I tried to use the acl statement in my named.conf file, but I have a
hard time making it work. In my named.conf file, I've put these acl
statements in these formats (made-up IP addresses, mind you):-

----------
// Individual ACL list

acl addr1 {
        11.22.33.44;
        12.23.34.45;
};

acl addr2 {
        22.33.44.55;
        5.4.3.2;
        99.0.0.0;
};

acl addr3 {
        111.3.4.5;
        2001:3000::1;
        122.3.4.5;
        2001:3000::2;
};


// Nested ACLs list

acl alladdr {
        addr1;
        addr2;
        addr3;
};

------------

Then when I put the 'alladdr' thing in my 'allow-transfer' and
'also-notify' arguments, as shown below, BIND will fail to start:-

-----------

zone "example.net" {
        type master;
        file "examplenet.conf";
        allow-transfer { "alladdr"; };
        also-notify { "alladdr"; };
        key-directory "keys/examplenet/";
        inline-signing yes;
        auto-dnssec maintain;
};

-------

Here is the log:-

------
----------------------------------------------------
BIND 9 is maintained by Internet Systems Consortium,
Inc. (ISC), a non-profit 501(c)(3) public-benefit
corporation.  Support and training for BIND 9 are
available at https://www.isc.org/support
----------------------------------------------------
adjusted limit on open files from 1024 to 1048576
found 1 CPU, using 1 worker thread
using 1 UDP listener per interface
using up to 4096 sockets
loading configuration from '/etc/named.conf'
reading built-in trusted keys from file '/etc/named.iscdlv.key'
using default UDP/IPv4 port range: [1024, 65535]
using default UDP/IPv6 port range: [1024, 65535]
listening on IPv4 interface lo, 127.0.0.1#53
listening on IPv4 interface venet0:0, <redacted>#53
listening on IPv6 interface lo, ::1#53
listening on IPv6 interface venet0, <redacted>#53
generating session key for dynamic DNS
sizing zone task pool based on 10 zones
/etc/named.conf:111: masters "alladdr" not found
loading configuration: not found
exiting (due to fatal error)
-----

From examples I read on the Internet, I don't think I have done
anything wrong. If I put all the IP addresses from addr1, addr2 and
addr3 into the allow-transfer and also-notify statements, BIND will
start normally without problems.

Thanks for reading.
--
Bryan S.G.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
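The log line `masters "alladdr" not found` is the clue: named resolves names inside `also-notify` against masters lists (the `masters`/`primaries` statement), not against acls, whereas `allow-transfer` is an address match list in which acl names are valid. The following is an added example, not code from the post or from ISC: a small Python lint that parses the named.conf subset involved, checks that every name referenced from `allow-transfer` resolves to an acl and every name referenced from `also-notify` resolves to a masters list, and reports an acl used where a masters list is expected. The two sample configurations are constructed here (the corrected one uses a hypothetical masters list named `secondaries`); real-world validation should still be done with `named-checkconf`.

```python
"""Lint a named.conf subset for acl / masters-list name confusion.

Assumed BIND 9 semantics: allow-transfer takes an address match list, so
acl names are valid there; also-notify takes a masters list, so only
addresses or names defined by a `masters` (or `primaries`) statement are
valid there.  Added example; not part of the original post or of BIND.
"""
import re

# Constructed sample modelled on the post: the acl nesting is fine, but the
# zone hands an acl name to also-notify, which named rejects at startup.
BROKEN_CONF = """
acl addr1 { 11.22.33.44; 12.23.34.45; };
acl addr2 { 22.33.44.55; 5.4.3.2; 99.0.0.0; };
acl addr3 { 111.3.4.5; 2001:3000::1; 122.3.4.5; 2001:3000::2; };
acl alladdr { addr1; addr2; addr3; };   // nested acl

zone "example.net" {
        type master;
        file "examplenet.conf";
        allow-transfer { "alladdr"; };
        also-notify { "alladdr"; };
};
"""

# Constructed corrected layout (hypothetical name `secondaries`): the acl
# keeps guarding transfers, a separate masters list carries notify targets.
FIXED_CONF = """
acl addr1 { 11.22.33.44; 12.23.34.45; };
acl alladdr { addr1; 22.33.44.55; 2001:3000::1; };
masters secondaries { 11.22.33.44; 12.23.34.45; 22.33.44.55 port 53; 2001:3000::1; };

zone "example.net" {
        type master;
        file "examplenet.conf";
        allow-transfer { alladdr; };
        also-notify { secondaries; };
};
"""

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
TOKEN = re.compile(r'"[^"]*"|[{};]|//[^\n]*|#[^\n]*|[^\s{};"]+')
ADDR = re.compile(r"^[0-9A-Fa-f.:]+(/\d{1,3})?$")


def is_address(tok: str) -> bool:
    """Loose IPv4/IPv6 literal-or-prefix check (hex-looking names are
    excluded by requiring a '.' or ':')."""
    return bool(ADDR.match(tok)) and any(c in tok for c in ".:")


def tokenize(text: str):
    """Yield named.conf tokens with comments dropped and quotes stripped."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # /* ... */ comments
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if tok[:2] == "//" or tok[:1] == "#":            # line comments
            continue
        yield tok.strip('"')


def parse(tokens):
    """Build nested (words, body) statements; body is None for leaf entries."""
    toks, pos = list(tokens), 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(toks) and toks[pos] != "}":
            words = []
            while pos < len(toks) and toks[pos] not in ("{", ";"):
                words.append(toks[pos])
                pos += 1
            if pos >= len(toks):                         # malformed tail
                break
            body = None
            if toks[pos] == "{":
                pos += 1
                body = block()
                pos += 1                                 # consume '}'
            if pos < len(toks) and toks[pos] == ";":
                pos += 1
            stmts.append((words, body))
        return stmts

    return block()


def check(conf_text: str) -> list:
    """Return findings as strings; an empty list means every reference resolves."""
    stmts = parse(tokenize(conf_text))
    acls = {w[1] for w, _ in stmts if w and w[0] == "acl"}
    masters = {w[1] for w, _ in stmts if w and w[0] in ("masters", "primaries")}
    findings = []

    def check_aml(owner, entries):
        # Address match list: addresses, key references, acl names, nested lists.
        for words, body in entries:
            if body is not None:                         # nested { ... } list
                check_aml(owner, body)
                continue
            name = words[0].lstrip("!")                  # '!' negates an entry
            if name == "key" or is_address(name) or name in acls | BUILTIN_ACLS:
                continue
            findings.append(f"{owner}: undefined acl '{name}'")

    for words, body in stmts:
        if words and words[0] == "acl":
            check_aml(f"acl {words[1]}", body or [])
        elif words and words[0] == "zone":
            for entry, sub in body or []:
                if entry[0] == "allow-transfer":
                    check_aml(f"zone {words[1]} allow-transfer", sub or [])
                elif entry[0] == "also-notify":
                    for e, _ in sub or []:
                        name = e[0]
                        if is_address(name) or name in masters:
                            continue
                        kind = "an acl, not a masters list" if name in acls else "undefined"
                        findings.append(f"zone {words[1]} also-notify: '{name}' is {kind}")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check(conf) or "ok")
```

Running the script reports the acl-in-also-notify finding for the broken layout and nothing for the corrected one; the distinction matters for operations because `allow-transfer` decides who may pull the zone while `also-notify` only decides who gets told about changes, so the two lists are maintained separately even when they contain the same hosts.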
