acls and some suggestions for ISC

/dev/rob0 rob0 at gmx.co.uk
Thu Jan 22 08:11:57 UTC 2004


I'm setting up BIND at a customer site, freeing them (me) from the
dreaded djbdns. Ahhh, nice. I set up a master (on an internal server)
and a slave (on the gateway/router). I thought I'd try using some acl
statements to ease the transition.

The new master BIND server is still running djbdns: tinydns on localhost
and dnscache on its Ethernet interface. So I made an eth0:dns alias on
another IP and used that as the "listen-on" address. 

I was hoping to use an acl on the slave server, rather than put the IP
in the masters option for each of several zone statements. That way I'd
only have one place to edit when I change over with BIND on the main IP.
It seems that "masters" can't use an acl. (Yes, the acl statement came
before the zone statement.)

Why not? The BIND 9 Configuration Reference implied that acls could be
used anywhere one might need a list of IPs or netblocks. There really
wasn't much said about "masters" syntax, but I see on closer examination
now that some options say "address_match_list", but masters does not.
Why can't "masters" use an address_match_list?

The next issue came up also on the slave. We're not going to run this on
the external interfaces yet. This is a complex router with 2 external
interfaces, plus numerous dynamic interfaces (VPN connections), and 3
internal Ethernet interfaces.

I want named running on all but the 2 external interfaces, so I tried
this as my acl:
#v+
acl internals {
    ! 1.2.3.4; ! 5.6.7.8;
};
#v-
... and later had "listen-on { internals; };" under options.

This of course didn't work. "named listening on no interfaces", or some
such message, was logged. Here's what DID work:
#v+
acl internals {
    any; ! 1.2.3.4; ! 5.6.7.8;
};
#v-

So my suggestion: I think this would have been much easier to understand
with more examples. The concepts are explained, but often not
illustrated as well as they might be.
-- 
  /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
  or put "not-spam" or "/dev/rob0" in Subject header to reply
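The behaviour the post runs into comes from how BIND evaluates an address_match_list: elements are tried in order and the first one that matches decides the outcome (a negated element that matches means "no match"); an address that matches no element at all is also a non-match. So "{ ! 1.2.3.4; ! 5.6.7.8; }" matches nothing, which is why named found no interfaces to listen on. Note that "{ any; ! 1.2.3.4; ! 5.6.7.8; }" also does not do what the post wants: "any" is tried first and matches every address, so the two negations are never evaluated and named listens on the external addresses too. The negations have to come before "any". The Python below is an added illustration, not code from the post or from BIND; it implements the same first-match rule over a constructed list of router interface addresses (the two external addresses are the placeholders used in the post, the internal ones are invented here) and shows which addresses each of the three lists would make named listen on.

```python
import ipaddress

# Constructed sample: the router's interface addresses. 1.2.3.4 and 5.6.7.8 are
# the external placeholders from the post; the rest are made up for this example.
INTERFACES = ["1.2.3.4", "5.6.7.8", "192.168.1.1", "10.8.0.1", "127.0.0.1"]

# The three candidate lists, written one element per string (no trailing ';').
ACL_NEGATIONS_ONLY = ["! 1.2.3.4", "! 5.6.7.8"]              # the post's first attempt
ACL_ANY_FIRST = ["any", "! 1.2.3.4", "! 5.6.7.8"]            # the post's second attempt
ACL_NEGATIONS_THEN_ANY = ["! 1.2.3.4", "! 5.6.7.8", "any"]   # exclusions first, then the rest


def match_list(elements, addr):
    """First-match evaluation of a BIND-style address_match_list.

    Returns True if addr is accepted, False if the first matching element is
    negated or if no element matches at all (BIND treats both as a non-match).
    Supported elements: 'any', 'none', a single address, or a CIDR prefix,
    each optionally prefixed with '!'.
    """
    addr = ipaddress.ip_address(addr)
    for raw in elements:
        element = raw.strip()
        negated = element.startswith("!")
        target = element.lstrip("!").strip()
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        else:
            hit = addr in ipaddress.ip_network(target, strict=False)
        if hit:
            # First matching element decides; a negated match is a rejection.
            return not negated
    return False


def listen_addresses(elements, interfaces=INTERFACES):
    """Interface addresses a 'listen-on { <elements> };' would bind to."""
    return [ip for ip in interfaces if match_list(elements, ip)]


if __name__ == "__main__":
    for name, acl in [("negations only", ACL_NEGATIONS_ONLY),
                      ("any first", ACL_ANY_FIRST),
                      ("negations then any", ACL_NEGATIONS_THEN_ANY)]:
        print(f"{name:20s} -> {listen_addresses(acl)}")
```

Running it shows the first list binding to no address, the second binding to all five including the two external ones, and only the third giving the intended result. The same ordering rule applies to allow-query, allow-transfer and any other option that takes an address_match_list, so an exclusion placed after "any" is silently dead rather than an error; named-checkconf will accept all three lists. On the "masters" question: a masters list is not an address_match_list, which is why an acl name is rejected there; later BIND 9 releases added a separate top-level "masters" statement for naming a reusable list of master addresses.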