Shared dynamic zone on external view?
/dev/rob0
rob0 at gmx.co.uk
Thu Nov 8 12:20:41 UTC 2012
On Thu, Nov 08, 2012 at 09:23:05AM +1100, Mark Andrews wrote:
> In message <509A8796.7060005 at nryc.fr>, "Nicolas C." writes:
> > I have a dynamic zone on an external view, this zone is updated
> > with a TSIG key from outside of our network. There is a secondary
> > DNS server, also outside our network on which zones transfers are
> > working fine with no key.
> >
> > We would like to make one of our internal DNS secondary for this
> > zone and we have the "dynamic zone shared between views" problem.
> > I tried to follow the FAQ but no luck so far.
> >
> > I'm not sure that what I'm trying to do is possible, can someone
> > confirm this?
> >
> > Should I follow the FAQ and make my dynamic zone "master" on the
> > "internal" view? That makes less sense to us because these are
> > public zones, updated from the outside.
> >
> > This is my configuration:
> >
> > view "internal" {
> > match-clients {
> >
> > !key external;
> > key shared;
> >
> > <IPv4/IPv6 ranges including IPv4-of-my-DNS>
> > };
> >
> > zone "<my_zone>" {
> > type slave;
> > file "db.shared-int";
> > masters { IPv4-of-my-DNS; };
>
> You need to force the internal zone to talk to the external zone.
>
> masters { IPv4-of-my-DNS key external; };
Should not the master also have an "also-notify" to notify the
internal zone as well? Or the zone might contain a bogus
internal-only NS host, but that would seem less appropriate. If the
notify received is only for the external view, the internal view
will only update on elapsed SOA expire time.
> > transfer-source IPv4-of-my-DNS;
> > };
> > };
> >
> > view "external" {
> >
> > match-clients { !key shared; any; };
> > allow-transfer { IPv4-of-my-DNS; };
> > server IPv4-of-my-DNS { keys { shared; }; };
> >
> > zone "<my_zone>" {
> > type master;
> > file "db.shared-ext";
> > notify yes;
> > also-notify { IPv4-of-my-DNS; };
> >
> > update-policy {
> > grant another-key subdomain <my_zone> ANY;
> > grant principal at REA.LM subdomain <my_zone> ANY;
> > };
> > };
> >
> > When I reload the configuration or try to initiate a zone
> > transfer with dig and the "shared" key, I have this message
> > in the logs.
> >
> > zone <my_zone>/IN/internal: refresh: unexpected rcode (SERVFAIL)
> > from master IPv4-of-my-DNS#53 (source IPv4-of-my-DNS#0)
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
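A complete named.conf fragment for the setup discussed in this thread, with Mark Andrews' fix applied (the TSIG key on the masters statement). This is an added example, not a configuration posted by anyone in the thread. Key names follow the thread; the zone name example.net, the server address 192.0.2.53, the outside secondary 198.51.100.2, the hmac-sha256 algorithm and the secrets are placeholders chosen for illustration. The comments trace which view each message lands in, which is the whole trick: the server is talking to itself, so the only thing that steers a request from one view into the other is the key it is signed with.

```bind
// Added example, not from the thread. Addresses, zone name and secrets are
// placeholders; key names (shared, external, another-key) follow the thread.

key "shared" {                 // signs traffic that must land in view "internal"
    algorithm hmac-sha256;
    secret "<placeholder-base64-secret-1>";
};
key "external" {               // signs traffic that must land in view "external"
    algorithm hmac-sha256;
    secret "<placeholder-base64-secret-2>";
};
key "another-key" {            // used by the outside party that sends updates
    algorithm hmac-sha256;
    secret "<placeholder-base64-secret-3>";
};

view "internal" {
    // Evaluated in order: anything signed with "external" is rejected from
    // this view first, anything signed with "shared" is accepted, then the
    // plain internal ranges (which include this server's own address).
    match-clients { !key external; key shared; 192.0.2.0/24; };

    zone "example.net" {
        type slave;
        file "db.shared-int";
        // The SOA refresh query and the AXFR/IXFR go to our own address.
        // Signing them with "external" makes them fail "!key external"
        // above, so they fall through to view "external", where the
        // master copy of the zone lives. Without the key they would match
        // this view and ask the slave for the zone: SERVFAIL.
        masters { 192.0.2.53 key external; };
        transfer-source 192.0.2.53;
    };
};

view "external" {
    // Anything not signed with "shared" (outside clients, the outside
    // secondary, the updater, and our own key-external refresh) ends here.
    match-clients { !key shared; any; };
    allow-transfer { 192.0.2.53; 198.51.100.2; };

    // Messages this view sends to our own address (the NOTIFY from
    // also-notify below) are signed with "shared", so they match
    // "key shared" in view "internal" and reach the internal slave copy.
    server 192.0.2.53 { keys { shared; }; };

    zone "example.net" {
        type master;
        file "db.shared-ext";
        notify yes;
        also-notify { 192.0.2.53; };      // wake the internal slave copy
        update-policy {
            grant another-key subdomain example.net ANY;
        };
    };
};
```

The NOTIFY path is what rob0's remark is about: the also-notify to the server's own address only helps because the server statement signs it with "shared", so it is accepted by the internal view rather than bouncing off the external one. Without either the also-notify or that signing, the internal copy would only catch up when its SOA refresh timer ran.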