BIND 10 jreed-docs-2, updated. 688d0a641d4fa7a018fb4f9e131ed1454c68dd15 [jreed-docs-2] add start of access control section and some comments todo
BIND 10 source code commits
bind10-changes at lists.isc.org
Thu Jun 30 02:45:45 UTC 2011
The branch, jreed-docs-2 has been updated
via 688d0a641d4fa7a018fb4f9e131ed1454c68dd15 (commit)
via c136060da6a43da5db7e45b6a32da83f0f7d0820 (commit)
from f5cc3a37a155b140b4187a98028c1b8a5f79f9b9 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 688d0a641d4fa7a018fb4f9e131ed1454c68dd15
Author: Jeremy C. Reed <jreed at ISC.org>
Date: Wed Jun 29 21:45:12 2011 -0500
[jreed-docs-2] add start of access control section and some comments todo
wrote about access control for resolver
added many comments for things to document.
commit c136060da6a43da5db7e45b6a32da83f0f7d0820
Author: Jeremy C. Reed <jreed at ISC.org>
Date: Wed Jun 29 21:43:57 2011 -0500
[jreed-docs-2] remove some spaces at ends of lines in guide
-----------------------------------------------------------------------
Summary of changes:
doc/guide/bind10-guide.xml | 132 ++++++++++++++++++++++++++++++++++++--------
1 files changed, 108 insertions(+), 24 deletions(-)
-----------------------------------------------------------------------
diff --git a/doc/guide/bind10-guide.xml b/doc/guide/bind10-guide.xml
index 7d1a006..c894f9c 100644
--- a/doc/guide/bind10-guide.xml
+++ b/doc/guide/bind10-guide.xml
@@ -129,7 +129,7 @@
The processes started by the <command>bind10</command>
command have names starting with "b10-", including:
</para>
-
+
<para>
<itemizedlist>
@@ -224,7 +224,7 @@
<section id="managing_once_running">
<title>Managing BIND 10</title>
-
+
<para>
Once BIND 10 is running, a few commands are used to interact
directly with the system:
@@ -263,7 +263,7 @@
<!-- TODO point to these -->
In addition, manual pages are also provided in the default installation.
</para>
-
+
<!--
bin/
bindctl*
@@ -370,7 +370,7 @@ Debian and Ubuntu:
</para>
<orderedlist>
-
+
<listitem>
<simpara>
Install required build dependencies.
@@ -454,7 +454,7 @@ Debian and Ubuntu:
Downloading a release tar file is the recommended method to
obtain the source code.
</para>
-
+
<para>
The BIND 10 releases are available as tar file downloads from
<ulink url="ftp://ftp.isc.org/isc/bind10/"/>.
@@ -533,34 +533,34 @@ Debian and Ubuntu:
<simpara>Define the the installation location (the
default is <filename>/usr/local/</filename>).
</simpara>
- </listitem>
+ </listitem>
</varlistentry>
<varlistentry>
<term>--with-boost-include</term>
- <listitem>
+ <listitem>
<simpara>Define the path to find the Boost headers.
</simpara>
- </listitem>
+ </listitem>
</varlistentry>
<varlistentry>
<term>--with-pythonpath</term>
- <listitem>
+ <listitem>
<simpara>Define the path to Python 3.1 if it is not in the
standard execution path.
</simpara>
- </listitem>
+ </listitem>
</varlistentry>
<varlistentry>
<term>--with-gtest</term>
- <listitem>
+ <listitem>
<simpara>Enable building the C++ Unit Tests using the
Google Tests framework. Optionally this can define the
path to the gtest header files and library.
</simpara>
- </listitem>
+ </listitem>
</varlistentry>
</variablelist>
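Review bot: The context line "Define the the installation location" (the --prefix entry at the top of this hunk) carries a doubled "the"; since the hunk already touches the surrounding `</listitem>` indentation, correct it here to "Define the installation location" rather than leaving it for a later pass.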
@@ -679,13 +679,13 @@ Debian and Ubuntu:
</para>
</section>
-->
-
+
</chapter>
<chapter id="bind10">
<title>Starting BIND10 with <command>bind10</command></title>
<para>
- BIND 10 provides the <command>bind10</command> command which
+ BIND 10 provides the <command>bind10</command> command which
starts up the required processes.
<command>bind10</command>
will also restart processes that exit unexpectedly.
@@ -694,7 +694,7 @@ Debian and Ubuntu:
<para>
After starting the <command>b10-msgq</command> communications channel,
- <command>bind10</command> connects to it,
+ <command>bind10</command> connects to it,
runs the configuration manager, and reads its own configuration.
Then it starts the other modules.
</para>
@@ -752,7 +752,7 @@ Debian and Ubuntu:
<command>b10-msgq</command> service.
It listens on 127.0.0.1.
</para>
-
+
<!-- TODO: this is broken, see Trac #111
<para>
To select an alternate port for the <command>b10-msgq</command> to
@@ -1078,10 +1078,10 @@ since we used bind10 -->
The configuration data item is:
<variablelist>
-
+
<varlistentry>
<term>database_file</term>
- <listitem>
+ <listitem>
<simpara>This is an optional string to define the path to find
the SQLite3 database file.
<!-- TODO: -->
@@ -1103,7 +1103,7 @@ This may be a temporary setting until then.
<varlistentry>
<term>shutdown</term>
- <listitem>
+ <listitem>
<simpara>Stop the authoritative DNS server.
</simpara>
<!-- TODO: what happens when this is sent, will bind10 restart? -->
@@ -1159,7 +1159,7 @@ This may be a temporary setting until then.
<varlistentry>
<term>$INCLUDE</term>
- <listitem>
+ <listitem>
<simpara>Loads an additional zone file. This may be recursive.
</simpara>
</listitem>
@@ -1167,7 +1167,7 @@ This may be a temporary setting until then.
<varlistentry>
<term>$ORIGIN</term>
- <listitem>
+ <listitem>
<simpara>Defines the relative domain name.
</simpara>
</listitem>
@@ -1175,7 +1175,7 @@ This may be a temporary setting until then.
<varlistentry>
<term>$TTL</term>
- <listitem>
+ <listitem>
<simpara>Defines the time-to-live value used for following
records that don't include a TTL.
</simpara>
@@ -1240,7 +1240,7 @@ TODO
<note><simpara>
The current development release of BIND 10 only supports
- AXFR. (IXFR is not supported.)
+ AXFR. (IXFR is not supported.)
<!-- TODO: sqlite3 data source only? -->
@@ -1287,7 +1287,7 @@ what if a NOTIFY is sent?
<note><simpara>
The current development release of BIND 10 only supports
- AXFR. (IXFR is not supported.)
+ AXFR. (IXFR is not supported.)
Access control is not yet provided.
</simpara></note>
@@ -1375,6 +1375,67 @@ what is XfroutClient xfr_client??
<!-- TODO: later the above will have some defaults -->
<section>
+ <title>Access Control</title>
+
+ <para>
+ The <command>b10-resolver</command> daemon only accepts
+ DNS queries from the localhost (127.0.0.1 and ::1).
+ The <option>Resolver/query_acl</option> configuration may
+ be used to reject, drop, or allow specific IPs or networks.
+ This configuration list is first match.
+ </para>
+
+ <para>
+ The configuration's <option>action</option> item may be
+ set to <quote>ACCEPT</quote> to allow the incoming query,
+ <quote>REJECT</quote> to respond with a DNS REFUSED return
+ code, or <quote>DROP</quote> to ignore the query without
+ any response (such as a blackhole). For more information,
+ see the respective debugging messages: <ulink
+ url="bind10-messages.html#RESOLVER_QUERY_ACCEPTED">RESOLVER_QUERY_ACCEPTED</ulink>,
+ <ulink
+ url="bind10-messages.html#RESOLVER_QUERY_REJECTED">RESOLVER_QUERY_REJECTED</ulink>,
+ and <ulink
+url="bind10-messages.html#RESOLVER_QUERY_DROPPED">RESOLVER_QUERY_DROPPED</ulink>.
+ </para>
+
+ <para>
+ The required configuration's <option>from</option> item is set
+ to an IPv4 or IPv6 address, addresses with an network mask, or to
+ the special lowercase keywords <quote>any6</quote> (for
+ any IPv6 address) or <quote>any4</quote> (for any IPv4
+ address).
+ </para>
+
+<!-- TODO:
+/0 is for any address in that address family
+does that need any address too?
+-->
+
+ <para>
+ For example to allow the <replaceable>192.168.1.0/24</replaceable>
+ network to use your recursive name server, at the
+ <command>bindctl</command> prompt run:
+ </para>
+
+ <screen>
+> <userinput>config add Resolver/query_acl</userinput>
+> <userinput>config set Resolver/query_acl[<replaceable>2</replaceable>]/action "ACCEPT"</userinput>
+> <userinput>config set Resolver/query_acl[<replaceable>2</replaceable>]/from "<replaceable>192.168.1.0/24</replaceable>"</userinput>
+> <userinput>config commit</userinput>
+</screen>
+
+ <simpara>(Replace the <quote><replaceable>2</replaceable></quote>
+ as needed; run <quote><userinput>config show
+ Resolver/query_acl</userinput></quote> if needed.)</simpara>
+
+<!-- TODO: check this -->
+ <note><simpara>This prototype access control configuration
+ syntax may be changed.</simpara></note>
+
+ </section>
+
+ <section>
<title>Forwarding</title>
<para>
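Review bot: The worked example hardcodes the new entry at `Resolver/query_acl[2]`, but `config add Resolver/query_acl` appends at whatever the current list length is, and because the paragraph states the list is first match, an earlier REJECT or DROP entry that already covers 192.168.1.0/24 would shadow the new ACCEPT rule. Suggest telling the reader to run `config show Resolver/query_acl` before the `config add` (not only afterwards, as the parenthetical does) so they know the index and the existing ordering, and to state explicitly what happens to a query that matches no entry, since the first paragraph only says queries from localhost are accepted by default. Minor: "addresses with an network mask" should read "a network mask", and the unindented `<ulink` line for RESOLVER_QUERY_DROPPED should match the indentation of the two links above it.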
@@ -1533,6 +1594,29 @@ then change those defaults with config set Resolver/forward_addresses[0]/address
</varlistentry>
</variablelist>
+<!--
+what's the default log output? stdout? stderr?
+
+(15:07:03) jelte: > ./src/bin/bindctl/run_bindctl.sh
+["login success "] login as root
+> config show Logging/loggers
+Logging/loggers [] list
+> config add Logging/loggers
+> config set Logging/loggers[0]/name
+> config set Logging/loggers[0]/severity DEBUG
+> config set Logging/loggers[0]/debuglevel 99
+> config add Logging/loggers[0]/output_options
+> config commit
+
+(16:38:26) jinmei: Error: destination set to syslog but output not set to any facility for logger *
+
+(16:50:35) jinmei: log4cplus:WARN RollingFileAppender: MaxFileSize property value is too small. Resetting to 204800.
+
+see src/lib/log/README
+and spec file
+and code of course!
+-->
+
</para>
</chapter>
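Review bot: The commented-out block pastes IRC chat rather than a documented procedure: `config set Logging/loggers[0]/name` is shown with no value, and the two jinmei lines are error output (`destination set to syslog but output not set to any facility`, `MaxFileSize property value is too small`) with no explanation of which settings produced them. Before this is uncommented, replace it with a complete bindctl session in which every `config set` carries its value and the resulting `config show Logging/loggers` output is shown, and resolve the open "what's the default log output?" question, since an operator copying these lines as-is would hit the same errors.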