BIND 10 trac2066, updated. aa78dee2dc53f87be18838e1c383778f4b6e9308 [2066] revised resolver ACL text per my own suggestion
BIND 10 source code commits
bind10-changes at lists.isc.org
Tue Aug 14 19:36:10 UTC 2012
The branch, trac2066 has been updated
via aa78dee2dc53f87be18838e1c383778f4b6e9308 (commit)
via a5c9a0e9e86ef3ff1ce2ae8fc63640e7a94c63fa (commit)
via c22e36e2ffb2a1e4586d0838c81aa44efb3bdd3e (commit)
via 112b9731c47d04769ed1de4eaed90752da8f285a (commit)
from 33ea36e96957ee97641a4f5fb281e974c79dba45 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit aa78dee2dc53f87be18838e1c383778f4b6e9308
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Tue Aug 14 12:34:37 2012 -0700
[2066] revised resolver ACL text per my own suggestion
commit a5c9a0e9e86ef3ff1ce2ae8fc63640e7a94c63fa
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Tue Aug 14 12:31:06 2012 -0700
[2066] revised text about xfrout acl config per my own suggestion
commit c22e36e2ffb2a1e4586d0838c81aa44efb3bdd3e
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Tue Aug 14 12:27:46 2012 -0700
[2066] added a note that list form of ACL match value doesn't work.
referring to #2066.
commit 112b9731c47d04769ed1de4eaed90752da8f285a
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Tue Aug 14 12:27:33 2012 -0700
[2066] corrected small errors in the previous fix
-----------------------------------------------------------------------
Summary of changes:
doc/guide/bind10-guide.xml | 42 ++++++++++++++++++++++++++++--------------
1 file changed, 28 insertions(+), 14 deletions(-)
-----------------------------------------------------------------------
diff --git a/doc/guide/bind10-guide.xml b/doc/guide/bind10-guide.xml
index 0fe0ceb..f585855 100644
--- a/doc/guide/bind10-guide.xml
+++ b/doc/guide/bind10-guide.xml
@@ -1353,9 +1353,9 @@ RULE := { "action": "ACCEPT"|"REJECT"|"DROP", MATCH, MATCH, ... }
RULE_RAW := { MATCH, MATCH, ... }
MATCH := FROM_MATCH|KEY_MATCH|NOT_MATCH|OR_MATCH|AND_MATCH|...
FROM_MATCH := "from": [RANGE, RANGE, RANGE, ...] | RANGE
-RANGE := "<ip range>";
+RANGE := "<ip range>"
KEY_MATCH := "key": [KEY, KEY, KEY, ...] | KEY
-KEY := "<key name>";
+KEY := "<key name>"
NOT_MATCH := "NOT": RULE_RAW
OR_MATCH := "ANY": [ RULE_RAW, RULE_RAW, ... ]
AND_MATCH := "ALL": [ RULE_RAW, RULE_RAW, ... ]
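Review bot: dropping the trailing semicolons from RANGE and KEY makes those two productions consistent with the rest of the grammar, which is the right fix; but FROM_MATCH and KEY_MATCH still advertise the `[RANGE, RANGE, ...]` and `[KEY, KEY, ...]` list alternatives that the new note further down says the implementation currently rejects. Consider a short remark in the grammar itself (or a marker pointing at that note) so a reader who copies the grammar without reading on does not write a configuration that fails to load.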
@@ -1403,6 +1403,18 @@ AND_MATCH := "ALL": [ RULE_RAW, RULE_RAW, ... ]
will work in a similar way.
</para>
+ <note>
+ <simpara>
+ The list form is currently rejected due to an
+ implementation bug. There is a plan to fix it relatively
+ soon, so the syntax is kept here, but note that it won't
+ work until the bug is fixed. To keep track of the status
+ of the issue, see
+ <ulink url="http://bind10.isc.org/ticket/2191">Trac #2191</ulink>.
+ Until then, the value must be a single string.
+ </simpara>
+ </note>
+
<para>
If that is not enough, you can compose the matching conditions
to logical expressions. They are called "ANY", "ALL" and "NOT".
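Review bot: the commit message for c22e36e says the note refers to #2066, but the `<ulink>` points at Trac #2191; confirm which ticket actually tracks the list-form bug before merging, since a wrong tracker link in the guide will outlive the fix. "The list form is currently rejected" should also say what the user will observe, e.g. "is rejected as a configuration error and cannot be committed", so it is clear the list is not silently ignored and the effective ACL is neither narrower nor wider than the operator intended.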
@@ -2104,11 +2116,6 @@ http://bind10.isc.org/wiki/ScalableZoneLoadDesign#a7.2UpdatingaZone
Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
<para>
- You can configure it in the same way as any ACL
- (<xref linkend="common-acl" />).
- </para>
-
- <para>
If you want to require TSIG in access control, a system wide TSIG
"key ring" must be configured.
In this example, we allow client matching both the IP address
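Review bot: this removal only makes sense together with the re-insertion in the next hunk (the same `<xref linkend="common-acl" />`), so the two belong in one commit as they are here; no other issue, the `<screen>` above is still followed directly by the TSIG `<para>`.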
@@ -2123,6 +2130,11 @@ Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
will use the system wide keyring to check
TSIGs in the incoming messages and to sign responses.</para>
+ <para>
+ For further details on ACL configuration, see
+ <xref linkend="common-acl" />.
+ </para>
+
<note><simpara>
The way to specify zone specific configuration (ACLs, etc) is
likely to be changed.
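Review bot: placing the common-acl cross-reference after the TSIG example reads better than its original position before it, but the `<note>` immediately below warns that zone-specific ACL configuration "is likely to be changed"; consider folding the xref into that note or ordering the two so the caveat follows the pointer, otherwise the reader is sent to the common ACL section and only then told the syntax may change. Minor: the added `<para>` could be written on one line like the surrounding markup.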
@@ -2487,24 +2499,26 @@ what is XfroutClient xfr_client??
</para>
<para>
- To allow queries on the "192.168.1.1" interface, these commands could be
- issued. Note that we don't set the value of the third rule -- in the case
- of resolver, rejecting all queries is the default value of new rule. And
- that last final rule is not needed too, as the default, when a query falls
- off the list, is rejection.
+ The following session is an example of extending the ACL to also
+ allow queries from 192.0.2.0/24:
<screen>
> <userinput>config show Resolver/query_acl</userinput>
Resolver/query_acl[0] {"action": "ACCEPT", "from": "127.0.0.1"} any (default)
Resolver/query_acl[1] {"action": "ACCEPT", "from": "::1"} any (default)
> <userinput>config add Resolver/query_acl</userinput>
-> <userinput>config set Resolver/query_acl[2] {"action": "ACCEPT", "from": "192.168.1.1/24"}</userinput>
+> <userinput>config set Resolver/query_acl[2] {"action": "ACCEPT", "from": "192.0.2.0/24"}</userinput>
> <userinput>config add Resolver/query_acl</userinput>
> <userinput>config show Resolver/query_acl</userinput>
Resolver/query_acl[0] {"action": "ACCEPT", "from": "127.0.0.1"} any (modified)
Resolver/query_acl[1] {"action": "ACCEPT", "from": "::1"} any (modified)
-Resolver/query_acl[2] {"action": "ACCEPT", "from": "192.168.1.1/24"} any (modified)
+Resolver/query_acl[2] {"action": "ACCEPT", "from": "192.0.2.0/24"} any (modified)
Resolver/query_acl[3] {"action": "REJECT"} any (modified)
> <userinput>config commit</userinput></screen>
+ Note that we didn't set the value of the last final rule
+ (query_acl[3]) -- in the case of resolver, rejecting all queries is
+ the default value of a new rule. In fact, this rule can even be
+ omitted completely, as the default, when a query falls off the list,
+ is rejection.
</para>
</section>
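Review bot: "the last final rule" in the added paragraph is redundant; "the last rule (query_acl[3])" is enough. The rewrite is otherwise a clear improvement on the removed text: the old wording spoke of allowing queries "on the 192.168.1.1 interface" although the ACL matches the query's source address, and 192.168.1.1/24 is a host address with a prefix rather than a network; 192.0.2.0/24 (documentation range) avoids both problems. It is worth keeping the explicit `{"action": "REJECT"}` rule in the example even though the text says it can be omitted: the implicit rejection when a query falls off the list is the safe default, and showing the rule makes that fail-closed behaviour visible to anyone reading the `config show` output.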