Problem with ACL in named.conf
Mark Andrews
marka at isc.org
Thu Aug 30 02:02:42 UTC 2012
In message <CAOJ-cLgi-Z1DyEnKq1PbK4+jzGG3ew8ZHfv10B751sEbb9V-=Q at mail.gmail.com>, GS Bryan writes:
> I tried to use the acl statement in my named.conf file, but I have a
> hard time making it work. In my named.conf file, I've put these acl
> statements in these formats (made up IP addresses mind you):-
>
> ----------
> // Individual ACL list
>
> acl addr1 {
> 11.22.33.44;
> 12.23.34.45;
> };
>
> acl addr2 {
> 22.33.44.55;
> 5.4.3.2;
> 99.0.0.0;
> };
>
> acl addr3 {
> 111.3.4.5;
> 2001:3000::1;
> 122.3.4.5;
> 2001:3000::2;
> };
>
>
> // Nested ACLs list
>
> acl alladdr {
> addr1;
> addr2;
> addr3;
> };
>
> ------------
>
> Then when I put the 'alladdr' thing in my 'allow-transfer' and
> 'also-notify' arguments, as shown below, BIND will fail to start:-
also-notify does not take an ACL (it is not an access control).
It will take a named "masters" list.
> -----------
>
> zone "example.net" {
> type master;
> file "examplenet.conf";
> allow-transfer { "alladdr"; };
> also-notify { "alladdr"; };
> key-directory "keys/examplenet/";
> inline-signing yes;
> auto-dnssec maintain;
> };
>
> -------
>
> Here is the log:-
>
> ------
> ----------------------------------------------------
> BIND 9 is maintained by Internet Systems Consortium,
> Inc. (ISC), a non-profit 501(c)(3) public-benefit
> corporation. Support and training for BIND 9 are
> available at https://www.isc.org/support
> ----------------------------------------------------
> adjusted limit on open files from 1024 to 1048576
> found 1 CPU, using 1 worker thread
> using 1 UDP listener per interface
> using up to 4096 sockets
> loading configuration from '/etc/named.conf'
> reading built-in trusted keys from file '/etc/named.iscdlv.key'
> using default UDP/IPv4 port range: [1024, 65535]
> using default UDP/IPv6 port range: [1024, 65535]
> listening on IPv4 interface lo, 127.0.0.1#53
> listening on IPv4 interface venet0:0, <redacted>#53
> listening on IPv6 interface lo, ::1#53
> listening on IPv6 interface venet0, <redacted>#53
> generating session key for dynamic DNS
> sizing zone task pool based on 10 zones
> /etc/named.conf:111: masters "alladdr" not found
> loading configuration: not found
> exiting (due to fatal error)
> -----
>
> From examples I read from the Internet, I don't think I have done
> anything wrong. If I put all the IP addresses from addr1, addr2 and
> addr3 into the allow-transfer and also-notify statements, BIND will
> start normally without problems.
A plain address in an acl is shorthand for address/32 or address/128
depending upon the address type. While they are visually similar
the two lists are functionally very different.
The acl addr3 you have above is shorthand for:
acl addr3 {
111.3.4.5/32;
2001:3000::1/128;
122.3.4.5/32;
2001:3000::2/128;
};
You could define masters lists and use those.
e.g.
masters addr3 {
111.3.4.5;
2001:3000::1;
122.3.4.5;
2001:3000::2;
};
You can even tell named to use specific keys and ports when talking
to the server.
masters addr3 {
111.3.4.5 port 333 key xxxx;
2001:3000::1;
122.3.4.5;
2001:3000::2;
};
Mark
> Thanks for reading.
> --
> Bryan S.G.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
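Added example, not code from the thread or from ISC: a small Python checker for exactly the mix-up discussed above. It parses only the simple top-level acl and masters blocks plus the allow-transfer and also-notify lists inside zone blocks (no include files, no negated "!" entries, no built-in acl expansion), expands bare acl addresses to the /32 and /128 networks BIND treats them as, and flags an also-notify that names an acl instead of a masters list. The configuration text, the zone "example.org" and the masters list name "xfer-targets" are constructed for the example.

```python
"""Check a named.conf fragment for acl names used where a masters list is required.

Assumed, simplified parser: handles top-level ``acl`` and ``masters`` blocks and
the ``allow-transfer`` / ``also-notify`` lists inside ``zone`` blocks only.
"""
import ipaddress
import re

# Constructed sample: the poster's layout, with also-notify wrongly pointing at an acl.
SAMPLE_CONF = """
// Individual ACL lists
acl addr1 { 11.22.33.44; 12.23.34.45; };
acl addr3 { 111.3.4.5; 2001:3000::1; 122.3.4.5; 2001:3000::2; };
// Nested ACL list
acl alladdr { addr1; addr3; };
// A proper masters list (name is constructed for this example)
masters xfer-targets { 111.3.4.5 port 333 key xxxx; 2001:3000::1; };
zone "example.net" {
    type master;
    file "examplenet.conf";
    allow-transfer { "alladdr"; };
    also-notify { "alladdr"; };
};
zone "example.org" {
    type master;
    file "exampleorg.conf";
    allow-transfer { alladdr; };
    also-notify { xfer-targets; };
};
"""

BLOCK_RE = re.compile(r'^\s*(acl|masters)\s+"?([\w.-]+)"?\s*(?:port\s+\d+\s*)?\{(.*?)\};', re.M | re.S)
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.M | re.S)
LIST_RE = re.compile(r'(also-notify|allow-transfer)\s*\{(.*?)\};', re.S)
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}


def strip_comments(text):
    """Remove /* */, // and # comments as named.conf allows them."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def split_entries(body):
    """Split a { a; b; } body into entries, dropping optional quotes around names."""
    return [e.strip().strip('"') for e in body.split(';') if e.strip()]


def parse_named_conf(text):
    """Return (acls, masters, zones) dicts: name -> entries, zone -> {stmt: entries}."""
    text = strip_comments(text)
    acls, masters, zones = {}, {}, {}
    for kind, name, body in BLOCK_RE.findall(text):
        (acls if kind == "acl" else masters)[name] = split_entries(body)
    for zname, body in ZONE_RE.findall(text):
        zones[zname] = {stmt: split_entries(items) for stmt, items in LIST_RE.findall(body)}
    return acls, masters, zones


def acl_networks(acls, name, seen=frozenset()):
    """Expand an acl into ip_network objects, recursing into nested acl names.

    ipaddress.ip_network turns a bare address into a /32 or /128 network,
    which is exactly the shorthand BIND applies inside an acl.
    """
    if name in seen:
        raise ValueError(f"acl {name} references itself")
    nets = []
    for entry in acls[name]:
        if entry in acls:
            nets.extend(acl_networks(acls, entry, seen | {name}))
        elif entry in BUILTIN_ACLS:
            continue  # built-in acls depend on runtime interface state; skipped here
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def _is_address(token):
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def check_references(acls, masters, zones):
    """Report also-notify entries that name an acl (or nothing known) instead of a
    masters list, and allow-transfer entries that name a masters list instead of an acl."""
    problems = []
    for zone, stmts in zones.items():
        for entry in stmts.get("also-notify", []):
            target = entry.split()[0]  # drop trailing "port N key K"
            if target in acls and target not in masters:
                problems.append(f"{zone}: also-notify references acl '{target}'; "
                                f"also-notify needs addresses or a 'masters' list")
            elif target not in masters and not _is_address(target):
                problems.append(f"{zone}: also-notify references unknown masters list '{target}'")
        for entry in stmts.get("allow-transfer", []):
            target = entry.lstrip("!")
            if target in BUILTIN_ACLS or target.startswith("key "):
                continue
            if target in masters and target not in acls:
                problems.append(f"{zone}: allow-transfer references masters list '{target}'; "
                                f"define it with 'acl'")
            elif target not in acls and not _is_address(target):
                problems.append(f"{zone}: allow-transfer references unknown acl '{target}'")
    return problems


if __name__ == "__main__":
    acls, masters, zones = parse_named_conf(SAMPLE_CONF)
    for net in acl_networks(acls, "alladdr"):
        print("alladdr matches", net)
    for problem in check_references(acls, masters, zones):
        print("PROBLEM:", problem)
```

Run against the sample, the checker prints the six /32 and /128 networks behind alladdr and a single problem for zone "example.net", which is the line the poster's log complained about; "example.org", which points also-notify at a masters list, passes. Running named-checkconf on the real file is still the authoritative test.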