circular ACLs, named and named-checkconf inconsistency

Thu Mar 3 14:43:51 UTC 2005

>>>>> "Stefan" == Stefan Puiu <stefanpuiu at itcnetworks.ro> writes:

    Stefan> acl "ddns1" { { ddns2; } ; }; 
    Stefan> acl "ddns2" { {10.x.x.x;ddns1; } ; };

    Stefan> Then further down:

    Stefan> options { ...  allow-query { ddns1; }; };

    Stefan> named-checkconf doesn't report any problems, while BIND
    Stefan> crashes with it (tested on Windows 2000 with BIND
    Stefan> 9.3.1rc1; didn't test this on UNIX).

    Stefan> Of course this is a brain damaged example that nobody
    Stefan> would use in their configuration file. However, if you're
    Stefan> not careful enough you can easily screw this up by
    Stefan> defining a cycle in the ACL graph (something less obvious
    Stefan> than the above). It would be nice if named-checkconf would
    Stefan> also check for cycles in nested ACLs. Should I make a
    Stefan> feature request and post it on bind9-bugs? What's the
    Stefan> procedure?

If you find something that causes named to crash -- especially
syntactically correct zone or config files --, that is very definitely
a bug which needs to be fixed. If the bug is in a current or beta or
release candidate, file a bug report to bind-bugs at isc.org. If it's in
an old version of BIND, check that the bug isn't in the current
release. If it's been fixed, upgrade. If not, file a bug report and
you should probably upgrade too.

ISTR that options for additional semantic checks in named-checkconf
are in the roadmap for future BIND9 releases. Maybe they could catch
this kind of error condition? And perhaps others like references to
non-existent or mutually exclusive ACLs. However it should always be
remembered that named-checkconf is primarily a *syntax* checking tool.