also-notify with ACL in zone scope not working in BIND 9.4.1-P1

Mark Andrews Mark_Andrews at isc.org
Tue Aug 21 07:17:17 UTC 2007


> I'm having difficulty with getting ACLs working with also-notify in the zone
> scope. A straight IP works, ACL doesn't.

	also-notify does not take an ACCESS CONTROL LIST.

> I have couple of ACLs defined for internal and external views. Below are the
> simplified copy of the external view, and the ACL in question (to narrow
> down the problem issue).
> 
> The following configuration fails named-checkconf with the error
> /etc/namedb/named.conf:132: expected IP address near '"'
> (Line 132 is the line with also-notify on it.)
> 
---
> acl "third" { 69.13.35.100; };

	Which is shorthand for 'acl "third" { 69.13.35.100/32; };'.

	Which means if you *compare* the first 32 bits of an IPv4
	address you will get a match if they equal 69.13.35.100.

> view "external" {
> 
>         match-clients { any; };
>         recursion no;
> 
>         zone "afis.info" in {
>                 type master;
>                 file "master/afis.info";
>                 notify yes;
>                 also-notify     {"third";};
>                 allow-transfer  {"third";};
>         };
> 
>         zone "." {
>                 type hint;
>                 file "named.root";
>         };
> };
> ---
> 
> However, the following configuration works fine (the only difference is IP
> instead of an ACL reference in also-notify):
> 
> ---
> acl "third" { 69.13.35.100; };
> 
> view "external" {
> 
>         match-clients { any; };
>         recursion no;
> 
>         zone "afis.info" in {
>                 type master;
>                 file "master/afis.info";
>                 notify yes;
>                 also-notify     {69.13.35.100;};
>                 allow-transfer  {"third";};
>         };
> 
>         zone "." {
>                 type hint;
>                 file "named.root";
>         };
> };
> ---
> 
> I've tried with and without quotes in the ACL reference, no difference.
> 
> Apress's "Pro DNS and BIND" has the following example on page 342:

	Well the example is wrong then.
 
> ---
> acl "someips" {
> 10.0.0.1; 192.168.23.1; 192.168.23.15;
> };
> acl "moreips" {
> 10.0.0.2;
> 192.168.23.128/25; // 128 IPs
> };
> acl "allips" {
> "someips";
> "moreips";
> };
> view "my stuff" {
> match-clients {"someips";};
> ....
> };
> zone "example.com" in{
> type master;
> file "master.example.com";
> also-notify {"allips";};
> };
> ---
> 
> What am I doing differently, if anything? 
> 
> I'm running BIND 9.4.1-P1 on FreeBSD 6.2.
> 
> Thanks for any insights!  If this has been discussed previously, please
> point me to the right direction; I couldn't find anything about this in the
> archive.
> 
> Ville
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
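The distinction Mark draws is the one a config linter has to make: also-notify is a list of IP addresses (optionally with a port), while allow-transfer is an address-match list that may name ACLs, and a bare address in such a list is the /32 host network. The checker below is an added example, not code from the thread or from ISC's named-checkconf; the two zone stanzas are constructed from the ones Ville posted, the ACLS dictionary stands in for parsed acl statements, and all function names are hypothetical. It goes a little beyond the thread by also expanding nested ACL names and the any/none keywords.

```python
import ipaddress
import re

# Constructed sample input: the two zone stanzas from the thread, reduced to
# the keys this checker looks at.
FAILING_ZONE = '''
zone "afis.info" in {
        type master;
        file "master/afis.info";
        notify yes;
        also-notify     {"third";};
        allow-transfer  {"third";};
};
'''

WORKING_ZONE = '''
zone "afis.info" in {
        type master;
        file "master/afis.info";
        notify yes;
        also-notify     {69.13.35.100;};
        allow-transfer  {"third";};
};
'''

# Hypothetical pre-parsed acl statements: acl name -> its elements.
ACLS = {"third": ["69.13.35.100"]}


def brace_list(conf, keyword):
    """Return the ';'-separated elements of the first `keyword { ... };` in conf."""
    match = re.search(re.escape(keyword) + r"\s*\{([^}]*)\}", conf)
    if match is None:
        return []
    return [e.strip() for e in match.group(1).split(";") if e.strip()]


def is_ip_address(element):
    """also-notify elements are bare IP addresses, optionally followed by 'port N'."""
    try:
        ipaddress.ip_address(element.split()[0])
    except ValueError:
        return False
    return True


def check_also_notify(conf):
    """Reject anything in also-notify that is not an IP address (ACL names included)."""
    return [f"also-notify: expected IP address near {e!r}"
            for e in brace_list(conf, "also-notify") if not is_ip_address(e)]


def expand_address_match_list(elements, acls):
    """Expand an address-match list (allow-transfer etc.) into the networks it
    matches: ACL names are followed recursively, 'any' / 'none' are handled,
    and a bare address becomes a single-host network, i.e. 69.13.35.100 -> /32."""
    nets = []
    for element in elements:
        token = element.strip('"')
        if token in acls:
            nets.extend(expand_address_match_list(acls[token], acls))
        elif token == "any":
            nets.extend([ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")])
        elif token == "none":
            continue
        else:
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                raise ValueError(f"unknown ACL or bad address: {element!r}") from None
    return nets


def check_zone(conf, acls):
    """Return (also-notify errors, networks allowed to transfer) for one zone stanza."""
    errors = check_also_notify(conf)
    transfer = expand_address_match_list(brace_list(conf, "allow-transfer"), acls)
    return errors, transfer


if __name__ == "__main__":
    for name, conf in (("failing", FAILING_ZONE), ("working", WORKING_ZONE)):
        errors, transfer = check_zone(conf, ACLS)
        print(name, errors or "also-notify OK", [str(n) for n in transfer])
```

Run against the first stanza it reports the ACL name where an address was expected, which is the same complaint named-checkconf raised on line 132; against the second it accepts also-notify and shows allow-transfer resolving "third" to the single host 69.13.35.100/32.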