hint zone conflicts with allow-query statement !

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 26 23:10:17 UTC 2006


Bill Larson wrote:

>On Jan 26, 2006, at 2:40 PM, Mark Andrews wrote:
>
>  
>
>>>Hi, I'm in trouble with a bind9.2.4 server running on Debian Sarge server:
>>>
>>>
>>>acl "acl_cache_clients" { 127.0.0.0/8; localnet; };
>>>
>>>zone "." {
>>>        type hint;
>>>        file "/etc/bind/db.root";
>>>        allow-query { "acl_cache_clients"; };
>>>};
>>>
>>>and there is my logs :
>>>Jan 26 10:28:06 titou named[12721]: starting BIND 9.2.4 -u bind
>>>Jan 26 10:28:06 titou named[12721]: using 2 CPUs
>>>Jan 26 10:28:06 titou named[12721]: loading configuration from '/etc/bind/named.conf'
>>>Jan 26 10:28:06 titou named[12721]: /etc/bind/named.conf:19: option 'allow-query' is not allowed in 'hint' zone '.'
>>>Jan 26 10:28:06 titou named[12721]: loading configuration: failure
>>>Jan 26 10:28:06 titou named[12721]: exiting (due to fatal error)
>>>
>>>
>>>I have another bind9 running on another Debian Sarge server, and it works
>>>well with same config for the hint zone !!!
>>>So what could go wrong with my config ???
>>>      
>>>
>>	Exactly what named said was wrong.  Hint "zones" don't accept
>>	allow-query.  Allow-query doesn't make logical sense for a
>>	hint zone.
>>    
>>
>
>The BIND ARM says: "allow-query may also be specified in the zone 
>statement, in which case it overrides the options allow-query 
>statement."  A "hint" zone is still a zone.  It would appear that 
>having an "allow-query" in a "hint" zone specification would be legal.  
>(This is not to say that having an "allow-query" in a hint zone would 
>make any sense though.)
>
>What you are saying is that a "hint" zone specification does not follow 
>the same specification as a normal zone.  Is this correct?
>  
>
Syntactically, hints are defined as a "zone", but semantically, they're 
just a collection of names and associated addresses which are used at 
startup. It makes no sense to put an allow-query on the hints "zone", 
since only the resolver itself, not any clients, ever see the contents 
of that "zone"...

I've often thought that BIND should allow the hints to be specified 
directly in named.conf as just a list of addresses. This might go a long 
way towards eliminating the "zone" confusion.

- Kevin
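As an added example (not from the thread or from the BIND project), this is how the configuration quoted above can be rearranged so the client restriction lives where named enforces it: `allow-query` and `allow-recursion` go into `options`, and the hint zone carries only its type and file. The `localnet` ACL body and the `directory` path are assumed values for illustration.

```conf
// Who is allowed to use this server as a caching resolver.
// "localnet" is a constructed example range; substitute the real one.
acl "localnet" { 192.168.0.0/16; };
acl "acl_cache_clients" { 127.0.0.0/8; "localnet"; };

options {
    directory "/var/cache/bind";   // assumed Debian default

    // Client-facing access control belongs here, not on the hint zone:
    // only the resolver itself ever reads the root hints, so named
    // rejects allow-query inside a 'type hint' zone.
    allow-query     { "acl_cache_clients"; };
    allow-recursion { "acl_cache_clients"; };
};

// Root hints: just the list of root server names and addresses
// loaded at startup. No allow-query here.
zone "." {
    type hint;
    file "/etc/bind/db.root";
};
```

Run `named-checkconf /etc/bind/named.conf` before reloading; it reports the same "not allowed in 'hint' zone" error without restarting the daemon.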