Problem with ACL in named.conf

GS Bryan chifuyu at anime.my
Thu Aug 30 01:25:00 UTC 2012


I tried to use the acl statement in my named.conf file, but I have a
hard time making it work. In my named.conf file, I've put these acl
statements in these formats (made up IP addresses mind you):-

----------
// Individual ACL list

acl addr1 {
	11.22.33.44;
	12.23.34.45;
};

acl addr2 {
	22.33.44.55;
	5.4.3.2;
	99.0.0.0;
};

acl addr3 {
	111.3.4.5;
	2001:3000::1;
	122.3.4.5;
	2001:3000::2;
};


// Nested ACLs list

acl alladdr {
	addr1;
	addr2;
	addr3;
};

------------

Then when I put the 'alladdr' thing in my 'allow-transfer' and
'also-notify' arguments, as shown below, BIND will fail to start:-

-----------

zone "example.net" {
        type master;
        file "examplenet.conf";
        allow-transfer { "alladdr"; };
        also-notify { "alladdr"; };
        key-directory "keys/examplenet/";
        inline-signing yes;
        auto-dnssec maintain;
};

-------

Here is the log:-

------
----------------------------------------------------
BIND 9 is maintained by Internet Systems Consortium,
Inc. (ISC), a non-profit 501(c)(3) public-benefit
corporation.  Support and training for BIND 9 are
available at https://www.isc.org/support
----------------------------------------------------
adjusted limit on open files from 1024 to 1048576
found 1 CPU, using 1 worker thread
using 1 UDP listener per interface
using up to 4096 sockets
loading configuration from '/etc/named.conf'
reading built-in trusted keys from file '/etc/named.iscdlv.key'
using default UDP/IPv4 port range: [1024, 65535]
using default UDP/IPv6 port range: [1024, 65535]
listening on IPv4 interface lo, 127.0.0.1#53
listening on IPv4 interface venet0:0, <redacted>#53
listening on IPv6 interface lo, ::1#53
listening on IPv6 interface venet0, <redacted>#53
generating session key for dynamic DNS
sizing zone task pool based on 10 zones
/etc/named.conf:111: masters "alladdr" not found
loading configuration: not found
exiting (due to fatal error)
-----

From examples I read from the Internet, I don't think I have done
anything wrong. If I put all the IP addresses from addr1, addr2 and
addr3 into the allow-transfer and also-notify statements, BIND will
start normally without problems.

Thanks for reading.
--
Bryan S.G.
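As an added illustration (not part of the post above and not from any reply), the same made-up addresses expressed in the two list types BIND distinguishes: an acl is an address match list and is valid in allow-transfer, whereas also-notify needs concrete hosts to send NOTIFY to and takes either addresses or, in BIND 9.9 and later, the name of a masters list, which is the lookup the log line 'masters "alladdr" not found' reports. It assumes the addr1, addr2 and addr3 acls from the post are defined above this fragment; the masters-list name notify-targets is an assumption.

```conf
// Added example, not from the original post.

// 1. An acl is an address match list: it may hold prefixes, nested acl
//    names and keys, and it is what allow-transfer expects. The nested
//    acls addr1..addr3 are assumed to be defined earlier, as in the post.
acl alladdr {
        addr1;
        addr2;
        addr3;
};

// 2. also-notify delivers NOTIFY to specific hosts, so it takes a masters
//    list (single addresses, optional port and key), not an acl. The
//    name "notify-targets" is an assumption; the addresses are the
//    made-up ones from the post.
masters notify-targets {
        11.22.33.44;
        12.23.34.45;
        22.33.44.55;
        5.4.3.2;
        99.0.0.0;
        111.3.4.5;
        2001:3000::1;
        122.3.4.5;
        2001:3000::2;
};

zone "example.net" {
        type master;
        file "examplenet.conf";
        allow-transfer { alladdr; };        // acl reference: who may AXFR/IXFR
        also-notify { notify-targets; };    // masters-list reference: who gets NOTIFY
        key-directory "keys/examplenet/";
        inline-signing yes;
        auto-dnssec maintain;
};
```

Running named-checkconf against the file reports a missing acl or masters list at parse time, so the mismatch can be caught before restarting named.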


