can't get acl to work!

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Mon Feb 12 02:32:41 UTC 2001


	ACLs should be defined outside of the options block.
	
	Mark

> 
> > Well first of all you should have shown *everything* that was in the
> > options{} statement, *exactly* as it was printed there. Luckily for
> > you it doesn't look there were any errors in the stuff you decided to
> > hide from us, but who knows for sure? Amongst other things, showing
> 
> sorry, didn't mean to upset anyone. I should also have mentioned that
> if I remove the acl statement (a // in front of it is enough) everything
> works as expected.
> 
> I took that acl statement right out of the named.conf sample in the source
> tree, the named.conf one used to check the parser.
> 
> Here is the complete file:
> 
> options {
> 	directory "/var/named";
> 	pid-file "/var/run/named.pid";
> 	notify no;
> 	acl can_query { !1.2.3/24; any; };
> 	allow-query { 127.0.0.1; 192.168.1.0/24; };
> 	allow-transfer {
> 		127.0.0.1;
> 		192.168.1.2;
> 	};
> 	allow-recursion { 127.0.0.1; 192.168.1.0/24; };
> 	check-names response warn;
> 	check-names master warn;
> 	listen-on {
> 		127.0.0.1;
> 		192.168.1.2;
> 		};
> 	};
> 
> zone "." {
> 	type hint;
> 	file "db.cache";
> 	};
> 
> zone "intra.schalter.com.br" {
> 	type master;
> 	file "intra.schalter.com.br.hosts";
> 	};
> 
> zone "1.168.192.in-addr.arpa" {
> 	type master;
> 	file "192.168.1.rev";
> 	};
> 
> zone "0.0.127.in-addr.arpa" {
> 	type master;
> 	file "127.0.0.rev";
> 	};
> 
> Yes, I don't even use the acl name. I first want it to work, i.e., pass OK
> through the parser.
> 
> Again, with this file, /etc/rc.d/init.d/named restart logs the following:
> 
> Jul 16 17:28:16 mail named[21668]: named shutting down
> Jul 16 17:28:16 mail named[21668]: USAGE 963779296 963776150 CPU=0u/0s CHILDCPU=0u/0s
> Jul 16 17:28:16 mail named[21668]: NSTATS 963779296 963776150 A=62 PTR=16 MX=3
> Jul 16 17:28:16 mail named[21668]: XSTATS 963779296 963776150 RR=58 RNXD=2 RFwdR=46 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=11 SAns=59 SFwdQ=22 SDupQ=3 SErr=0 RQ=81 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=46 SFail=0 SFErr=0 SNaAns=47 SNXD=1
> Jul 16 17:28:16 mail named[21699]: starting.  named 8.2.2-P5 Wed Feb 16 05:32:07 BRDT 2000 ^Iroot at mapinguari.conectiva.com.br:/usr/src/rpm/BUILD/bind-8.2.2P5/src/bin/named
> Jul 16 17:28:16 mail named[21699]: /etc/named.conf:5: syntax error near acl
> Jul 16 17:28:16 mail named[21699]: /etc/named.conf:6: syntax error near allow-query
> Jul 16 17:28:16 mail named[21699]: hint zone "" (IN) loaded (serial 0)
> Jul 16 17:28:16 mail named[21699]: Zone "intra.schalter.com.br" (file intra.schalter.com.br.hosts): No default TTL set using SOA minimum instead
> Jul 16 17:28:16 mail named[21699]: intra.schalter.com.br.hosts: WARNING SOA expire value is less than 7 days (432000)
> Jul 16 17:28:16 mail named[21699]: intra.schalter.com.br.hosts:8: data "intra.embrasul.com.br" outside zone "intra.schalter.com.br" (ignored)
> Jul 16 17:28:16 mail named[21699]: master zone "intra.schalter.com.br" (IN) loaded (serial 963175004)
> Jul 16 17:28:16 mail named[21699]: Zone "1.168.192.in-addr.arpa" (file 192.168.1.rev): No default TTL set using SOA minimum instead
> Jul 16 17:28:16 mail named[21699]: 192.168.1.rev: WARNING SOA expire value is less than 7 days (432000)
> Jul 16 17:28:16 mail named[21699]: master zone "1.168.192.in-addr.arpa" (IN) loaded (serial 963175021)
> Jul 16 17:28:16 mail named[21699]: Zone "0.0.127.in-addr.arpa" (file 127.0.0.rev): No default TTL set using SOA minimum instead
> Jul 16 17:28:16 mail named[21699]: 127.0.0.rev: WARNING SOA expire value is less than 7 days (432000)
> Jul 16 17:28:16 mail named[21699]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 963175854)
> Jul 16 17:28:16 mail named[21699]: listening on [127.0.0.1].53 (lo)
> Jul 16 17:28:16 mail named[21699]: listening on [192.168.1.2].53 (eth0)
> Jul 16 17:28:16 mail named[21699]: listening on [200.203.204.65].53 (ppp0)
> Jul 16 17:28:16 mail named[21699]: Forwarding source address is [0.0.0.0].1054
> Jul 16 17:28:16 mail named[21700]: Ready to answer queries.
> 
> 
> If I comment out the acl statement (// in front of that line), I get:
> 
> Jul 16 17:29:57 mail named[21700]: named shutting down
> Jul 16 17:29:57 mail named[21700]: USAGE 963779397 963779296 CPU=0u/0s CHILDCPU=0u/0s
> Jul 16 17:29:57 mail named[21700]: NSTATS 963779397 963779296 A=1 PTR=1
> Jul 16 17:29:57 mail named[21700]: XSTATS 963779397 963779296 RR=1 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=1 SAns=2 SFwdQ=0 SDupQ=0 SErr=0 RQ=2 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0
> Jul 16 17:29:57 mail named[21710]: starting.  named 8.2.2-P5 Wed Feb 16 05:32:07 BRDT 2000 ^Iroot at mapinguari.conectiva.com.br:/usr/src/rpm/BUILD/bind-8.2.2P5/src/bin/named
> Jul 16 17:29:57 mail named[21710]: hint zone "" (IN) loaded (serial 0)
> Jul 16 17:29:57 mail named[21710]: Zone "intra.schalter.com.br" (file intra.schalter.com.br.hosts): No default TTL set using SOA minimum instead
> Jul 16 17:29:57 mail named[21710]: intra.schalter.com.br.hosts: WARNING SOA expire value is less than 7 days (432000)
> Jul 16 17:29:57 mail named[21710]: intra.schalter.com.br.hosts:8: data "intra.embrasul.com.br" outside zone "intra.schalter.com.br" (ignored)
> Jul 16 17:29:57 mail named[21710]: master zone "intra.schalter.com.br" (IN) loaded (serial 963175004)
> Jul 16 17:29:57 mail named[21710]: Zone "1.168.192.in-addr.arpa" (file 192.168.1.rev): No default TTL set using SOA minimum instead
> Jul 16 17:29:57 mail named[21710]: 192.168.1.rev: WARNING SOA expire value is less than 7 days (432000)
> Jul 16 17:29:57 mail named[21710]: master zone "1.168.192.in-addr.arpa" (IN) loaded (serial 963175021)
> Jul 16 17:29:57 mail named[21710]: Zone "0.0.127.in-addr.arpa" (file 127.0.0.rev): No default TTL set using SOA minimum instead
> Jul 16 17:29:57 mail named[21710]: 127.0.0.rev: WARNING SOA expire value is less than 7 days (432000)
> Jul 16 17:29:57 mail named[21710]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 963175854)
> Jul 16 17:29:57 mail named[21710]: listening on [127.0.0.1].53 (lo)
> Jul 16 17:29:57 mail named[21710]: listening on [192.168.1.2].53 (eth0)
> Jul 16 17:29:57 mail named[21710]: Forwarding source address is [0.0.0.0].1055
> Jul 16 17:29:57 mail named[21711]: Ready to answer queries.
> 
> 
> Sorry for the long email.
> 
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
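The fix Mark describes, applied to the quoted named.conf as an added example (not part of the original thread): the acl becomes a top-level statement placed before the options block that references it, and the address list it holds is then reused in allow-query and allow-recursion. The acl name "internal" is my choice; the addresses are the ones from the quoted file, and the zone statements are unchanged so they are omitted here.

```conf
// acl is a top-level statement in named.conf: it must sit outside
// options {} and be defined before any statement that refers to it.
// Name "internal" is assumed; addresses come from the quoted config.
acl internal { 127.0.0.1; 192.168.1.0/24; };

options {
	directory "/var/named";
	pid-file "/var/run/named.pid";
	notify no;
	// Same restriction as before, now expressed through the acl so the
	// query and recursion policies cannot drift apart.
	allow-query { internal; };
	allow-recursion { internal; };
	allow-transfer {
		127.0.0.1;
		192.168.1.2;
	};
	check-names response warn;
	check-names master warn;
	listen-on {
		127.0.0.1;
		192.168.1.2;
	};
};

// zone "." and the three master zones follow here exactly as in the
// quoted file.
```

Note that in the quoted log the parser also rejected the allow-query line that followed the misplaced acl (named.conf:6) and named still went on to answer queries, so a syntax error in this block can leave the intended access restrictions unapplied; check the effective policy after a restart rather than assuming it took effect.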