Re: 9.7.0a2 - deny-answer-addresses
At Tue, 25 Aug 2009 22:08:11 +0200,
clemens fischer ino-n...@spotteswoode.dnsalias.org wrote:

>> How about the patch copied below?  With this it would fail like this:
>>
>> 24-Aug-2009 16:46:41.334 /Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
>> 24-Aug-2009 16:46:41.334 loading configuration: already exists
>> 24-Aug-2009 16:46:41.334 exiting (due to fatal error)
>> [1]    6321 exit 1     ./named -c named.conf -g
>
> The text itself would have been right on my nose.  I'm not sure about
> the fatal error, though.  If I only get to see a warning when using
> rndc reload on a running named(8), this solution is perfect.

If you mean when you incorrectly edit named.conf with a duplicate name
for deny-answer-* and do rndc reload, then named will just reject the new
configuration file with the warning and keep running, it will behave
that way (it's not different from other fatal configuration errors).

This change will appear in 9.7.0a3.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: 9.7.0a2 - deny-answer-addresses
At Fri, 21 Aug 2009 10:42:31 -0500 (CDT),
Jeremy C. Reed jr...@isc.org wrote:

>> deny-answer-addresses { 127/8; 192.168/16; 10/8; 172.16/12; }
>> except-from {
>>   zen.spamhaus.org;
>>   dnsbl-1.uceprotect.net;
>>   dnsbl-1.uceprotect.net;
>
> This is repeated, resulting in "already exists" (via the RBT code).
> Maybe we can improve the configuration failure logging for this.

How about the patch copied below?  With this it would fail like this:

24-Aug-2009 16:46:41.334 /Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
24-Aug-2009 16:46:41.334 loading configuration: already exists
24-Aug-2009 16:46:41.334 exiting (due to fatal error)
[1]    6321 exit 1     ./named -c named.conf -g

---
JINMEI, Tatuya

Index: server.c
===
RCS file: /proj/cvs/prod/bind9/bin/named/server.c,v
retrieving revision 1.540
diff -u -r1.540 server.c
--- server.c	5 Aug 2009 17:35:33 -	1.540
+++ server.c	24 Aug 2009 23:47:35 -
@@ -431,7 +431,14 @@
 	 * for baz.example.com, which is not the expected result.
 	 * We simply use (void *)1 as the dummy data.
 	 */
-	CHECK(dns_rbt_addname(*rbtp, name, (void *)1));
+	result = dns_rbt_addname(*rbtp, name, (void *)1);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
+			    failed to add %s for %s: %s,
+			    str, confname, isc_result_totext(result));
+		goto cleanup;
+	}
+	}
 	return (result);
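Review bot: the format string on the fourth `+` line of the hunk, `failed to add %s for %s: %s,`, appears without surrounding double quotes, so as reproduced here it would not compile; confirm the committed version passes the string literal `"failed to add %s for %s: %s"` to cfg_obj_log. The new error path is otherwise an improvement, since cfg_obj_log with nameobj gives the operator the named.conf file and line (named.conf:22 in the sample run) rather than the bare "already exists" that started this thread. One refinement to consider: when result is the duplicate-name case, the message could say that the name is listed twice in the except-from list instead of echoing the generic result text, because "already exists" was exactly the wording the reporter could not interpret.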
Re: 9.7.0a2 - deny-answer-addresses
On Fri, 21 Aug 2009, clemens fischer wrote:

> BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2' '--with-openssl=yes'
> '--disable-linux-caps' '--sysconfdir=/usr/local/etc' '--localstatedir=/var'
> 'CFLAGS=-O'

Thank you very much for testing the alpha release.

> deny-answer-addresses { 127/8; 192.168/16; 10/8; 172.16/12; }
> except-from {
>   zen.spamhaus.org;
>   dnsbl-1.uceprotect.net;
>   dnsbl-1.uceprotect.net;

This is repeated, resulting in "already exists" (via the RBT code).
Maybe we can improve the configuration failure logging for this.

>   ix.dnsbl.manitu.net;
> };
>
> I get:
>
> received SIGHUP signal to reload zones
> loading configuration from '/usr/local/etc/named.conf'
> ...
> reloading configuration failed: already exists
>
> Putting a suitably modified version of deny-answer-addresses into a
> forwarder zone returns:
>
> Not supported in a type forward zone.
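A pre-reload check for the mistake diagnosed above, added here as an example that is not part of the thread or of BIND: it scans a named.conf fragment for names listed more than once inside an except-from block and reports the offending line numbers, which is the duplicate the RBT rejects with "already exists". The sample configuration is constructed from the fragment quoted in the thread, and treating names case-insensitively and without regard to a trailing dot is an assumption about how the RBT compares DNS names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the named.conf fragment quoted in this
# thread; the second dnsbl-1.uceprotect.net is the duplicate that made
# named fail with "already exists".
SAMPLE_NAMED_CONF = """\
options {
    deny-answer-addresses { 127/8; 192.168/16; 10/8; 172.16/12; }
    except-from {
        zen.spamhaus.org;
        dnsbl-1.uceprotect.net;
        dnsbl-1.uceprotect.net;   // duplicate
        ix.dnsbl.manitu.net;
    };
};
"""

def _strip_comments(text):
    # named.conf allows C, C++ and shell-style comments.  Blank them out
    # with spaces instead of deleting them so line numbers stay correct.
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    text = re.sub(r"/\*.*?\*/", blank, text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", blank, text)

def _canonical(name):
    # Assumption: the RBT treats DNS names case-insensitively and ignores a
    # trailing dot, so two spellings of one name still count as a duplicate.
    return name.lower().rstrip(".") or "."

def find_duplicate_except_from(text):
    """Map each name listed more than once in an except-from block to the
    line numbers on which it appears."""
    text = _strip_comments(text)
    seen = defaultdict(list)
    for block in re.finditer(r"except-from\s*\{([^}]*)\}", text):
        first_line = text.count("\n", 0, block.start(1)) + 1
        body = block.group(1)
        for entry in re.finditer(r"([^;\s]+)\s*;", body):
            line = first_line + body.count("\n", 0, entry.start(1))
            seen[_canonical(entry.group(1))].append(line)
    return {n: lines for n, lines in seen.items() if len(lines) > 1}

def report(text):
    """One message per duplicated name, naming the lines involved."""
    return ["except-from: %s listed on lines %s" % (n, ", ".join(map(str, lines)))
            for n, lines in sorted(find_duplicate_except_from(text).items())]
```

Running `report(SAMPLE_NAMED_CONF)` yields one message pointing at lines 5 and 6, which is the check to run before `rndc reload` so that named never sees the duplicate.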
Re: 9.7.0a2 - deny-answer-addresses
Jeremy C. Reed wrote:

> Thank you very much for testing the alpha release.

My pleasure!  I had a workaround resulting in dns-rebind protection in
my pdnsd[1] resolver, but pdnsd doesn't support dnssec and a few other
features.

[1] http://www.phys.uu.nl/~rombouts/pdnsd.html

>> deny-answer-addresses { 127/8; 192.168/16; 10/8; 172.16/12; }
>> except-from {
>>   zen.spamhaus.org;
>>   dnsbl-1.uceprotect.net;
>>   dnsbl-1.uceprotect.net;
>
> This is repeated, resulting in "already exists" (via the RBT code).
> Maybe we can improve the configuration failure logging for this.

Now do I believe that!  I must have read these lines dozens of times but
missed the obvious duplication!

>> Not supported in a type forward zone.

deny-answer-addresses might be helpful in forwarding and maybe even
server zones.

clemens