Date:      Thu, 1 Jul 2010 07:05:37 -0700
From:      Chris Maness <chris@chrismaness.com>
To:        krad <kraduk@googlemail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: BIND Refusing to Resolve for External Hosts
Message-ID:  <AANLkTikp3KxZ3hwo5o5Zv2jS7Q9unVvXmXSVB0HBgkdZ@mail.gmail.com>
In-Reply-To: <AANLkTinhx0LuivXNQNQKz3g57OSWTScWIIyZlP_ngrdk@mail.gmail.com>
References:  <AANLkTimgwvEhu9gt-L9_apH_rnwsv3NHSBARpHJepsvy@mail.gmail.com> <AANLkTimWrBi3wxvkKR0tLabbI1nz7fU_7xu0QZFeJ8ep@mail.gmail.com> <AANLkTinhx0LuivXNQNQKz3g57OSWTScWIIyZlP_ngrdk@mail.gmail.com>

Can a sub block of IP address space be used, and if so, what is the wild card?

Chris

On Wed, Jun 30, 2010 at 7:34 AM, Chris Maness <chris@chrismaness.com> wrote:
> On Wed, Jun 30, 2010 at 1:49 AM, krad <kraduk@googlemail.com> wrote:
>>
>>
>> On 29 June 2010 07:20, Chris Maness <chris@chrismaness.com> wrote:
>>>
>>> My named server used to resolve for external hosts.  Recently I have
>>> noticed that it no longer resolves names for resolvers not on the
>>> local host.  It works just fine for dig on the dns server itself.  It
>>> also works for domains that it has authority over.  I also have it set
>>> up to be a caching server on my network.  Has the spec for the config
>>> file changed or something?
>>>
>>> Here is the beginning of the config file:
>>>
>>> cat named.conf
>>> // $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25 02:59:29 kensmith Exp $
>>> //
>>> // Refer to the named.conf(5) and named(8) man pages, and the documentation
>>> // in /usr/share/doc/bind9 for more details.
>>> //
>>> // If you are going to set up an authoritative server, make sure you
>>> // understand the hairy details of how DNS works.  Even with
>>> // simple mistakes, you can break connectivity for affected parties,
>>> // or cause huge amounts of useless Internet traffic.
>>>
>>> options {
>>>         // Relative to the chroot directory, if any
>>>         directory       "/etc/namedb";
>>>         pid-file        "/var/run/named/pid";
>>>         dump-file       "/var/dump/named_dump.db";
>>>         statistics-file "/var/stats/named.stats";
>>>         allow-transfer {
>>>                 76.238.148.146;
>>>                 };
>>>
>>> // If named is being used only as a local resolver, this is a safe default.
>>> // For named to be accessible to the network, comment this option, specify
>>> // the proper IP address, or delete this option.
>>> //      listen-on       { 127.0.0.1; };
>>>
>>> // If you have IPv6 enabled on this system, uncomment this option for
>>> // use as a local resolver.  To give access to the network, specify
>>> // an IPv6 address, or the keyword "any".
>>> //      listen-on-v6    { ::1; };
>>>
>>> // These zones are already covered by the empty zones listed below.
>>> // If you remove the related empty zones below, comment these lines out.
>>>         disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
>>>         disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>>>         disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>>>
>>> // In addition to the "forwarders" clause, you can force your name
>>> // server to never initiate queries of its own, but always ask its
>>> // forwarders only, by enabling the following line:
>>> //
>>> //      forward only;
>>>
>>> // If you've got a DNS server around at your upstream provider, enter
>>> // its IP address here, and enable the line below.  This will make you
>>> // benefit from its cache, thus reduce overall DNS traffic in the Internet.
>>> /*
>>>         forwarders {
>>>                 127.0.0.1;
>>>         };
>>> */
>>>         /*
>>>            Modern versions of BIND use a random UDP port for each outgoing
>>>            query by default in order to dramatically reduce the possibility
>>>            of cache poisoning.  All users are strongly encouraged to utilize
>>>            this feature, and to configure their firewalls to accommodate it.
>>>
>>>            AS A LAST RESORT in order to get around a restrictive firewall
>>>            policy you can try enabling the option below.  Use of this option
>>>            will significantly reduce your ability to withstand cache poisoning
>>>            attacks, and should be avoided if at all possible.
>>>
>>>            Replace NNNNN in the example with a number between 49160 and 65530.
>>>         */
>>>         // query-source address * port NNNNN;
>>> };
>>>
>>> // If you enable a local name server, don't forget to enter 127.0.0.1
>>> // first in your /etc/resolv.conf so this server will be queried.
>>> // Also, make sure to enable it in /etc/rc.conf.
>>>
>>> // The traditional root hints mechanism. Use this, OR the slave zones below.
>>> zone "." { type hint; file "named.root"; };
>>>
>>> /*      Slaving the following zones from the root name servers has some
>>>         significant advantages:
>>>         1. Faster local resolution for your users
>>>         2. No spurious traffic will be sent from your network to the roots
>>>         3. Greater resilience to any potential root server failure/DDoS
>>>
>>>         On the other hand, this method requires more monitoring than the
>>>         hints file to be sure that an unexpected failure mode has not
>>>         incapacitated your server.  Name servers that are serving a lot
>>>         of clients will benefit more from this approach than individual
>>>         hosts.  Use with caution.
>>>
>>>         To use this mechanism, uncomment the entries below, and comment
>>>         the hint zone above.
>>> */
>>> /*
>>> zone "." {
>>>         type slave;
>>>         file "slave/root.slave";
>>>         masters {
>>>                 192.5.5.241;    // F.ROOT-SERVERS.NET.
>>>         };
>>>         notify no;
>>> };
>>>
>>> zone "0.0.127.IN-ADDR.ARPA" {
>>>         type master;
>>>         file "master/localhost.rev";
>>> };
>>> zone "in-addr.arpa" {
>>>         type slave;
>>>         file "slave/in-addr.arpa.slave";
>>>         masters {
>>>                 192.5.5.241;    // F.ROOT-SERVERS.NET.
>>>         };
>>>         notify no;
>>> };
>>> */
>>>
>>> /*      Serving the following zones locally will prevent any queries
>>>         for these zones leaving your network and going to the root
>>>         name servers.  This has two significant advantages:
>>>         1. Faster local resolution for your users
>>>         2. No spurious traffic will be sent from your network to the roots
>>> */
>>> // RFC 1912
>>> zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
>>> zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
>>>
>>> // RFC 1912-style zone for IPv6 localhost address
>>> zone "0.ip6.arpa"       { type master; file "master/localhost-reverse.db"; };
>>>
>>> // "This" Network (RFCs 1912 and 3330)
>>> zone "0.in-addr.arpa"           { type master; file "master/empty.db"; };
>>>
>>> // Private Use Networks (RFC 1918)
>>> zone "10.in-addr.arpa"          { type master; file "master/empty.db"; };
>>> zone "16.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "17.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "18.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "19.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "20.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "21.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "22.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "23.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "24.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "25.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "26.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "27.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "28.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "29.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "30.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "31.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "168.192.in-addr.arpa"     { type master; file "master/empty.db"; };
>>>
>>> // Link-local/APIPA (RFCs 3330 and 3927)
>>> zone "254.169.in-addr.arpa"     { type master; file "master/empty.db"; };
>>>
>>> // TEST-NET for Documentation (RFC 3330)
>>> zone "2.0.192.in-addr.arpa"     { type master; file "master/empty.db"; };
>>>
>>> // Router Benchmark Testing (RFC 3330)
>>> zone "18.198.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "19.198.in-addr.arpa"      { type master; file "master/empty.db"; };
>>>
>>> // IANA Reserved - Old Class E Space
>>> zone "240.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "241.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "242.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "243.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "244.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "245.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "246.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "247.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "248.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "249.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "250.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "251.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "252.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "253.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "254.in-addr.arpa"         { type master; file "master/empty.db"; };
>>>
>>> // IPv6 Unassigned Addresses (RFC 4291)
>>> zone "1.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "3.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "4.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "5.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "6.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "7.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "8.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "9.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "a.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "b.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "c.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "d.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "e.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "0.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "1.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "2.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "3.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "4.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "5.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "6.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "7.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "8.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "9.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "a.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "b.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "0.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "1.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "2.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "3.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "4.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "5.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "6.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "7.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>>
>>> // IPv6 ULA (RFC 4193)
>>> zone "c.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "d.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>>
>>> // IPv6 Link Local (RFC 4291)
>>> zone "8.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "9.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "a.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "b.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>>
>>> // IPv6 Deprecated Site-Local Addresses (RFC 3879)
>>> zone "c.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "d.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "e.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "f.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>>
>>> // IP6.INT is Deprecated (RFC 4159)
>>> zone "ip6.int"                  { type master; file "master/empty.db"; };
>>>
>>> // NB: Do not use the IP addresses below, they are faked, and only
>>> // serve demonstration/documentation purposes!
>>> //
>>> // Example slave zone config entries.  It can be convenient to become
>>> // a slave at least for the zone your own domain is in.  Ask
>>> // your network administrator for the IP address of the responsible
>>> // master name server.
>>> //
>>> // Do not forget to include the reverse lookup zone!
>>> // This is named after the first bytes of the IP address, in reverse
>>> // order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
>>> //
>>> // Before starting to set up a master zone, make sure you fully
>>> // understand how DNS and BIND work.  There are sometimes
>>> // non-obvious pitfalls.  Setting up a slave zone is usually simpler.
>>> //
>>> // NB: Don't blindly enable the examples below. :-)  Use actual names
>>> // and addresses instead.
>>>
>>> /* An example dynamic zone
>>> key "exampleorgkey" {
>>>         algorithm hmac-md5;
>>>         secret "sf87HJqjkqh8ac87a02lla==";
>>> };
>>> zone "example.org" {
>>>         type master;
>>>         allow-update {
>>>                 key "exampleorgkey";
>>>         };
>>>         file "dynamic/example.org";
>>> };
>>> */
>>>
>>> /* Example of a slave reverse zone
>>> zone "1.168.192.in-addr.arpa" {
>>>         type slave;
>>>         file "slave/1.168.192.in-addr.arpa";
>>>         masters {
>>>                 192.168.1.1;
>>>         };
>>> };
>>> */
>>>
>>> zone "97.179.208.in-addr.arpa" IN {
>>>         type master;
>>>         file "master/reverse.zone";
>>>         allow-transfer { 76.238.148.146; 4.35.33.247; };
>>> };
>>>
>>>
>>> zone "localhost" IN {
>>>         type master;
>>>         file "localhost.zone";
>>>         allow-update { none; };
>>> };
>>>
>>> zone "chrismaness.com" {
>>>         type master;
>>>         file "master/chrismaness.com";
>>>         // IP addresses of slave servers allowed to transfer chrismaness.com
>>>         allow-transfer {
>>>                 76.238.148.146;
>>>                 };
>>>
>>> };
>>>
>>> ###########
>>>
>>> Does anything look strange here?  I also tried uncommenting the listen
>>> on directive with the correct IP, and my server stopped resolving
>>> names for hosts that it is authoritative for.
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks,
>>> Chris Maness
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to
>>> "freebsd-questions-unsubscribe@freebsd.org"
>>
>>
>> You may want to explicitly set up a recursion acl on it. Look at these
>> options below. The defaults may have changed when you did an upgrade.
>>
>>         allow-query { auth_hosts; };
>>         allow-recursion { auth_hosts; };
>>         allow-query-cache { auth_hosts; };
>>
>>
>
> What is a recursion acl?  Can I just add these lines to my config file
> to set it up?  Is the auth_hosts flag referring to a file with
> authorized clients?
>
> I did figure that something got nailed during mergemaster.
>
> Thanks,
> Chris Maness
>
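
An added example, not part of the original thread, of the ACL the reply refers to: `auth_hosts` is the name of an `acl` statement defined in named.conf rather than a file, and a sub block is written as address/prefix-length instead of with a wildcard. The addresses are constructed documentation ranges, and `allow-query` is left open on the assumption that the server must keep answering outside hosts for the zones it is authoritative for.

```conf
// Added example, not from the thread.  All addresses are constructed
// documentation ranges; replace them with your own networks.

// "auth_hosts" is a named address match list.  Define it before the
// options block that refers to it.
acl auth_hosts {
        localhost;              // built-in ACL: this host's own addresses
        localnets;              // built-in ACL: directly attached networks
        192.0.2.0/24;           // a whole /24, as address/prefix-length
        198.51.100.64/27;       // a sub block: 198.51.100.64 - 198.51.100.95
        2001:db8:1::/48;        // IPv6 uses the same prefix notation
};

// These statements go inside the existing options { ... } block.
options {
        // Too permissive: recursion for everyone makes the server an
        // open resolver that any host on the Internet can use.
        // allow-recursion { any; };

        // Authoritative zone data stays answerable by everyone ...
        allow-query       { any; };

        // ... while recursion and answers from the cache are limited
        // to the clients listed in the ACL above.
        allow-recursion   { auth_hosts; };
        allow-query-cache { auth_hosts; };
};
```

Running `named-checkconf` on the edited file before restarting named catches syntax errors such as an ACL referenced before it is defined.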


