Views causing zone transfer problems?
Chris Buxton
cbuxton at menandmice.com
Thu Sep 20 19:07:40 UTC 2007
The problem is, the notify packets are hitting the external view. Use
a match-destination (check the spelling on that) statement in the
slave's views, and make sure the master is notifying the correct
slave interface.
Chris Buxton
Men & Mice
On Sep 20, 2007, at 10:38 AM, Scott Lacy wrote:
> So far, it seems to boil down to what view the slave has of the master
> (68.143.210.80). If the slave sees the master as external, then
> external view zone transfers work. If the slave sees it as internal,
> then internal zone transfers work.
>
> I have transfer-source statements set up for each zone appropriately
> (external interface for external view, internal interface for internal
> view), yet the serial number it pulls is always dependent on what acl
> the master server's ip address falls under on the slave (internal or
> external).
>
> Any suggestions short of moving the master for one of the zones to
> another IP?
>
> Thanks!
>
> On 9/20/07, Scott Lacy <eslacy at gmail.com> wrote:
>> Hi all,
>>
>> I'm having an odd problem with zone transfers relating to views in
>> Bind 9:
>>
>> I have a master with one interface, and a slave with two physical
>> interfaces (10.30.80.5 and 68.143.211.2), one for each view (internal
>> and external). The problem I am having is that when I do a reload
>> for
>> one of my zones (regardless of whether it is internal or external),
>> the slave is consistently querying serial numbers for the external
>> view. I think it's seeing the master as external, thus it is always
>> querying the external zone's serial rather than the internal. If
>> I do
>> it the other way, though, it would always query the internal zone's
>> serial. Am I going to need to set up a second IP on the master to
>> get
>> this working properly? Conf files and logs follow. I really
>> appreciate any help/advice I can get.
>>
>> Master named.conf:
>>
>> options {
>> directory "/var/named";
>> query-source address * port 53;
>> allow-transfer { 10.30.80.5; 68.143.211.2; };
>>
>> };
>>
>> acl "internalnets" { !68.143.211.2; 10.0.0.0/8; 68.143.211.0/16; };
>>
>> view "internal" {
>>
>> match-clients {
>> internalnets;
>> };
>>
>> (miscellaneous zone info here, pretty vanilla)
>>
>>
>> view "external" {
>>
>> match-clients { any; };
>> recursion no;
>>
>> (miscellaneous zone info here, pretty vanilla)
>> }
>>
>>
>>
>> Slave named.conf:
>>
>> options {
>> directory "/var/named";
>> dump-file "/var/named/data/cache_dump.db";
>> statistics-file "/var/named/data/named_stats.txt";
>> notify no;
>> /*
>> * If there is a firewall between you and nameservers you
>> want
>> * to talk to, you might need to uncomment the query-source
>> * directive below. Previous versions of BIND always asked
>> * questions using port 53, but BIND 8.1 uses an unprivileged
>> * port by default.
>> */
>> // query-source address * port 53;
>> };
>>
>> //68.143.210.80 is the master nameserver
>> acl "internalnets" { !68.143.210.80; 10.0.0.0/8; 68.143.211.0/16; };
>>
>> view "internal" {
>> match-clients {
>> internalnets;
>> };
>>
>> a sample internal zone:
>>
>> zone "fubar.com" IN {
>> type slave;
>> masters { 68.143.210.80; };
>> transfer-source 10.30.80.5;
>> file "/var/named/internal/fubar.com";
>> };
>>
>>
>>
>>
>> view "external" {
>>
>> match-clients { any; };
>> recursion no;
>>
>> a sample external zone:
>>
>> zone "fubar.com" IN {
>> type slave;
>> masters { 68.143.210.80; };
>> transfer-source 68.143.211.2;
>> file "/var/named/external/fubar.com";
>> };
>>
>>
>>
>> If I increment the serial on the external zone on the master and
>> reload via "rndc reload fubar.com IN external" on the master, the
>> slave logs:
>>
>> Sep 20 09:18:28 slave-dns named[4951]: client 68.143.210.80#32963:
>> view external: received notify for zone 'fubar.com'
>> Sep 20 09:18:28 slave-dns named[4951]: zone fubar.com/IN/external:
>> Transfer started.
>> Sep 20 09:18:28 slave-dns named[4951]: transfer of 'fubar.com/IN'
>> from
>> 68.143.210.80#53: connected using 68.143.211.2#37095
>> Sep 20 09:18:28 slave-dns named[4951]: zone fubar.com/IN/external:
>> transferred serial 2007060415
>> Sep 20 09:18:28 slave-dns named[4951]: transfer of 'fubar.com/IN'
>> from
>> 68.143.210.80#53: end of transfer
>>
>>
>> If I increment the serial on the internal zone on the master and
>> reload via "rndc reload fubar.com IN internal" on the master, the
>> slave logs:
>>
>> Sep 20 09:19:45 slave-dns named[4951]: client 68.143.210.80#32963:
>> view external: received notify for zone 'fubar.com'
>> Sep 20 09:19:45 slave-dns named[4951]: zone fubar.com/IN/external:
>> notify from 68.143.210.80#32963: zone is up to date
>>
>
>
More information about the bind-users
mailing list