From: Chris Maness
To: krad
Cc: freebsd-questions@freebsd.org
Date: Thu, 1 Jul 2010 07:05:37 -0700
Subject: Re: BIND Refusing to Resolve for External Hosts

Can a sub block of IP address space be used, and if so, what is the wild card?

Chris

On Wed, Jun 30, 2010 at 7:34 AM, Chris Maness wrote:
> On Wed, Jun 30, 2010 at 1:49 AM, krad wrote:
>>
>>
>> On 29 June 2010 07:20, Chris Maness wrote:
>>>
>>> My named server used to resolve for external hosts.  Recently I have
>>> noticed that it no longer resolves names for resolvers not on the
>>> local host.  It works just fine for dig on the dns server itself.  It
>>> also works for domains that it has authority over.  I also have it set
>>> up to be a caching server on my network.  Has the spec for the config
>>> file changed or something?
>>>
>>> Here is the beginning of the config file:
>>>
>>> cat named.conf
>>> // $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25 02:59:29 kensmith Exp $
>>> //
>>> // Refer to the named.conf(5) and named(8) man pages, and the documentation
>>> // in /usr/share/doc/bind9 for more details.
>>> //
>>> // If you are going to set up an authoritative server, make sure you
>>> // understand the hairy details of how DNS works.  Even with
>>> // simple mistakes, you can break connectivity for affected parties,
>>> // or cause huge amounts of useless Internet traffic.
>>>
>>> options {
>>>         // Relative to the chroot directory, if any
>>>         directory       "/etc/namedb";
>>>         pid-file        "/var/run/named/pid";
>>>         dump-file       "/var/dump/named_dump.db";
>>>         statistics-file "/var/stats/named.stats";
>>>         allow-transfer {
>>>                 76.238.148.146;
>>>                 };
>>>
>>> // If named is being used only as a local resolver, this is a safe default.
>>> // For named to be accessible to the network, comment this option, specify
>>> // the proper IP address, or delete this option.
>>> //      listen-on       { 127.0.0.1; };
>>>
>>> // If you have IPv6 enabled on this system, uncomment this option for
>>> // use as a local resolver.  To give access to the network, specify
>>> // an IPv6 address, or the keyword "any".
>>> //      listen-on-v6    { ::1; };
>>>
>>> // These zones are already covered by the empty zones listed below.
>>> // If you remove the related empty zones below, comment these lines out.
>>>         disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
>>>         disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>>>         disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>>>
>>> // In addition to the "forwarders" clause, you can force your name
>>> // server to never initiate queries of its own, but always ask its
>>> // forwarders only, by enabling the following line:
>>> //
>>> //      forward only;
>>>
>>> // If you've got a DNS server around at your upstream provider, enter
>>> // its IP address here, and enable the line below.  This will make you
>>> // benefit from its cache, thus reduce overall DNS traffic in the Internet.
>>> /*
>>>         forwarders {
>>>                 127.0.0.1;
>>>         };
>>> */
>>>         /*
>>>            Modern versions of BIND use a random UDP port for each outgoing
>>>            query by default in order to dramatically reduce the possibility
>>>            of cache poisoning.  All users are strongly encouraged to utilize
>>>            this feature, and to configure their firewalls to accommodate it.
>>>
>>>            AS A LAST RESORT in order to get around a restrictive firewall
>>>            policy you can try enabling the option below.  Use of this option
>>>            will significantly reduce your ability to withstand cache poisoning
>>>            attacks, and should be avoided if at all possible.
>>>
>>>            Replace NNNNN in the example with a number between 49160 and 65530.
>>>         */
>>>         // query-source address * port NNNNN;
>>> };
>>>
>>> // If you enable a local name server, don't forget to enter 127.0.0.1
>>> // first in your /etc/resolv.conf so this server will be queried.
>>> // Also, make sure to enable it in /etc/rc.conf.
>>>
>>> // The traditional root hints mechanism. Use this, OR the slave zones below.
>>> zone "." { type hint; file "named.root"; };
>>>
>>> /*      Slaving the following zones from the root name servers has some
>>>         significant advantages:
>>>         1. Faster local resolution for your users
>>>         2. No spurious traffic will be sent from your network to the roots
>>>         3. Greater resilience to any potential root server failure/DDoS
>>>
>>>         On the other hand, this method requires more monitoring than the
>>>         hints file to be sure that an unexpected failure mode has not
>>>         incapacitated your server.  Name servers that are serving a lot
>>>         of clients will benefit more from this approach than individual
>>>         hosts.  Use with caution.
>>>
>>>         To use this mechanism, uncomment the entries below, and comment
>>>         the hint zone above.
>>> */
>>> /*
>>> zone "." {
>>>         type slave;
>>>         file "slave/root.slave";
>>>         masters {
>>>                 192.5.5.241;    // F.ROOT-SERVERS.NET.
>>>         };
>>>         notify no;
>>> };
>>>
>>> zone "0.0.127.IN-ADDR.ARPA" {
>>>         type master;
>>>         file "master/localhost.rev";
>>> };
>>> zone "in-addr.arpa" {
>>>         type slave;
>>>         file "slave/in-addr.arpa.slave";
>>>         masters {
>>>                 192.5.5.241;    // F.ROOT-SERVERS.NET.
>>>         };
>>>         notify no;
>>> };
>>> */
>>>
>>> /*      Serving the following zones locally will prevent any queries
>>>         for these zones leaving your network and going to the root
>>>         name servers.  This has two significant advantages:
>>>         1. Faster local resolution for your users
>>>         2. No spurious traffic will be sent from your network to the roots
>>> */
>>> // RFC 1912
>>> zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
>>> zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
>>>
>>> // RFC 1912-style zone for IPv6 localhost address
>>> zone "0.ip6.arpa"       { type master; file "master/localhost-reverse.db"; };
>>>
>>> // "This" Network (RFCs 1912 and 3330)
>>> zone "0.in-addr.arpa"           { type master; file "master/empty.db"; };
>>>
>>> // Private Use Networks (RFC 1918)
>>> zone "10.in-addr.arpa"          { type master; file "master/empty.db"; };
>>> zone "16.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "17.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "18.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "19.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "20.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "21.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "22.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "23.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "24.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "25.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "26.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "27.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "28.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "29.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "30.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "31.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "168.192.in-addr.arpa"     { type master; file "master/empty.db"; };
>>>
>>> // Link-local/APIPA (RFCs 3330 and 3927)
>>> zone "254.169.in-addr.arpa"     { type master; file "master/empty.db"; };
>>>
>>> // TEST-NET for Documentation (RFC 3330)
>>> zone "2.0.192.in-addr.arpa"     { type master; file "master/empty.db"; };
>>>
>>> // Router Benchmark Testing (RFC 3330)
>>> zone "18.198.in-addr.arpa"      { type master; file "master/empty.db"; };
>>> zone "19.198.in-addr.arpa"      { type master; file "master/empty.db"; };
>>>
>>> // IANA Reserved - Old Class E Space
>>> zone "240.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "241.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "242.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "243.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "244.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "245.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "246.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "247.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "248.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "249.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "250.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "251.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "252.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "253.in-addr.arpa"         { type master; file "master/empty.db"; };
>>> zone "254.in-addr.arpa"         { type master; file "master/empty.db"; };
>>>
>>> // IPv6 Unassigned Addresses (RFC 4291)
>>> zone "1.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "3.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "4.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "5.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "6.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "7.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "8.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "9.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "a.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "b.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "c.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "d.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "e.ip6.arpa"               { type master; file "master/empty.db"; };
>>> zone "0.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "1.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "2.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "3.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "4.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "5.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "6.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "7.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "8.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "9.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "a.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "b.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "0.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "1.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "2.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "3.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "4.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "5.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "6.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "7.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>>
>>> // IPv6 ULA (RFC 4193)
>>> zone "c.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>> zone "d.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>>
>>> // IPv6 Link Local (RFC 4291)
>>> zone "8.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "9.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "a.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "b.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>>
>>> // IPv6 Deprecated Site-Local Addresses (RFC 3879)
>>> zone "c.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "d.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "e.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>> zone "f.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>>
>>> // IP6.INT is Deprecated (RFC 4159)
>>> zone "ip6.int"                  { type master; file "master/empty.db"; };
>>>
>>> // NB: Do not use the IP addresses below, they are faked, and only
>>> // serve demonstration/documentation purposes!
>>> //
>>> // Example slave zone config entries.  It can be convenient to become
>>> // a slave at least for the zone your own domain is in.  Ask
>>> // your network administrator for the IP address of the responsible
>>> // master name server.
>>> //
>>> // Do not forget to include the reverse lookup zone!
>>> // This is named after the first bytes of the IP address, in reverse
>>> // order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
>>> //
>>> // Before starting to set up a master zone, make sure you fully
>>> // understand how DNS and BIND work.  There are sometimes
>>> // non-obvious pitfalls.  Setting up a slave zone is usually simpler.
>>> //
>>> // NB: Don't blindly enable the examples below. :-)  Use actual names
>>> // and addresses instead.
>>>
>>> /* An example dynamic zone
>>> key "exampleorgkey" {
>>>         algorithm hmac-md5;
>>>         secret "sf87HJqjkqh8ac87a02lla==";
>>> };
>>> zone "example.org" {
>>>         type master;
>>>         allow-update {
>>>                 key "exampleorgkey";
>>>         };
>>>         file "dynamic/example.org";
>>> };
>>> */
>>>
>>> /* Example of a slave reverse zone
>>> zone "1.168.192.in-addr.arpa" {
>>>         type slave;
>>>         file "slave/1.168.192.in-addr.arpa";
>>>         masters {
>>>                 192.168.1.1;
>>>         };
>>> };
>>> */
>>>
>>> zone "97.179.208.in-addr.arpa" IN {
>>>         type master;
>>>         file "master/reverse.zone";
>>>         allow-transfer { 76.238.148.146; 4.35.33.247; };
>>> };
>>>
>>>
>>> zone "localhost" IN {
>>>         type master;
>>>         file "localhost.zone";
>>>         allow-update { none; };
>>> };
>>>
>>> zone "chrismaness.com" {
>>>         type master;
>>>         file "master/chrismaness.com";
>>>         // IP addresses of slave servers allowed to transfer chrismaness.com
>>>         allow-transfer {
>>>                 76.238.148.146;
>>>                 };
>>>
>>> };
>>>
>>> ###########
>>>
>>> Does anything look strange here?  I also tried uncommenting the listen
>>> on directive with the correct IP, and my server stopped resolving
>>> names for hosts that it is authoritative for.
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks,
>>> Chris Maness
>>
>>
>> you may want to explicitly set up a recursion acl on it. Look at these
>> options below. The defaults may have changed when you did an upgrade
>>
>>         allow-query { auth_hosts; };
>>         allow-recursion { auth_hosts; };
>>         allow-query-cache { auth_hosts; };
>>
>>
>
> What is a recursion acl?  Can I just add these lines to my config file
> to set it up?  Is the auth_hosts flag referring to a file with
> authorized clients?
>
> I did figure that something got nailed during mergemaster.
>
> Thanks,
> Chris Maness
>
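
The recursion ACL suggested in the quoted reply, written out as a named.conf fragment (an added example, not part of the original thread). The name auth_hosts comes from that reply; the 192.0.2.0/24 and 198.51.100.64/26 networks are constructed placeholders from the documentation address ranges.

```conf
// Added example, not taken from the thread. The two networks are
// constructed placeholders from the RFC 5737 documentation ranges;
// replace them with the client networks this server should serve.

// An acl is a named address match list declared in named.conf itself
// (not a separate file) and must appear before the options that use it.
// There is no wildcard character: a block of addresses is written as a
// network prefix followed by its length in bits.
acl auth_hosts {
        localhost;              // built-in: addresses of this server
        localnets;              // built-in: directly attached networks
        192.0.2.0/24;           // constructed: a whole /24
        198.51.100.64/26;       // constructed: a sub-block, .64 to .127
};

options {
        // ... existing options from the posted file stay as they are ...

        // Recursive lookups and cached answers only for trusted clients.
        allow-recursion   { auth_hosts; };
        allow-query-cache { auth_hosts; };

        // An options-level allow-query also applies to every zone that
        // does not set its own, so a server that is authoritative for
        // public zones keeps this open (or overrides it per zone).
        allow-query       { any; };
};
```

Running named-checkconf on the edited file catches syntax errors before named is restarted.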