Re: [bitfolk] c.authns.bitfolk.com borken?

Author: Andy Bennett
Date:  
To: users
Subject: Re: [bitfolk] c.authns.bitfolk.com borken?
Hi,

> On Fri, May 06, 2022 at 08:39:19PM +0100, Andy Bennett wrote:
>> Is it possible (and if so, advisable) to use hostnames in the ACLs?
>
> I don't think that would work, no. I think it expects an
> address_match_list which is only IP addresses, basically:
>
>     https://www.zytrax.com/books/dns/ch7/address_match_list.html


Thanks!


>> Otherwise, what's the best way to keep this information up-to-date?
>
> Well, as 'a' is the only one that has been doing AXFRs


Ah right.
...but the zones I host know that b. and c. are secondaries as well so I
think my server sends them NOTIFYs at the appropriate times. Therefore, it
seems consistent to allow them to receive it if they want to.
I'd prefer to not have a custom notify list for domains as that's another
thing to get inconsistent over time; I prefer it to come straight out of
the canonical zone file if possible.

I guess a. also NOTIFYs b. and c. and then they do their transfer from
there? I haven't updated any zones in a while so a quick check of my logs
doesn't give me anything to analyze right now. If it's of interest I can
force a change and see what happens.


> and therefore
> likely to be in ACLs, we have made an effort not to renumber it. I
> don't think it has been renumbered since 2012 when we moved
> everything to our own IP space. So I don't know what you would have
> had for it - something starting with 212.13?


Until this evening my ACL was:

-----
85.119.80.222; 2001:ba8:1f1:f019::53; // a.authns.bitfolk.com
209.237.247.198; 2001:4978:f:f2::2;     // b.authns.bitfolk.com
//209.20.91.73;    2001:4978:f:392::2;    // c.authns.bitfolk.com - Expires 19th March 2012
173.255.227.192; 2600:3c03::31:2053; // c.authns.bitfolk.com
-----


(Note the expired c. one is commented out but I left it in there for
posterity!)


Now the ACL is:

-----
85.119.80.222; 2001:ba8:1f1:f085::53; // a.authns.bitfolk.com
45.33.107.124; 2600:3c01:e000:259::53; // b.authns.bitfolk.com
172.104.29.216; 2600:3c03:e000:432::53; // c.authns.bitfolk.com
-----


wrt. a. the v6 address used to have :f019: and now has :f085:. Perhaps that
was a mistake on my part? I never tested it because I (still!) don't have
any v6 interfaces configured on my VPS.



> It would just be a case of us announcing the renumbering on the
> announce@ mailing list, with as much notice as we could, I suppose.
>
> Maybe we should add some serial number monitoring, so if your zone
> serial number changes but ours doesn't (because AXFR failed) then
> that difference would be an alert.


That sounds useful but I am happy to be told that monitoring the
up-to-date-ness of secondary servers for my domains is my responsibility!
:-)




Best wishes,
@ndy

--
andyjpb@???
http://www.ashurst.eu.org/
0x7EBA75FF
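The serial-number monitoring idea raised in the thread (alert when the primary's zone serial moves but a secondary's does not, e.g. because AXFR was blocked by a stale ACL) can be implemented without any DNS library. The script below is an added example, not BitFolk's code or anything from the list: it builds a raw SOA query, parses the serial out of the response (handling name compression), compares serials with RFC 1982 wrap-around arithmetic, and reports secondaries that are behind or unreachable. The zone name, server addresses and the sample response bytes are constructed for illustration.

```python
"""Check that every secondary nameserver has caught up to the primary's SOA serial.

Added example (not from the mailing list). Usage:
    python soa_check.py example.com 192.0.2.1 192.0.2.2 198.51.100.3
where the first address is the primary and the rest are secondaries
(addresses above are documentation ranges, i.e. placeholders).
"""
import socket
import struct
import sys
from typing import Dict, Optional

DNS_PORT = 53
QTYPE_SOA = 6
QCLASS_IN = 1
MOD = 2 ** 32


def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: one question, RD=0 (we want the authoritative answer)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length


def parse_soa_serial(msg: bytes) -> Optional[int]:
    """Extract the SOA serial from a DNS response, or None if there is no SOA answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:                # RCODE other than NOERROR
        return None
    off = 12
    for _ in range(qd):                    # skip the question section
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA:
            rd = _skip_name(msg, off)      # MNAME
            rd = _skip_name(msg, rd)       # RNAME
            return struct.unpack("!I", msg[rd:rd + 4])[0]
        off += rdlen
    return None


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is 'newer' than b, modulo 2^32."""
    return a != b and ((a - b) % MOD) < MOD // 2


def query_serial(server_ip: str, zone: str, timeout: float = 3.0) -> Optional[int]:
    """Send the SOA query over UDP and return the serial, or None on timeout/error."""
    query = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, DNS_PORT))
            reply, _ = sock.recvfrom(4096)
        except OSError:
            return None
    if reply[:2] != query[:2]:             # transaction id mismatch
        return None
    return parse_soa_serial(reply)


def find_stale(primary_serial: int, secondary_serials: Dict[str, Optional[int]]) -> Dict[str, Optional[int]]:
    """Secondaries that are behind the primary (or unreachable, reported as None)."""
    return {srv: s for srv, s in secondary_serials.items()
            if s is None or serial_gt(primary_serial, s)}


# Constructed sample response for example.com (QR+AA set, one SOA answer,
# serial 2022050601) so the parser can be exercised offline.
SAMPLE_SOA_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, 38)
    + b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"
    + struct.pack("!IIIII", 2022050601, 7200, 900, 1209600, 3600)
)

if __name__ == "__main__":
    zone, primary, *secondaries = sys.argv[1:]
    primary_serial = query_serial(primary, zone)
    if primary_serial is None:
        sys.exit(f"primary {primary} did not answer for {zone}")
    stale = find_stale(primary_serial, {s: query_serial(s, zone) for s in secondaries})
    for srv, serial in stale.items():
        print(f"ALERT {zone}: {srv} has serial {serial}, primary has {primary_serial}")
    sys.exit(1 if stale else 0)
```

Run it from cron against the primary and each authns host; a non-zero exit (or the ALERT lines) is the signal that a NOTIFY or AXFR is failing, which is exactly the case a renumbered secondary and an unchanged ACL would produce. The RFC 1982 comparison matters because a serial that wrapped past 2^32 must still count as newer.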