can't get acl to work!

Jim Reid jim at rfc1035.com
Sun Jul 16 20:07:03 UTC 2000


>>>>> "Andreas" == Andreas Hasenack <andreas at netbank.com.br> writes:

    Andreas> this is driving me nuts...  
    Andreas> With bind-8.2.2P5 the following doesn't work:

    Andreas> options {
    Andreas> (...)
    Andreas> notify no;
    Andreas> acl can_query { !1.2.3/24; any; };
    Andreas> allow-query { 127.0.0.1; 192.168.1.0/24; };
    Andreas> (...)
    Andreas> listen-on { 127.0.0.1; 192.168.1.2; };
    Andreas> (...)
    Andreas> };

Well first of all you should have shown *everything* that was in the
options{} statement, *exactly* as it was printed there. Luckily for
you it doesn't look like there were any errors in the stuff you decided to
hide from us, but who knows for sure? Amongst other things, showing
the actual file allows someone to cross-check it with the line numbers
that are in the log entry reporting the syntax error.

    Andreas> If I then restart the server, I get:

    Andreas> Jul 16 16:23:18 mail named[21656]: /etc/named.conf:5: syntax error near acl
    Andreas> Jul 16 16:23:18 mail named[21656]: /etc/named.conf:6: syntax error near allow-query (...)

    Andreas> So, the "acl" directive wasn't understood and, even
    Andreas> worse, the listen-on part wasn't used (probably because

Since your options{} statement was broken, all bets are off. It's
quite possible that your syntax error upset the parser so much, it had
to ignore the rest of your options{} statement. I'd guess that when
that happens, the name server logs the syntax errors as best it can
and then reverts to a default set of options. Or if named.conf is very
badly broken, it just gives up altogether. I don't know for sure and
can't be bothered reading the source code to check.

Did you check the html directory in the doc tarball? This has a
complete description of the syntax of named.conf. Access control lists
are defined by acl{} statements. These are statements in their own
right if you assign names to the ACL. You don't put acl statements
inside other statements. The names of those acls can of course be used
as part of an allow-query (etc) clause inside a zone{} or options{}
statement.
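As an added example (not part of Jim's reply or Andreas's original post), here is the quoted fragment rearranged the way the named.conf grammar expects: the acl{} statement becomes a top-level statement of its own, and its name is then referenced from an allow-query clause. The zone name example.com and its file name are assumptions for illustration only; the addresses and networks are the ones from the post.

```conf
// Added example, not the configuration from the original post.
// Named ACLs are top-level statements: they must sit outside options{}
// and should be defined before any statement that refers to them.
acl can_query {
    !1.2.3/24;   // address match lists are first-match, so the negated
    any;         // network must come before the catch-all "any"
};

options {
    notify no;
    listen-on { 127.0.0.1; 192.168.1.2; };
    // The original allow-query, unchanged; it is legal here because
    // it is a clause inside options{}, not a statement of its own.
    allow-query { 127.0.0.1; 192.168.1.0/24; };
};

// The ACL name can now be used anywhere an address match list is
// accepted, e.g. in a zone{} statement (zone name and file are assumed).
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { can_query; };
};
```

With the acl{} moved out of options{}, the parser no longer hits a syntax error at that line, so the following allow-query and listen-on clauses are read normally instead of being discarded along with the rest of the broken statement.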
