Question about allow-query in the /etc/named.conf

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Tue Jul 6 07:03:40 UTC 2004


John Ho <magiciq at noordbrabant.net> wrote:
> Hi all,

> My platform is HP-UX 11i + BIND 9.2.0
> I have two acl's under allow-query in the /etc/named.conf.

> for example:

> ------------------------------------------------------------------------

> acl internal { 10.10.10.0/24; 192.168.16.0/24; };
> acl roaming  { 193.10.10.0/24;  141.10.10.0/24; 156.10.10.0/24;
> 123.10.10.0/24; 134.10.10.0/24; 122.10.10.0/24; + more than 100 of them };

> options {
>     directory "/var/named";
>     allow-query { internal; roaming; };

> ------------------------------------------------------------------------
> };

> How can I put all those IP-address ranges in acl roaming in a separate file
> (easier to maintain)?? I just want to have a text file which includes all
> those IP-address ranges.
> like:
> # more /etc/roaming_list.conf
> 193.10.10.0/24;
> 141.10.10.0/24;
> 156.10.10.0/24;
> blablabla
> blabla
> bla

> If I say --> acl roaming  { /etc/roaming_list.conf }, should it work??

You will need an external pre-processor for this (which I suggested for your
include question also).

But, using acl's with > 100 entries seems to be a dead end. Scalability and maintainability
will suffer and strange problems might creep up (due to problems maintaining an
ever-changing large acl).  Have you exhausted all other methods of solving <whatever
you try to solve by acl>?

Maybe expressing the original problem would give new clues of other solution spaces.

> Thanks in advance,

> I am looking forward to hearing from you soon.
> Regards,

> John




-- 
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but I'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
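
An added example (not code from this thread) of the kind of external pre-processor the reply suggests: it turns a plain-text list such as `/etc/roaming_list.conf` into a complete `acl roaming { ... };` statement and rejects malformed or overly broad entries before they can reach `allow-query`. The function name `build_acl`, the `min_prefix` threshold and the sample list are assumptions made for the example.

```python
import ipaddress
import sys

def build_acl(name, lines, min_prefix=8):
    """Return (acl_text, errors) for a BIND acl built from a plain-text list.

    One network per line; '#' comments, blank lines and a trailing ';' are
    tolerated, so the file format shown in the question is accepted as-is.
    """
    nets, errors = set(), []
    for lineno, raw in enumerate(lines, 1):
        entry = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set (156.10.10.7/24)
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: {entry!r}: {exc}")
            continue
        if net.prefixlen < min_prefix:
            # a mistyped short prefix would quietly open allow-query to everyone
            errors.append(f"line {lineno}: {entry!r}: prefix shorter than /{min_prefix}")
            continue
        nets.add(net)
    # collapse_addresses drops duplicates and merges adjacent or nested ranges;
    # it cannot mix address families, so IPv4 and IPv6 are collapsed separately
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    body = "".join(f"    {n};\n" for n in list(v4) + list(v6))
    return f"acl {name} {{\n{body}}};\n", errors

# Constructed sample input, in the format of /etc/roaming_list.conf above
SAMPLE = """\
# constructed sample list
193.10.10.0/24;
141.10.10.0/24;
141.10.10.0/24      # duplicate
156.10.10.7/24;     # host bits set
128.0.0.0/1;        # far too broad
blablabla
"""

if __name__ == "__main__":
    text, errs = build_acl("roaming", SAMPLE.splitlines())
    for err in errs:
        print("rejected:", err, file=sys.stderr)
    print(text, end="")
    sys.exit(1 if errs else 0)  # non-zero lets a deploy script refuse to reload
```

The generated statement can be written to its own file and pulled into `named.conf` with a top-level `include` statement, then checked with `named-checkconf` before the server is reloaded.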

