Rana prana9...@yahoo.com escreveu: Hello all, I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder for a certain internal private IP zone to a certain internal DNS severs. In the meantime I need to use certain ACL so that it would forward the queries and reply to them only from certain IP address clients. So I used the following conifgs in named.conf acl Internal {10.0.1.0/24) zone 10.in-addr.arpa in { type forward; forwarders { 1.2.3.4; 5.6.7.8; }; allow-query { Internal; }; However it appears I can't use 'allow query' option in forward zone as seen in the syslog /etc/named.conf:102: option 'allow-query' is not allowed in 'forward' zone '10.in-addr.arpa' Basically you know what I'm trying to achieve. So if anyone has any tip how can I use forward from the clients only within certain IP address range, that would be great. Prabhat. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users The information transmitted in this email and any of its attachments is intended only for the person or entity to which it is addressed and may contain Cablevision proprietary information, which is privileged, confidential, or subject to copyright belonging to Cablevision. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited and may be unlawful. If you received this in error, please contact the sender immediately and delete and destroy the communication and all of the attachments you have received and all copies thereof. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
any IPv6 ACL for BIND
hi all, is there a built-in ACL that represents any IPv6 connection? I have some experiment with allow-query { aclhere; }; where aclhere represents any IPv6 network, anywhere from the Internet. If there's no built-in, what is the best way to come up with an equivalent? Thanks! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: any IPv6 ACL for BIND
If there's no built-in, what is the best way to come up with an equivalent? I think this will work: acl any6 { ::0/0; }; acl any4 { 0.0.0.0/0; }; -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: check-names vs. acl
In message 20100225123134.gb2...@fantomas.sk, Matus UHLAR - fantomas writes: On 25.02.10 12:01, Matus UHLAR - fantomas wrote: I see that hosts that are not allowed to recurse are often generating check-named errors. check-names it is. I apparently too often use named so I do this king of mistypes. I wonder if it wouldn't be better to check ACL's first and check-names just after it? On 26.02.10 13:08, Mark Andrews wrote: It really depends what's more important for you to see. Whether you got a recursive query that didn't match a acl or a query that failed check-names. Both get REFUSED so the client can't tell the difference. I personally don't care about broken requests from unknown IPs and would like to log them as unauthorized, not invalid requests. My question is if this is acceptable and doable. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Quantum mechanics: The dreams stuff is made of. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
check-named vs. acl
Hello, I see that hosts that are not allowed to recurse are often generating check-named errors. I wonder if it wouldn't be better to check ACL's first and check-names just after it? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 99 percent of lawyers give the rest a bad name. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
check-names vs. acl
On 25.02.10 12:01, Matus UHLAR - fantomas wrote: I see that hosts that are not allowed to recurse are often generating check-named errors. check-names it is. I apparently too often use named so I do this king of mistypes. I wonder if it wouldn't be better to check ACL's first and check-names just after it? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. You have the right to remain silent. Anything you say will be misquoted, then used against you. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: check-names vs. acl
In message 20100225123134.gb2...@fantomas.sk, Matus UHLAR - fantomas writes: On 25.02.10 12:01, Matus UHLAR - fantomas wrote: I see that hosts that are not allowed to recurse are often generating check-named errors. check-names it is. I apparently too often use named so I do this king of mistypes. I wonder if it wouldn't be better to check ACL's first and check-names just after it? It really depends what's more important for you to see. Whether you got a recursive query that didn't match a acl or a query that failed check-names. Both get REFUSED so the client can't tell the difference. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problems with include in acl file
On Sun, Oct 18, 2009 at 03:35:34PM +0100, Chris Thompson wrote: ... As long ago as BIND 9.2, you'll find this in the CHANGES file: 764. [func] Configuration files now allow include directives in more places, such as inside the view statement. [RT #377, #728, #860] Roughly, include can occur instead of a keyword in any list where all list elements are introduced by keywords; e.g. view, options, logging, zone. But not acl because the elements there do not (in general) start with keywords. Yes. I meant to say, wherever statements are legal. I did not note that there are statements that allow other statements inside themselves; only inside such statements are other statements legal. There are specifically documented lists of which are legal within which; I do not remember if those lists are complete - in the light of changes being made, I would not be surprised either way. For the whole truth, you need to look at lib/isccfg/namedconf.c and lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody in the latter gets called :-( As I've said before, only the code never lies. But it may take some exegesis. -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problems with include in acl file
On 19.10.09 09:49, Mark Andrews wrote: acl's can include other acls. I'm having a hard time seeing why you need to include a file here. include custom.acl; // defines acl customacl acl hdanets { 92.168.1.0/24; // hda network customacl; }; otoh, it could ease configuration of multiple files if only plain IP/CIRD list could be loaded within an ACL statement... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Support bacteria - they're the only culture some people have. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problems with include in acl file
On Oct 18 2009, Joseph S D Yao wrote: On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote: I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing ';' before '' ... Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf, it seems to me that include is a statement, and needs to be parsed outside of any other statements, not inside a statement. That's what it *says* ... but it is being economical with the truth! Inside the acl statement the parser would expect to see IP addresses, networks in the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword key, and the names of other ACLs. When it encounters the word include in this context, it parses it as the name of an ACL - after which, the '' is out of place. As long ago as BIND 9.2, you'll find this in the CHANGES file: 764. [func] Configuration files now allow include directives in more places, such as inside the view statement. [RT #377, #728, #860] Roughly, include can occur instead of a keyword in any list where all list elements are introduced by keywords; e.g. view, options, logging, zone. But not acl because the elements there do not (in general) start with keywords. For the whole truth, you need to look at lib/isccfg/namedconf.c and lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody in the latter gets called :-( -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problems with include in acl file
Chris Thompson wrote: On Oct 18 2009, Joseph S D Yao wrote: On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote: I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing ';' before '' ... Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf, it seems to me that include is a statement, and needs to be parsed outside of any other statements, not inside a statement. That's what it *says* ... but it is being economical with the truth! Inside the acl statement the parser would expect to see IP addresses, networks in the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword key, and the names of other ACLs. When it encounters the word include in this context, it parses it as the name of an ACL - after which, the '' is out of place. As long ago as BIND 9.2, you'll find this in the CHANGES file: 764. [func] Configuration files now allow include directives in more places, such as inside the view statement. [RT #377, #728, #860] Roughly, include can occur instead of a keyword in any list where all list elements are introduced by keywords; e.g. view, options, logging, zone. But not acl because the elements there do not (in general) start with keywords. Oh, fiddlesticks ;)' This complicates matters. It would have made it very easy to bootstrap into this process if this was supported. For the whole truth, you need to look at lib/isccfg/namedconf.c and lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody in the latter gets called :-( I am not much into reading c code. I never really programmed in c. Did do some programming in b So reading someone elses script and recommending changes has been challenging enough! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problems with include in acl file
In message 4adb44a5.2060...@htt-consult.com, Robert Moskowitz writes: Chris Thompson wrote: On Oct 18 2009, Joseph S D Yao wrote: On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote: I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing ';' before '' ... Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf, it seems to me that include is a statement, and needs to be parsed outside of any other statements, not inside a statement. That's what it *says* ... but it is being economical with the truth! Inside the acl statement the parser would expect to see IP addresses, networks in the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword key, and the names of other ACLs. When it encounters the word include in this context, it parses it as the name of an ACL - after which, the '' is out of place. As long ago as BIND 9.2, you'll find this in the CHANGES file: 764. [func] Configuration files now allow include directives in more places, such as inside the view statement. [RT #377, #728, #860] Roughly, include can occur instead of a keyword in any list where all list elements are introduced by keywords; e.g. view, options, logging, zone. But not acl because the elements there do not (in general) start with keywords. Oh, fiddlesticks ;)' This complicates matters. It would have made it very easy to bootstrap into this process if this was supported. acl's can include other acls. I'm having a hard time seeing why you need to include a file here. include custom.acl; // defines acl customacl acl hdanets { 92.168.1.0/24; // hda network customacl; }; For the whole truth, you need to look at lib/isccfg/namedconf.c and lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody in the latter gets called :-( I am not much into reading c code. I never really programmed in c. Did do some programming in b So reading someone elses script and recommending changes has been challenging enough! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problems with include in acl file
Mark Andrews wrote: In message 4adb44a5.2060...@htt-consult.com, Robert Moskowitz writes: Chris Thompson wrote: On Oct 18 2009, Joseph S D Yao wrote: On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote: I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing ';' before '' ... Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf, it seems to me that include is a statement, and needs to be parsed outside of any other statements, not inside a statement. That's what it *says* ... but it is being economical with the truth! Inside the acl statement the parser would expect to see IP addresses, networks in the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword key, and the names of other ACLs. When it encounters the word include in this context, it parses it as the name of an ACL - after which, the '' is out of place. As long ago as BIND 9.2, you'll find this in the CHANGES file: 764. [func] Configuration files now allow include directives in more places, such as inside the view statement. [RT #377, #728, #860] Roughly, include can occur instead of a keyword in any list where all list elements are introduced by keywords; e.g. view, options, logging, zone. But not acl because the elements there do not (in general) start with keywords. Oh, fiddlesticks ;)' This complicates matters. It would have made it very easy to bootstrap into this process if this was supported. acl's can include other acls. I'm having a hard time seeing why you need to include a file here. include custom.acl; // defines acl customacl acl hdanets { 92.168.1.0/24; // hda network customacl; }; Neat. Though I solved the problem by having 2 includes in named.conf, for named.acl and custom.acl. Then in the view, I listed two variables: hdanets; customnets So is the case of six of one, half-a-dozen of the other? That is they are equal solutions to this situation? As for why I am doing this, hdanets.acl is built by the system's script that I have no control over. It will contain what the script has on my internal networks. It only supports one network. But some users of this system (like me) have a number of internal networks that we want to be able to access this system, so custom.acl is outside of the controlling script and can be maintained by an informed installer, like me. There is also a custom-zone.conf and custom-n2a.zone and custom-a2n.zone... As we improve the system, there will be less need for these, but I believe they will always be needed. Oh, the system this is for is AMAHI.ORG. For the whole truth, you need to look at lib/isccfg/namedconf.c and lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody in the latter gets called :-( I am not much into reading c code. I never really programmed in c. Did do some programming in b So reading someone elses script and recommending changes has been challenging enough! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Problems with include in acl file
I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing ';' before '' [FAILED] The file custom.acl exists and it contains: 192.168.2.0/24; Perhaps includes are not allowed in .acl files? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problems with include in acl file
On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote: I am trying to build up an environment where the user can maintain custom files and leave the basic files alone. So I have a named.acl that works, I add an include line: acl hdanets { 192.168.1.0/24; // hda network include custom.acl; }; and get the error: Starting named: Error in named configuration: named.acl:3: missing ';' before '' ... Glancing through the 9.6 ARM https://www.isc.org/files/Bv9.6ARM.pdf, it seems to me that include is a statement, and needs to be parsed outside of any other statements, not inside a statement. Inside the acl statement the parser would expect to see IP addresses, networks in the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword key, and the names of other ACLs. When it encounters the word include in this context, it parses it as the name of an ACL - after which, the '' is out of place. It seems to me. [Hmmm ... one can include {lists; in; braces;}; inside ACL lists - I'm not sure how this is useful here.] Another way of saying this - unlike in the C language, where #include is part of a meta-language pre-processor run before the actual language processor, in the configuration file, include is a part of the actual language being parsed, and so must appear only where it's expected, and not at any random position. I hope that this helps. -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
ACL ?
Greetings: Trying to implement acl in my named.conf... for Bind 9.2.2 acl eagle { 192.168.1.0/24; localhost; }; But when I issued an reload, I got: Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] /etc/named.conf:2: unknown option 'acl' Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading configuration failed: failure Help? Thanks. -- Best Regards, John D. Vo Eagle Teleconferencing Services, Inc. Network-System Administrator j...@eagle.net Office: (212) 200-2000 Ext. 105 Cell: (212) 200-3016 --- ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ACL ?
Worked like a charm. Thanks. -John Alan Clegg wrote: John D. Vo wrote: Greetings: Trying to implement acl in my named.conf... for Bind 9.2.2 acl eagle { 192.168.1.0/24; localhost; }; But when I issued an reload, I got: Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] /etc/named.conf:2: unknown option 'acl' Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading configuration failed: failure Move the ACL out of the options { } stanza. AlanC -- Best Regards, John D. Vo Eagle Teleconferencing Services, Inc. Network-System Administrator j...@eagle.net Office: (212) 200-2000 Ext. 105 Cell: (212) 200-3016 --- ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ACL ?
In message 49c79d6b.7060...@eagle.net, John D. Vo writes: Greetings: Trying to implement acl in my named.conf... for Bind 9.2.2 acl eagle { 192.168.1.0/24; localhost; }; But when I issued an reload, I got: Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] /etc/named.conf:2: unknown option 'acl' Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading configuration failed: failure You have the acl in the wrong place in named.conf. It should be like: acl { }; options { }; not options { acl { ... }; ... }; Mark Help? Thanks. -- Best Regards, John D. Vo Eagle Teleconferencing Services, Inc. Network-System Administrator j...@eagle.net Office: (212) 200-2000 Ext. 105 Cell: (212) 200-3016 --- ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ACL ?
On Mar 23 2009, John D. Vo wrote: Trying to implement acl in my named.conf... for Bind 9.2.2 acl eagle { 192.168.1.0/24; localhost; }; But when I issued an reload, I got: Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] /etc/named.conf:2: unknown option 'acl' Mar 23 08:55:39 ns1 named[13578]: [ID 866145 daemon.error] reloading configuration failed: failure Well, you ought to have let us see what was in line 1 of /etc/named.conf, but I guess you have put your ACL definition inside the options statement. It should be a separate statement. A couple of points: 1. You can (and should) test a new named.conf for syntax errors in advance by using the named-checkconf program. 2. BIND 9.2.2 is very very old. The whole of the 9.2.x series is EOL (and that was after 9.2.9). It's long past time that you upgraded. -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: nsupdate ACL based on a key AND ip-subnet
On Fri, 2008-11-14 at 17:35 -0800, Chris Buxton wrote: Use a firewall (with deep packet inspection) to restrict by subnet. Then use the TSIG key in the allow-update statement. Unfortunately, to my knowledge, that's the only way to do this. Wouldn't using a BIND view to restrict by subnet work instead of a firewall? /Niall ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users