Shared dynamic zone on external view?
Mark Andrews
marka at isc.org
Wed Nov 7 22:23:05 UTC 2012
In message <509A8796.7060005 at nryc.fr>, "Nicolas C." writes:
> Hello,
>
> I have a dynamic zone on an external view, this zone is updated with a
> TSIG key from outside of our network. There is a secondary DNS server,
> also outside our network on which zone transfers are working fine with
> no key.
>
> We would like to make one of our internal DNS secondary for this zone
> and we have the "dynamic zone shared between views" problem. I tried to
> follow the FAQ but no luck so far.
>
> I'm not sure that what I'm trying to do is possible, can someone confirm
> this?
>
> Should I follow the FAQ and make my dynamic zone "master" on the
> "internal" view? That makes less sense to us because these are public
> zones, updated from the outside.
>
> This is my configuration:
>
> view "internal" {
> match-clients {
>
> !key external;
> key shared;
>
> <IPv4/IPv6 ranges including IPv4-of-my-DNS>
> };
>
> zone "<my_zone>" {
> type slave;
> file "db.shared-int";
> masters { IPv4-of-my-DNS; };

You need to force the internal zone to talk to the external zone.

masters { IPv4-of-my-DNS key external; };

> transfer-source IPv4-of-my-DNS;
> };
> };
>
> view "external" {
>
> match-clients { !key shared; any; };
> allow-transfer { IPv4-of-my-DNS; };
> server IPv4-of-my-DNS { keys { shared; }; };
>
> zone "<my_zone>" {
> type master;
> file "db.shared-ext";
> notify yes;
> also-notify { IPv4-of-my-DNS; };
>
> update-policy {
> grant another-key subdomain <my_zone> ANY;
> grant principal@REA.LM subdomain <my_zone> ANY;
> };
> };
> };
>
> When I reload the configuration or try to initiate a zone transfer with
> dig and the "shared" key, I have this message in the logs.
>
> zone <my_zone>/IN/internal: refresh: unexpected rcode (SERVFAIL) from
> master IPv4-of-my-DNS#53 (source IPv4-of-my-DNS#0)
>
> Regards,
>
> Nicolas
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
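
The view selection behind this thread, as an added example that is not part of the original messages: it models each `match-clients` list as first-match-wins with negation and shows which view answers a request depending on the TSIG key that signs it. The addresses `192.0.2.53`, `192.0.2.0/24` and `198.51.100.7` are constructed placeholders for the values elided in the post, and `any` is modelled for IPv4 only.

```python
import ipaddress

# Constructed placeholders; the post elides the real address and ranges.
MY_DNS = "192.0.2.53"             # stands in for IPv4-of-my-DNS
INTERNAL_NETS = ["192.0.2.0/24"]  # stands in for the internal ranges

# Views in named.conf order; each ACL element is (negated, kind, value).
VIEWS = [
    ("internal", [(True, "key", "external"), (False, "key", "shared")]
                 + [(False, "net", n) for n in INTERNAL_NETS]),
    # "any" is modelled as 0.0.0.0/0 (IPv4 only in this sketch).
    ("external", [(True, "key", "shared"), (False, "net", "0.0.0.0/0")]),
]

def element_matches(kind, value, src, tsig_key):
    """A key element matches the signing key; a net element matches the source."""
    if kind == "key":
        return tsig_key == value
    return ipaddress.ip_address(src) in ipaddress.ip_network(value)

def acl_accepts(acl, src, tsig_key):
    """The first matching element decides; a negated match rejects."""
    for negated, kind, value in acl:
        if element_matches(kind, value, src, tsig_key):
            return not negated
    return False

def select_view(src, tsig_key=None):
    """Return the first view whose match-clients accepts the request."""
    for name, acl in VIEWS:
        if acl_accepts(acl, src, tsig_key):
            return name
    return None

def explain():
    cases = [
        ("masters { IPv4-of-my-DNS; } (unsigned)", MY_DNS, None),
        ("request signed with key shared", MY_DNS, "shared"),
        ("masters { IPv4-of-my-DNS key external; }", MY_DNS, "external"),
        ("outside secondary, no key", "198.51.100.7", None),
    ]
    return [(label, select_view(src, key)) for label, src, key in cases]

if __name__ == "__main__":
    for label, view in explain():
        print(f"{label:42} -> view {view}")
```

In this model only the request signed with key `external` leaves the internal view; the unsigned request and the one signed with `shared` both land on the internal slave copy of the zone rather than on the external master.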