Elmar K. Bins wrote:
> Randy,
>
> ra...@psg.com (Randy Bush) wrote:
>
> > can i use an acl{} or other macro in `also-notify`? i have a bunch of
> > zones where i want the same `also-notify` list.
>
> Been running into the same issue and tried to find out. My master lis
Randy,
ra...@psg.com (Randy Bush) wrote:
> can i use an acl{} or other macro in `also-notify`? i have a bunch of
> zones where i want the same `also-notify` list.
Been running into the same issue and tried to find out. My master lists and acls
are identical as yours seem to be. I'v
have spent a bit searching but no result. so ...
can i use an acl{} or other macro in `also-notify`? i have a bunch of
zones where i want the same `also-notify` list.
thanks
randy
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the
On 11/10/2021 6:25 AM, Giddings, Bret wrote:
Is there any other facility for including effectively the same grant
statements within multiple zones?
I am not aware of any
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
john.thurs...@alaska.gov
Departm
Hello,
I want to use the same update-policy grant statements multiple times in
different zones and would therefore prefer to use something like an ACL.
It doesn’t appear to be the case that you can create something like
acl “FOO” {
grant EXAMPLE.COM krb5-self . A ;
grant * tcp-self . PTR(1
een removed.
>>
>> The ECS option is still supported in dig and mdig
>> via the +subnet option, and can be parsed and logged
>> when received by named, but it is no longer used
>>
esent) the ECS to you, that
works great, but the plumbing into the acl is what is needed to serve up
a separate view by source client.
Being realistic, this is not a large deployment, if it's an edge case
then it is surely not worth anyone's time to add support back in.
Thank yo
On Thu, Sep 02, 2021 at 02:26:59PM -0400, Ryan McGuire wrote:
> Thank you, in my searching I failed to come across that.
>
> Do you know if it's been replaced by something more "practical to
> deploy"? I found some discussion regarding support for "The PROXY
> Protocol" (https://www.haproxy.org/
and not practical to deploy) has been removed.
The ECS option is still supported in dig and mdig
via the +subnet option, and can be parsed and logged
when received by named, but it is no longer used
The ECS option is still supported in dig and mdig
via the +subnet option, and can be parsed and logged
when received by named, but it is no longer used
for ACL processing. The "geoip-use-ecs" option
.
-Ryan
On 9/2/21 10:06 AM, Ryan McGuire wrote:
I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a
view. The views are working well, and the ECS is read by bind9 (see
log below), but I can't seem to find a syntax for adding an ecs entry
into an acl. Here is what
I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a
view. The views are working well, and the ECS is read by bind9 (see log
below), but I can't seem to find a syntax for adding an ecs entry into
an acl. Here is what I've tried:
acl "filtered" {
192
On Sun, Apr 25, 2021 at 01:47:31PM +0530, Sachchidanand Upadhyay via bind-users
wrote:
> I am using geoip based ACL to restrict traffic. Now I want to allow all
> country traffic except two or three, like i want to allow all traffic
> except country A, B and C.
>
> Can anyone giv
Hi,
I am using geoip based ACL to restrict traffic. Now I want to allow all country
traffic except two or three, like i want to allow all traffic except country A,
B and C.
Can anyone give an example to achieve the same?
BR,
Sachchidanand
On Thu, Apr 15, 2021 at 03:35:38PM +0800, Zhengyu Pan wrote:
> I want to implement intelligent DNS through bind9. I need to add a custom
> line(IP address ranges) to bind9 using acl and view when add a user.
> Because when add a tenant, i need to define a new acl and view. I don't
>
>do you mean, the same domains with different content, depending on clients'
>IPs? That's common multiple-view setup
>(nothing special or intelligent).
Yes, I will create a view and acl for every client. Because every client has
the unique IP address.
>Why? Do you
ing IPs?
Maybe they could use local DNS server talking to your DNS server using TSIG,
and instead of IPs you'd define TSIG keys.
So i want to know whether have commands or API to add acl and view like the command "rndc
addacl" or "rndc addview"?
I'm afraid for
The views and ACLS
are added frequently.
So i want to know whether have commands or API to add acl and view like the
command "rndc addacl" or "rndc addview"?
Updating config file frequently may affect other zones in this dns server.
At 2021-04-15 15:08:26, "Matus UHLAR - f
On 15.04.21 15:35, Zhengyu Pan wrote:
I want to implement intelligent DNS through bind9.
I need to add a custom line(IP address ranges) to bind9 using acl and view
when add a user. Because when add a tenant, i need to define a new acl
and view. I don't want to update named.conf config
Hi,
I want to implement intelligent DNS through bind9. I need to add a custom
line(IP address ranges) to bind9 using acl and view when add a user. Because
when add a tenant, i need to define a new acl and view. I don't want to update
named.conf config file frequently.
Does bind9 su
You use the "ecs" key word like this.
acl example { ecs 10.0.0.0/8; };
view ecs-net-10-only {
match-clients { example; };
};
Also using colour or fonts is not a good way to highlight
what
ng
> authoritative servers to give different answers to the same resolver for
> different resolver clients.
>
>
>
> *An ACL containing an element of the form ecs prefix will match if a
> request arrives in containing*
> *an ECS option encoding an address within that prefix. If
for
different resolver clients.
An ACL containing an element of the form ecs prefix will match if a request
arrives in containing
an ECS option encoding an address within that prefix. If the request has no ECS
option,
then "ecs" elements are simply ignored. Addresses in ACLs th
On 8 October 2016 at 09:57, Pol Hallen wrote:
> 192.168.1/24 is not a valid netmask
>>
>
> huh?
> In linux and BSD I always use 192.168.1/24 (how shortcut of 192.168.1.0/24)
> and so on...
You're confusing network configuration with ACL syntax.
Where you're u
And don't forget the copious comments in named.conf, so that your successor can
easily see, at a glance, what start/end addresses those clusters of ACL
elements represent.
sure! :-)
thanks
Pol
And don't forget the copious comments in named.conf, so that your successor can
easily see, at a glance, what start/end addresses those clusters of ACL
elements represent.
- Kevin
-Original Me
Acls don’t support ranges, only prefixes. You don’t want the whole /24. I
think you want:
// 192.168.1.0 - 192.168.1.99
acl net1 { 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; };
// 192.168.1.100 - 192.168.1.199
acl net2 { 192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26;
192.168.1.192/29; };
thanks guys
well? :-)
- Kevin
-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol
Hallen
Sent: Monday, October 17, 2016 2:37 PM
To: bind-users@lists.isc.org
Subject: defines ip to acl
Hello all :-)
I need to setup 2 ki
Acls don’t support ranges, only prefixes. You don’t want the whole /24. I
think you want:
// 192.168.1.0 - 192.168.1.99
acl net1 { 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; };
// 192.168.1.100 - 192.168.1.199
acl net2 { 192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26;
192.168.1.192/29; };
On 2016-10-17, 13:41, "bind-use
Hello all :-)
I need to setup 2 kind of acl on same network, ie:
ip from 192.168.1.1 to 192.168.1.99 belongs to acl1
and ip from 192.168.1.100 to 192.168.1.199 to acl2
acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };
what's the correct way? I didn't find nothing :
I think what you are looking for is:
acl test0 { !192.168.1.50/32; 192.168.1.0/24; };
http://jodies.de/ipcalc is a good resource for checking. (As was mentioned
by Reindl...)
Learning basic sub-netting of IP addresses (Both IPv4 and IPv6) takes time
but it's necessary for DNS configur
On 8 October 2016 at 14:14, Pol Hallen wrote:
> acl test0 { !192.168.1.50/24; 192.168.1/24;};
acl test0 { !192.168.1.50; 192.168.1.0/24;};
On 08.10.2016 at 16:57, Pol Hallen wrote:
192.168.1/24 is not a valid netmask
huh?
In linux and BSD I always use 192.168.1/24 (how shortcut of
192.168.1.0/24) and so on...
hint: using /24 everywhere is nonsense
why?
My goal is allow 192.168.1.0/24 (net) and deny 192.168.1.50 (host)
be
192.168.1/24 is not a valid netmask
huh?
In linux and BSD I always use 192.168.1/24 (how shortcut of
192.168.1.0/24) and so on...
hint: using /24 everywhere is nonsense
why?
My goal is allow 192.168.1.0/24 (net) and deny 192.168.1.50 (host)
thanks
Pol
On 08.10.2016 at 15:14, Pol Hallen wrote:
Hi all :-)
can someone advise me about a full howto / handbook to understand ACL?
I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host:
acl test0 { !192.168.1.50/24; 192.168.1/24;};
192.168.1/24 is not a valid netmask
Hi all :-)
can someone advise me about a full howto / handbook to understand ACL?
I need to permit all network 192.168.1/24 and deny 192.168.1.50/24 host:
acl test0 { !192.168.1.50/24; 192.168.1/24;};
thanks for help!
Pol
On Tue, Apr 26, 2016 at 10:22 AM, Ali Jawad wrote:
> Hi Bob
> I did have a look at
> http://www.zytrax.com/books/dns/ch7/rpz.html#policy-client-ip-trigger ,
> and while in theory it can be used in a way similar to ACL I cant see how
> it accommodates for faster changes, w
Hi Bob
I did have a look at
http://www.zytrax.com/books/dns/ch7/rpz.html#policy-client-ip-trigger , and
while in theory it can be used in a way similar to ACL I cant see how it
accommodates for faster changes, would you please elaborate ?
On Tue, Apr 26, 2016 at 4:46 PM, Bob Harold wrote
ate zone,
>
> Rather than the tool writing an ACL for bind, can the tool instead
> reconfigure the user's local workstation dns settings to point to one of
> two different (sets of) bind servers? One serves the public zone, one
> serves the private zone.
>
>
>
You migh
On Mon, 2016-04-25 at 23:23 +0300, Ali Jawad wrote:
> based on a user tool the users "hundreds in corporate environment" get
> either public or private zone,
Rather than the tool writing an ACL for bind, can the tool instead
reconf
On 25/04/16 22:23, Ali Jawad wrote:
Hi Ali Jawad,
> I do have a very specific requirement for private/public zones and based on
> a user tool the users "hundreds in corporate environment" get either public
> or private zone, the tool simply writes to an ACL file, my problem
Hi
I do have a very specific requirement for private/public zones and based on
a user tool the users "hundreds in corporate environment" get either public
or private zone, the tool simply writes to an ACL file, my problem is that
the only way I found that does not flush the cache of the
an Clegg
Sent: Monday, February 29, 2016 4:11 PM
To: bind-users@lists.isc.org
Subject: Re: Database driven ACL
On 2/29/16, 4:04 PM, "/dev/rob0" wrote:
>On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote:
>> Is there a mature/tested method of loading ACLs through a DB qu
On Mon, Feb 29, 2016 at 04:11:03PM -0500, Alan Clegg wrote:
> Would also be cool to have a meta-zone or type (overlay similar to RPZ
> perhaps?) that could be used to configure DNS options.
>
> Then your existing DNS tools could act as your management interface.
Stay tuned for 9.11, which will ha
On 2/29/16, 4:04 PM, "/dev/rob0" wrote:
>On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote:
>> Is there a mature/tested method of loading ACLs through a DB query
>> instead of editing the config file or reading/writing into a text
>> file ?
>
>I like this idea. I'd further suggest using
On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote:
> Is there a mature/tested method of loading ACLs through a DB query
> instead of editing the config file or reading/writing into a text
> file ?
I like this idea. I'd further suggest using either:
1. An abstraction layer such that an
Hi
Is there a mature/tested method of loading ACLs through a DB query instead
of editing the config file or reading/writing into a text file ?
Regards
5 4:19 PM
> To: bind-users@lists.isc.org
> Subject: Negation in view match-clients ACL doesn't work?
>
> Folks,
>
> This has been a real mystery and haven't been able to find a good
> explanation for the behavior. For a simple example I have two views setup
- Kevin
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of MURTARI, JOHN
Sent: Tuesday, August 04, 2015 4:19 PM
To: bind-users@lists.isc.org
Subject: Negation in view match-clients ACL doesn't work?
Folks,
This ha
Folks,
This has been a real mystery and haven't been able to find a good
explanation for the behavior. For a simple example I have two views setup and I
want to differentiate access based on queries originating from 127.0.0.1.
In my FIRST ATTEMPT I just negated the IP address, b
In article ,
Ali Jawad wrote:
> Hi Barry
> I would rather not do that through editing text files unless it is the last
> option. I want this dynamic and scalable . Down the road users will have
> option to change their view as such simultaneous read/write might happen
I don't think BIND has a d
cenario and I would
> appreciate
> > if you could advise me.
> >
> >
> >- I do have 6 different Geo ACLs and a default ACL
> > - Each ACL has its own zone file , users get served based on Geo
> > location. If the users are not part of any geo loca
could advise me.
>
>
>- I do have 6 different Geo ACLs and a default ACL
> - Each ACL has its own zone file , users get served based on Geo
> location. If the users are not part of any geo location they are
> served the
> default ACL and zone files.
>
default ACL
- Each ACL has its own zone file , users get served based on Geo
location. If the users are not part of any geo location they are
served the
default ACL and zone files.
- For a few hundred users I want to assign their IPs to specific Geo
locations even if they
Hi Robert,
Thanks for the reply.
I also should have mentioned that this is for an authoritative DNS setup.
I'm evaluating different DNS options to support CDN-like testbed where, due
to Internet path changes/outages, I would ideally like the ability to
rapidly change where particular clients are
24 <http://216.55.18.0/24>; };zone "domaintest.com
> <http://domaintest.com/>" in {type master;file
> "/etc/bind/view2.zone";};};*
I'd recommend using acl statements:
#v+
# here I am naming each component network
# (use names that
Hi Matt,
in my understanding, "rndc reload in " reloads the zone
file only, not the configuration where the "matched-clients { }"
statement is listed. So, you'll have to run a full config reload if you
change the "matched-clients { }" list.
I just wonder why you want to move a client's ip from o
I'm running BIND 9.9.5-3 on Ubuntu 14.04.1.
I'm trying to figure out how to change the match-clients prefixes in a view
without having to restart BIND or do full config reload. My actual BIND
config has many views and restarts can take several minutes.
Here is my simple test set up.
On 29.01.14 14:45, Pika.Aman wrote:
I would like to ask if there exists any way to dynamic update the ip
addresses in the list of the ACL clause without reload or re-start the
bind server? Hoping someone can help me! Thank you!!
No, the dynamic configuration like this is not supported
On Jan 29, 2014, at 7:45 AM, Pika.Aman wrote:
> Hi there,
>
> I would like to ask if there exists any way to dynamic update the ip
> addresses in the list of the ACL clause without reload or re-start the bind
> server? Hoping someone can help me! Thank you!!
Yo
Hi there,
I would like to ask if there exists any way to dynamic update the ip addresses
in the list of the ACL clause without reload or re-start the bind server?
Hoping someone can help me! Thank you!!
--
Pika Aman
Sent with Sparrow (http://www.sparrowmailapp.com/?sig
Augie,
On Monday, 2013-02-04 19:01:38 -0600,
"Jeremy C. Reed" wrote:
> On Mon, 4 Feb 2013, Augie Schwer wrote:
>
> > Does anyone have any experience using a large ( 1k ) entry ACL list?
> > Was there any performance degradation?
> >
> > I haven'
On Mon, 4 Feb 2013, Augie Schwer wrote:
> Does anyone have any experience using a large ( 1k ) entry ACL list?
> Was there any performance degradation?
>
> I haven't implemented my ACL yet, but it has quickly ballooned up, and I am
> hoping to get some advice from others in
Does anyone have any experience using a large ( 1k ) entry ACL list?
Was there any performance degradation?
I haven't implemented my ACL yet, but it has quickly ballooned up, and I am
hoping to get some advice from others in a similar situation.
--
Augie Schwer-au...@schw
> I'm not very familiar with the concept of views but I wonder if the
> "match-client" statement might be the way to go.
It sounds like the one you're interested in is "match-destinations"
actually.
options {
listen-on port 53 { 128.83.185.40; 128.83.185.41; ; };
...
};
ce to named.conf but only allow
certain IP addresses to issue queries against it.
I'm not very familiar with the concept of views but I wonder if the
"match-client" statement might be the way to go. Alternatively we can
setup an external ACL (or firewall statement) that only al
On 30/08/12 03:17, GS Bryan wrote:
> hmm... that explains it.
>
> Damn, DNSMadeEasy needs to have notify notices sent to a different IP
> set than their nameserver service. This means that I have to hardcode
> this myself.
>
> Another question then, if zone 'example.net' has the NS records of
> '
On 30/08/12 03:19, GS Bryan wrote:
> My BIND version, as shown by 'named -v' is BIND
> 9.9.1-P1-RedHat-9.9.1-2.P1.el6.
>
> 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever.
> --
> Bryan S.G.
>
You're correct - named-checkconf doesn't see the problem, but named
error
My BIND version, as shown by 'named -v' is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6.
'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever.
--
Bryan S.G.
On Thu, Aug 30, 2012 at 9:59 AM, Jeremy C. Reed wrote:
> On Thu, 30 Aug 2012, GS Bryan wrote:
>
>> also-notify { "
23, and 22.22.22.224 right?
--
Bryan S.G.
On Thu, Aug 30, 2012 at 9:42 AM, Doug Barton wrote:
> On 08/29/2012 03:25 PM, GS Bryan wrote:
>> Then when I put the 'alladdr' thing in my 'allow-transfer' and
>> 'also-notify' arguments,
>
> also-notify d
On 08/29/2012 04:02 PM, Mark Andrews wrote:
> A plain address in a acl is shorthand for address/32 or address/128
> depending upon the address type. While they are visually similar
> the two lists are functionally very different.
Mark,
I understand the "behind the scenes"
In message
, GS Bryan writes:
> I tried to use the acl statement in my named.conf file, but I have a
> hard time making it work. In my named.conf file, I've put these acl
> statements in these formats (made up IP addresses mind you):-
>
> ------
> // Individual
On Thu, 30 Aug 2012, GS Bryan wrote:
> also-notify { "alladdr"; };
This uses an ip_addr instead of an address_match_list. Some versions of
named-checkconf will tell you "expected IP address".
> /etc/named.conf:111: masters "alladdr" not found
I can't reproduce your problem. What versio
On 08/29/2012 03:25 PM, GS Bryan wrote:
> Then when I put the 'alladdr' thing in my 'allow-transfer' and
> 'also-notify' arguments,
also-notify does not take an acl. The ARM will give you more information
on the grammar.
That said, this is a very annoying pr
I tried to use the acl statement in my named.conf file, but I have a
hard time making it work. In my named.conf file, I've put these acl
statements in these formats (made up IP addresses mind you):-
--
// Individual ACL list
acl addr1 {
11.22.33.44;
12.23.34.45;
};
Dear Anand,
Yes, both primary and slave running with different version. Will it cause any
problem if both are running with different version?
--- On Sat, 3/12/11, Anand Buddhdev wrote:
From: Anand Buddhdev
Subject: Re: undefined ACL error while running named-checkconf file
To: "
On 03/12/2011 12:44, babu dheen wrote:
Babu,
> I am maintaining the same configuration on primary server but when i
> execute the same command refering /etc/named.rfc1912.zones file, i am
> not getting any error.
Are the files identical? Are the versions of BIND on both servers the
same? Obvious
> /etc/named.rfc1912.zones:78: undefined ACL 'redhat'
> /etc/named.rfc1912.zones:85: undefined ACL 'redhat'
> /etc/named.rfc1912.zones:92: undefined ACL 'redhat'
> /etc/named.rfc1912.zones:100: undefined ACL 'redhat'
Isn't it kind of obvious? Y
Hello,
I am running slave DNS server using BIND. Today when try to run named-checkconf
file as below , i am getting highlighted error.
Kindly assist me
[root@server]# named-checkconf /etc/named.rfc1912.zones
/etc/named.rfc1912.zones:78: undefined ACL 'redhat'
/etc/named.rfc191
hi,
On Sun, 05 Dec 2010 20:57 +, "Evan Hunt" wrote:
> I haven't tested this, but I think it will do what you want:
...
> allow-transfer {
> { !notslave1; key key1; };
> { !notslave2; key key2; };
> none;
> };
this !acl for
4.4.4.4; any; }; key key2; };
};
If you want to use named ACLs, then I think you need to define them
backwards, to reject not accept, something like this:
# pass through any host except slave1 hosts
acl notslave1 { !1.1.1.1; any; };
# pass through any host except slave2 hos
hi,
On Sun, 05 Dec 2010 19:16 +0100, "Sten Carlsen"
wrote:
> Given that you control your key distribution correctly and safely, would
> the following work?
>
> allow-transfer { key key-slave-1; key key-slave-2; };
>
>
> Only relevant slaves have the various keys, so do you need to have the
> I
:
> i've bind9 running as a primaryhost to a number of bind-andb-other
> slaves.
>
> i'm trying to set up to use different TSIG keys with different
> secondaries.
>
> in my named.conf, i've
>
> ...
> acl acl_slave_1 { 1.1.1.1; };
>
i've bind9 running as a primaryhost to a number of bind-andb-other
slaves.
i'm trying to set up to use different TSIG keys with different
secondaries.
in my named.conf, i've
...
acl acl_slave_1 { 1.1.1.1; };
acl acl_slave_2 { 2.2.2.2; 3.3.3.3; 4
Security Advisory Regarding Unexpected ACL Behavior in BIND 9.7.2
Description: There was a flaw where the wrong ACL was applied. This
flaw could allow access to a cache via recursion even though the ACL
disallowed it.
CVE: pending
CERT: pending
Posting date: 2010-09-28
Program
clients that I am serving don't have direct access to the authoritative
servers.
Prabhat.
--- On Mon, 7/12/10, Nuno Paquete wrote:
From: Nuno Paquete
Subject: Re: ACL for forward zone
To: "Prabhat Rana"
Cc: bind-users@lists.isc.org
Date: Monday, July 12, 2010, 4:17 PM
Hi Nuno,
Thanks for the response. However, I don't own the authoritative servers. And
the clients that I am serving don't have direct access to the authoritative
servers.
Prabhat.
--- On Mon, 7/12/10, Nuno Paquete wrote:
> From: Nuno Paquete
> Subject: Re: ACL for f
Hi Prabhat,
I think you don't need this ACL in your forwarder server, define it on
the authoritative server (1.2.3.4 and 5.6.7.8, according to your
example).
Regards,
Nuno Paquete
On 2010/07/12, at 19:27, "Prabhat Rana"
wrote:
Hello all,
I have BIND 9.7.1 insta
Hello all,
I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder for a
certain internal private IP zone to a certain internal DNS servers. In the
meantime I need to use certain ACL so that it would forward the queries and
reply to them only from certain IP address clients. So I
> If there's no built-in, what is the best way to come up with an equivalent?
I think this will work:
acl any6 { ::0/0; };
acl any4 { 0.0.0.0/0; };
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
hi all,
is there a built-in ACL that represents "any" IPv6 connection?
I have some experiment with allow-query { aclhere; };
where aclhere represents any IPv6 network, anywhere from the Internet.
If there's no built-in, what is the best way to come up with an equi
> Matus UHLAR - fantomas wrote:
> > Another question is, can I use master {} as ACL or do I have to define
> > the same IP sets in masters {} and acl {}. Can they at least have the same
> > names?
On 01.03.10 15:25, Cathy Almond wrote:
> I can see what you'r
te:
> It really depends what's more important for you to see. Whether
> you got a recursive query that didn't match a acl or a query that
> failed check-names. Both get REFUSED so the client can't tell the
> difference.
I personally don't care about broken requests
rently too often use "named" so I do this kind of mistypes.
>
> > I wonder if it wouldn't be better to check ACL's first and check-names just
> > after it?
It really depends what's more important for you to see. Whether
you got a recursive query that didn
On 25.02.10 12:01, Matus UHLAR - fantomas wrote:
> I see that hosts that are not allowed to recurse are often generating
> check-named errors.
check-names it is.
I apparently too often use "named" so I do this kind of mistypes.
> I wonder if it wouldn't be better to check ACL's first and check-n
Hello,
I see that hosts that are not allowed to recurse are often generating
check-named errors.
I wonder if it wouldn't be better to check ACL's first and check-names just
after it?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail adv
On 19.10.09 09:49, Mark Andrews wrote:
> acl's can include other acls.
> I'm having a hard time seeing why you need to include a file here.
>
> include "custom.acl"; // defines acl "customacl"
>
> acl "hdanets" {
> 92.168.1.0/24
inside the "view" statement.
> [RT #377, #728, #860]
>
> Roughly, "include" can occur instead of a keyword in any list where all
> list elements are introduced by keywords; e.g. "view", "options", "logging",
> "
re the user can maintain
custom files and leave the basic files alone.
So I have a named.acl that works, I add an include line:
acl "hdanets" {
192.168.1.0/24; // hda network
include "custom.acl";
};
and get the error:
Starting named:
Error in named configura
ld up an environment where the user can maintain
> >>> custom files and leave the basic files alone.
> >>>
> >>> So I have a named.acl that works, I add an include line:
> >>>
> >>> acl "hdanets" {
> >>> 192.168.1