inline-signing a zone that exists in two views
Gordon Messmer
gordon.messmer at gmail.com
Tue May 9 23:42:24 UTC 2017
On 05/09/2017 03:15 AM, Tony Finch wrote:
> The classic solution is to make one view a slave of the other. Configure
> the slave zone with `masters { localhost key my-tsig; };` and configure
> the master view with `match-clients { key my-tsig; };`.
OK, I think I've got this nailed down. I had to move the "public" view
so that it was listed first in named.conf. That view previously had no
match-clients setting, but now is set to "match-clients { key tsig-key;
!localhost; 0.0.0.0/0; };" so that it allows access with the key but
does not match localhost otherwise (which would result in refusing
recursion) but does include the rest of the IPv4 space. The zone in the
"local" view is now a slave with "masters { 127.0.0.1 key tsig-key; };".

Seems to work. Localhost can look up records in the zone as well as
external records. External hosts can get records from the zone, but
can't make recursive requests.

I'm happy that it's working, but it seems like it was fairly difficult
to get right. Am I doing an unusual thing? Is it considered
best-practice (or just normal) for authoritative servers to just not use
the local server for resolution?

Thanks for your help!
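The two-view layout described in this thread, written out as a complete named.conf fragment; this is an added illustration, not configuration from the original post or from the BIND project. The TSIG secret and zone file paths are placeholders, and `example.com` is an assumed zone name.

```conf
# Added example: one zone served authoritatively to the world from the
# "public" view and slaved into a recursive "local" view over TSIG.
# Secret and file paths are placeholders; example.com is an assumed name.

key "tsig-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";   # generate with tsig-keygen
};

# Listed first: a TSIG-signed query from any address, including localhost,
# matches here; an unsigned localhost query falls through to "local".
# 0.0.0.0/0 covers IPv4 only, as in the post; add ::/0 if IPv6 is served.
view "public" {
    match-clients { key tsig-key; !localhost; 0.0.0.0/0; };
    recursion no;                          # external hosts get no recursion

    zone "example.com" {
        type master;
        file "/var/named/dynamic/example.com.db";   # placeholder path
        inline-signing yes;                # DNSSEC signing happens here only
        auto-dnssec maintain;
        allow-transfer { key tsig-key; };  # lets the "local" slave copy it
        notify explicit;
        also-notify { 127.0.0.1; };        # notify reaches the "local" view
    };
};

# Everything that did not match "public": unsigned localhost queries
# (and any other internal addresses added to the list).
view "local" {
    match-clients { localhost; };
    recursion yes;                         # local resolver use stays allowed

    zone "example.com" {
        type slave;
        file "/var/named/slaves/example.com.db";    # placeholder path
        masters { 127.0.0.1 key tsig-key; };
    };
};
```

Check the split with `dig @127.0.0.1 example.com SOA` (unsigned, should answer from the "local" slave copy) and `dig @127.0.0.1 -k <keyfile> example.com SOA` (signed, should answer from the "public" master), and confirm an external address gets REFUSED for a recursive query.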