Re: 9.7.0a2 - deny-answer-addresses

2009-08-26 Thread JINMEI Tatuya / 神明達哉
At Tue, 25 Aug 2009 22:08:11 +0200,
clemens fischer ino-n...@spotteswoode.dnsalias.org wrote:

> > How about the patch copied below?  With this it would fail like this:
> >
> > 24-Aug-2009 16:46:41.334
> > /Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to
> > add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
> > 24-Aug-2009 16:46:41.334 loading configuration: already exists
> > 24-Aug-2009 16:46:41.334 exiting (due to fatal error)
> > [1]6321 exit 1 ./named -c named.conf -g
>
> The text itself would have been right on my nose.  I'm not sure about
> the fatal error, though.  If I only get to see a warning when using
> rndc reload on a running named(8), this solution is perfect.

If you mean when you incorrectly edit named.conf with a duplicate name
for deny-answer-* and do rndc reload then named will just reject the
new configuration file with the warning and keep running, it will
behave that way (it's not different from other fatal configuration
errors).

This change will appear in 9.7.0a3.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
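The failure in this thread is a plain duplicate in the except-from list, which named only reports when the configuration is loaded. Below is a pre-flight check for exactly that, added here as an example (not code from BIND or from anyone in the thread; the configuration fragment is constructed after the one posted): it walks the except-from block of a deny-answer-addresses statement and reports every name listed more than once, with the line numbers of all entries. DNS names compare case-insensitively and a trailing dot denotes the same absolute name, so the check folds both before comparing.

```python
import re
from collections import defaultdict

# Constructed named.conf fragment modelled on the one posted in the thread.
SAMPLE_CONF = """\
options {
    deny-answer-addresses {
        127/8; 192.168/16; 10/8; 172.16/12;
    } except-from {
        zen.spamhaus.org;
        dnsbl-1.uceprotect.net;
        dnsbl-1.uceprotect.net;
        ix.dnsbl.manitu.net;
    };
};
"""

def except_from_names(conf):
    """Yield (line_number, name) for each entry inside an except-from block."""
    in_block = False
    for lineno, line in enumerate(conf.splitlines(), start=1):
        text = re.split(r"//|#", line)[0]      # drop trailing // or # comments
        if not in_block:
            m = re.search(r"\bexcept-from\s*\{", text)
            if not m:
                continue
            in_block = True
            text = text[m.end():]               # names may follow on the same line
        end = text.find("}")
        if end != -1:                           # closing brace ends the block
            in_block = False
            text = text[:end]
        for name in re.findall(r"([A-Za-z0-9._-]+)\s*;", text):
            yield lineno, name

def normalize(name):
    """Fold case and a trailing dot, the way the name tree treats equal names."""
    return name.lower().rstrip(".")

def find_duplicates(conf):
    """Return {normalized name: [line numbers]} for names listed more than once."""
    seen = defaultdict(list)
    for lineno, name in except_from_names(conf):
        seen[normalize(name)].append(lineno)
    return {n: lines for n, lines in seen.items() if len(lines) > 1}

if __name__ == "__main__":
    for name, lines in find_duplicates(SAMPLE_CONF).items():
        print(f"duplicate except-from name {name} on lines {lines}")
```

Run it against named.conf before `rndc reload`; an empty result means the duplicate-name failure discussed here cannot occur.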


Re: 9.7.0a2 - deny-answer-addresses

2009-08-24 Thread JINMEI Tatuya / 神明達哉
At Fri, 21 Aug 2009 10:42:31 -0500 (CDT),
Jeremy C. Reed jr...@isc.org wrote:

> > deny-answer-addresses {
> > 127/8; 192.168/16; 10/8; 172.16/12;
> > } except-from {
> > zen.spamhaus.org;
> > dnsbl-1.uceprotect.net;
> > dnsbl-1.uceprotect.net;
>
> This is repeated, resulting in already exists (via the RBT code).
>
> Maybe we can improve the configuration failure logging for this.

How about the patch copied below?  With this it would fail like this:

24-Aug-2009 16:46:41.334 
/Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to add 
dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
24-Aug-2009 16:46:41.334 loading configuration: already exists
24-Aug-2009 16:46:41.334 exiting (due to fatal error)
[1]6321 exit 1 ./named -c named.conf -g

---
JINMEI, Tatuya

Index: server.c
===
RCS file: /proj/cvs/prod/bind9/bin/named/server.c,v
retrieving revision 1.540
diff -u -r1.540 server.c
--- server.c5 Aug 2009 17:35:33 -   1.540
+++ server.c24 Aug 2009 23:47:35 -
@@ -431,7 +431,14 @@
 * for baz.example.com, which is not the expected result.
 * We simply use (void *)1 as the dummy data.
 */
-   CHECK(dns_rbt_addname(*rbtp, name, (void *)1));
+   result = dns_rbt_addname(*rbtp, name, (void *)1);
+   if (result != ISC_R_SUCCESS) {
+   cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
+   failed to add %s for %s: %s,
+   str, confname, isc_result_totext(result));
+   goto cleanup;
+   }
+   
}
 
return (result);
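Review bot: a repeated name only re-adds the same exception entry, so consider treating ISC_R_EXISTS from dns_rbt_addname as a warning (log it through cfg_obj_log at warning level and continue with the next name) instead of falling into `goto cleanup`, which makes the whole configuration load fail on a harmless duplicate; any other result code should still go to cleanup. The new message is still the right direction, because `cfg_obj_log(nameobj, ...)` pins it to the file and line of the offending entry where the old CHECK() only surfaced a bare "already exists". Two smaller points: the format string on the cfg_obj_log line appears without its quotes in this copy, so make sure the committed patch carries the literal `"failed to add %s for %s: %s"`; and the final added line consists of whitespace only and can be dropped.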


Re: 9.7.0a2 - deny-answer-addresses

2009-08-21 Thread Jeremy C. Reed
On Fri, 21 Aug 2009, clemens fischer wrote:

> BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2'
> '--with-openssl=yes' '--disable-linux-caps'
> '--sysconfdir=/usr/local/etc' '--localstatedir=/var' 'CFLAGS=-O'

Thank you very much for testing the alpha release.

>   deny-answer-addresses {
>   127/8; 192.168/16; 10/8; 172.16/12;
>   } except-from {
>   zen.spamhaus.org;
>   dnsbl-1.uceprotect.net;
>   dnsbl-1.uceprotect.net;

This is repeated, resulting in already exists (via the RBT code).

Maybe we can improve the configuration failure logging for this.

>   ix.dnsbl.manitu.net;
>   };
>
> I get:
>
>   received SIGHUP signal to reload zones
>   loading configuration from '/usr/local/etc/named.conf'
>   ...
>   reloading configuration failed: already exists
>
> Putting a suitably modified version of deny-answer-addresses into
> a forwarder zone returns:

Not supported in a type forward zone.



Re: 9.7.0a2 - deny-answer-addresses

2009-08-21 Thread clemens fischer
Jeremy C. Reed wrote:

> Thank you very much for testing the alpha release.

My pleasure!  I had a workaround resulting in dns-rebind protection in
my pdnsd[1] resolver, but pdnsd doesn't support dnssec and a few other
features.

[1] http://www.phys.uu.nl/~rombouts/pdnsd.html

> >   deny-answer-addresses {
> >   127/8; 192.168/16; 10/8; 172.16/12;
> >   } except-from {
> >   zen.spamhaus.org;
> >   dnsbl-1.uceprotect.net;
> >   dnsbl-1.uceprotect.net;
>
> This is repeated, resulting in already exists (via the RBT code).
>
> Maybe we can improve the configuration failure logging for this.

Now do I believe that!  I must have read these lines dozens of times but
missed the obvious duplication!

> Not supported in a type forward zone.

deny-answer-addresses might be helpful in forwarding and maybe even
server zones.


clemens
