Problem with ACL in named.conf

Mark Andrews marka at isc.org
Thu Aug 30 02:02:42 UTC 2012


In message <CAOJ-cLgi-Z1DyEnKq1PbK4+jzGG3ew8ZHfv10B751sEbb9V-=Q at mail.gmail.com>, GS Bryan writes:
> I tried to use the acl statement in my named.conf file, but I have a
> hard time making it work. In my named.conf file, I've put these acl
> statements in these formats (made up IP addresses mind you):-
> 
> ----------
> // Individual ACL list
> 
> acl addr1 {
> 	11.22.33.44;
> 	12.23.34.45;
> };
> 
> acl addr2 {
> 	22.33.44.55;
> 	5.4.3.2;
> 	99.0.0.0;
> };
> 
> acl addr3 {
> 	111.3.4.5;
> 	2001:3000::1;
> 	122.3.4.5;
> 	2001:3000::2;
> };
> 
> 
> // Nested ACLs list
> 
> acl alladdr {
> 	addr1;
> 	addr2;
> 	addr3;
> };
> 
> ------------
> 
> Then when I put the 'alladdr' thing in my 'allow-transfer' and
> 'also-notify' arguments, as shown below, BIND will fail to start:-

also-notify does not take an ACL (it is not an access control).
It will take a named "masters" list.

> -----------
> 
> zone "example.net" {
>         type master;
>         file "examplenet.conf";
>         allow-transfer { "alladdr"; };
>         also-notify { "alladdr"; };
> 		key-directory "keys/examplenet/";
> 		inline-signing yes;
> 		auto-dnssec maintain;
> };
> 
> -------
> 
> Here is the log:-
> 
> ------
> ----------------------------------------------------
> BIND 9 is maintained by Internet Systems Consortium,
> Inc. (ISC), a non-profit 501(c)(3) public-benefit
> corporation.  Support and training for BIND 9 are
> available at https://www.isc.org/support
> ----------------------------------------------------
> adjusted limit on open files from 1024 to 1048576
> found 1 CPU, using 1 worker thread
> using 1 UDP listener per interface
> using up to 4096 sockets
> loading configuration from '/etc/named.conf'
> reading built-in trusted keys from file '/etc/named.iscdlv.key'
> using default UDP/IPv4 port range: [1024, 65535]
> using default UDP/IPv6 port range: [1024, 65535]
> listening on IPv4 interface lo, 127.0.0.1#53
> listening on IPv4 interface venet0:0, <redacted>#53
> listening on IPv6 interface lo, ::1#53
> listening on IPv6 interface venet0, <redacted>#53
> generating session key for dynamic DNS
> sizing zone task pool based on 10 zones
> /etc/named.conf:111: masters "alladdr" not found
> loading configuration: not found
> exiting (due to fatal error)
> -----
> 
> From examples I read from the Internet, I don't think I have done
> anything wrong. If I put all the IP addresses from addr1, addr2 and
> addr3 into the allow-transfer and also-notify statements, BIND will
> start normally without problems.

A plain address in an acl is shorthand for address/32 or address/128
depending upon the address type.  While they are visually similar
the two lists are functionally very different.

The acl addr3 you have above is shorthand for:

	acl addr3 {
		111.3.4.5/32;
		2001:3000::1/128;
		122.3.4.5/32;
		2001:3000::2/128;
	};

You could define master lists and use those.

e.g.
	masters addr3 {
		111.3.4.5;
		2001:3000::1;
		122.3.4.5;
		2001:3000::2;
	};

You can even tell named to use specific keys and ports when talking
to the server.

	masters addr3 {
		111.3.4.5 port 333 key xxxx;
		2001:3000::1;
		122.3.4.5;
		2001:3000::2;
	};

Mark


> Thanks for reading.
> --
> Bryan S.G.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
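A complete corrected named.conf fragment for the zone in the thread, added here as an illustration (it is not from the original message or from ISC); the key name "notify-key", its secret and the port 5353 are placeholder values, and the addresses are the made-up ones from the post.

```conf
// Added example, not from the thread. Key name, secret and port are placeholders.

// ACLs are address-match lists: valid in allow-* statements (allow-transfer,
// allow-query, ...) and they may be nested.  A bare address means /32 or /128.
acl addr1 { 11.22.33.44; 12.23.34.45; };
acl addr2 { 22.33.44.55; 5.4.3.2; 99.0.0.0; };
acl addr3 { 111.3.4.5; 2001:3000::1; 122.3.4.5; 2001:3000::2; };
acl alladdr { addr1; addr2; addr3; };

// A TSIG key for NOTIFY to one particular server (placeholder name/secret;
// the secret is just base64 of a constructed string).
key "notify-key" {
	algorithm hmac-sha256;
	secret "c2VjcmV0LXBsYWNlaG9sZGVy";
};

// A masters list holds server addresses (optionally with port and key).
// also-notify requires this kind of list, not an ACL, so an ACL name here
// produces the "masters ... not found" error seen in the log.
masters notify-targets {
	11.22.33.44;
	12.23.34.45;
	22.33.44.55 port 5353 key "notify-key";
	2001:3000::1;
};

zone "example.net" {
	type master;
	file "examplenet.conf";
	allow-transfer { alladdr; };        // ACL: who may pull AXFR/IXFR
	also-notify { notify-targets; };    // masters list: who receives NOTIFY
	key-directory "keys/examplenet/";
	inline-signing yes;
	auto-dnssec maintain;
};
```

Run `named-checkconf /etc/named.conf` after editing; it reports the same "not found" error at the offending line before named is restarted.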