circular ACLs, named and named-checkconf inconsistency
Jim Reid
jim at rfc1035.com
Thu Mar 3 14:43:51 UTC 2005
>>>>> "Stefan" == Stefan Puiu <stefanpuiu at itcnetworks.ro> writes:
Stefan> acl "ddns1" { { ddns2; } ; };
Stefan> acl "ddns2" { {10.x.x.x;ddns1; } ; };
Stefan> Then further down:
Stefan> options { ... allow-query { ddns1; }; };
Stefan> named-checkconf doesn't report any problems, while BIND
Stefan> crashes with it (tested on Windows 2000 with BIND
Stefan> 9.3.1rc1; didn't test this on UNIX).
Stefan> Of course this is a brain damaged example that nobody
Stefan> would use in their configuration file. However, if you're
Stefan> not careful enough you can easily screw this up by
Stefan> defining a cycle in the ACL graph (something less obvious
Stefan> than the above). It would be nice if named-checkconf would
Stefan> also check for cycles in nested ACLs. Should I make a
Stefan> feature request and post it on bind9-bugs? What's the
Stefan> procedure?
If you find something that causes named to crash -- especially
syntactically correct zone or config files -- that is very definitely
a bug which needs to be fixed. If the bug is in a current release, beta or
release candidate, file a bug report to bind-bugs at isc.org. If it's in
an old version of BIND, check that the bug isn't in the current
release. If it's been fixed, upgrade. If not, file a bug report and
you should probably upgrade too.
ISTR that options for additional semantic checks in named-checkconf
are in the roadmap for future BIND9 releases. Maybe they could catch
this kind of error condition? And perhaps others like references to
non-existent or mutually exclusive ACLs. However it should always be
remembered that named-checkconf is primarily a *syntax* checking tool.
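An added example, not code from this thread or from BIND itself: a small Python pre-check that pulls the acl statements and allow-*/blackhole clauses out of a named.conf fragment, builds the graph of ACL-to-ACL references, and reports cycles plus references to ACLs that are never defined, i.e. the semantic checks the thread wishes named-checkconf performed. It assumes a simplified named.conf grammar (nested braces, `!` negation, `key` clauses, address tokens picked out by a heuristic) and a constructed sample modelled on Stefan's example with a concrete 10.0.0.0/8 in place of 10.x.x.x. It complements named-checkconf, it does not replace it.

```python
"""Pre-check for cyclic or dangling ACL references in a named.conf fragment.

Added example, not BIND's code. The grammar handled is a deliberate
simplification of named.conf (an assumption): acl statements, allow-*
and blackhole clauses, nested braces, key clauses, '!' negation and
address tokens recognised by a heuristic.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

# Constructed sample modelled on the post, with 10.0.0.0/8 for 10.x.x.x.
SAMPLE_CONF = """
// ddns1 and ddns2 reference each other: a cycle in the ACL graph
acl "ddns1" { { ddns2; } ; };
acl "ddns2" { { 10.0.0.0/8; ddns1; } ; };
acl "trusted" { 192.0.2.0/24; !192.0.2.13; localnets; };
acl "xfer" { trusted; key "xfer-key"; nosuch; };   # nosuch is never defined
options {
    allow-query { ddns1; };
    allow-transfer { xfer; also-missing; };
};
"""


def strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _balanced_block(text: str, start: int) -> Tuple[str, int]:
    """Return (body, index after closing brace) for the '{' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
    raise ValueError("unbalanced braces")


def _is_address(tok: str) -> bool:
    # Heuristic (assumption): hex digits, dots, colons, optional prefix length,
    # and at least one digit or colon so that a name like "beef" is not an address.
    return bool(re.fullmatch(r"[0-9a-fA-F.:]+(/\d+)?", tok)) and any(
        c.isdigit() or c == ":" for c in tok)


def referenced_names(body: str) -> Set[str]:
    """ACL names referenced inside one address-match-list body."""
    refs = set()
    for tok in re.split(r"[;{}]", body):
        tok = tok.strip().lstrip("!").strip()
        if not tok or tok.startswith("key ") or _is_address(tok):
            continue
        refs.add(tok.strip('"'))
    return refs


def parse_acls(text: str) -> Dict[str, Set[str]]:
    """Map each acl defined in the text to the ACL names it references."""
    text = strip_comments(text)
    acls: Dict[str, Set[str]] = {}
    for m in re.finditer(r'\bacl\s+("?)([^\s"{;]+)\1\s*(?=\{)', text):
        body, _ = _balanced_block(text, m.end())
        acls[m.group(2)] = referenced_names(body)
    return acls


def parse_allow_clauses(text: str) -> List[Tuple[str, Set[str]]]:
    """(clause name, referenced ACL names) for every allow-*/blackhole clause."""
    text = strip_comments(text)
    out = []
    for m in re.finditer(r"\b(allow-[a-z-]+|blackhole)\s*(?=\{)", text):
        body, _ = _balanced_block(text, m.end())
        out.append((m.group(1), referenced_names(body)))
    return out


def find_cycles(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Depth-first search; each cycle is returned as a path back to its start."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in graph}
    stack: List[str] = []
    cycles: List[List[str]] = []

    def visit(node: str) -> None:
        colour[node] = GREY
        stack.append(node)
        for ref in sorted(graph[node]):
            if ref not in graph:           # undefined or builtin: reported elsewhere
                continue
            if colour[ref] == GREY:        # back edge: ref is on the current path
                cycles.append(stack[stack.index(ref):] + [ref])
            elif colour[ref] == WHITE:
                visit(ref)
        stack.pop()
        colour[node] = BLACK

    for name in sorted(graph):
        if colour[name] == WHITE:
            visit(name)
    return cycles


def check_named_conf(text: str) -> Dict[str, list]:
    acls = parse_acls(text)
    where = list(acls.items()) + parse_allow_clauses(text)
    undefined = sorted({(loc, ref) for loc, refs in where for ref in refs
                        if ref not in acls and ref not in BUILTIN_ACLS})
    return {"cycles": find_cycles(acls), "undefined": undefined}


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    report = check_named_conf(conf)
    for cyc in report["cycles"]:
        print("cycle:", " -> ".join(cyc))
    for loc, ref in report["undefined"]:
        print(f"undefined ACL {ref!r} referenced from {loc}")
```

Run it with no arguments to check the embedded sample, or give it a path to a named.conf; on the sample it reports the ddns1 -> ddns2 -> ddns1 cycle and the two dangling references. Because named resolves nested ACLs recursively, any cycle this finds is worth fixing before the file ever reaches named, and a self-referencing ACL (`acl "a" { a; };`) is caught the same way.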