Views not matching for zone transfers, work otherwise

Fri Jun 25 01:39:42 UTC 2004

AXFR requests are non-recursive, I believe.

- Kevin

Chris Cameron wrote:

>First of all, I'd like to say I've read the FAQ.
>
>
>Put as simply as possible, I have 2 views. One resolves internal 
>addresses for a domain, one resolves external addresses for the same 
>domain.
>
>Normal DNS queries get into their proper views just fine. Internal IPs 
>get internal resolution, external IPs get external IPs. 
>
>However, when it comes to zone transfers everything tries to get into 
>the external view, and if allowed, will return the external views 
>domain, regardless of what I do.
>
>Even if I explicitly state exact IPs in the views (with match-clients); 
>exact IP listed in the right view, denied in the wrong one, I just get 
>"Transfer Failed". I've verified with tcpdump and the proper IPs are 
>the ones being used to retrieve the zones.
>
>
>Is there a known trick I'm missing here?
>
>
>
>More detailed explanation:
>
>Have a domain that has 2 views for internal resolving and external 
>resolving. To do this I have three DNS servers. One is the external 
>primary master, one is the internal slave, and the third is the 
>internal master and external slave.
>
>Works fine except for when it comes to zone transfers, where the master 
>for the internal domain won't make it into the internal view, and tries 
>to send me the external slave zone.
>
>
>
>
>Should note that all the zone transfers are done internally. The 
>external DNS is accessed via static NAT.
>
>192.168.121.10	-	Internal Master (Same server as below)
>192.168.121.11	-	External Slave
>192.168.120.10	-	External Master
>192.168.120.50	-	Internal Slave
>
>
>named.conf on 192.168.121.10/11:
>-------------------
>include "/etc/rndc.key";
>
>options {
>	directory "/var/named";
>	version "";
>	listen-on { any; };
>};
>
>acl clients {
>	192.168.121.0/24;
>	192.168.120.0/24;
>	localhost;
>};
>
>logging {
>	category lame-servers { null; };
>};
>
>view "internal-resolve" {
>	match-clients { !192.168.120.10; !192.168.121.11; clients; };
>	match-recursive-only yes;
>	notify-source 192.168.121.10;
>	transfer-source 192.168.121.10;
>	query-source address 192.168.121.10;
>//	allow-transfer {
>//		192.168.120.50;
>//	};
>
>	zone  "domain.com" {
>		type master;
>		file  "local/db.domain.com";
>	};
>};
>
>view "external-resolve" {
>	match-clients { 192.168.120.10; any; };
>	recursion no;
>	additional-from-auth no;
>	additional-from-cache no;
>	notify-source 192.168.121.11;
>	transfer-source 192.168.121.11;
>	query-source address 192.168.121.11;
>//	allow-transfer {
>//		192.168.120.10;
>//	};
>
>	zone "domain.com" {
>		type slave;
>		masters { 192.168.120.10; };
>		file  "slave/bak.domain.com";
>	};
>};
>
>
>
>named.conf on 192.168.120.50:
>-------------------
>options {
>        directory        "/namedb";
>};
>
>...
>
>view "internal-resolve" {
>	match-clients { !192.168.121.11; any; };
>	match-recursive-only yes;
>	notify-source 192.168.120.50;
>	transfer-source 192.168.120.50;
>	query-source address 192.168.120.50;
>
>	zone "domain.com" in {
>		type slave;
>		file "bak.domain.com";
>		masters { 192.168.121.10; };
>	};
>};
>
>
>
>On 192.168.120.50:
>
></opt/named/namedb> $ dig @192.168.121.10 domain.com axfr
>
>; <<>> DiG 9.2.2 <<>> @192.168.121.10 domain.com axfr
>;; global options:  printcmd
>
>... Lists external zone ...
>
>;; Query time: 37 msec
>;; SERVER: 192.168.121.10#53(192.168.121.10)
>;; WHEN: Wed Jun 23 19:29:32 2004
>;; XFR size: 21 records
>
></opt/named/namedb> $
></opt/named/namedb> $ host www.domain.com 192.168.121.10
>Using domain server:
>Name: 192.168.121.10
>Address: 192.168.121.10#53
>Aliases:
>
>www.domain.com has address 192.168.120.10
></opt/named/namedb> $ 
>
>
>Using 192.168.121.11 for the queries above all brings back the same 
>results.
>
>
>So, I can only assume that the views are working because normal queries 
>from the same servers bring back the appropriate record. Why is it zone 
>transfers all try to come from the external slave?
>
>
>
>Any help or ideas would be appreciated. I'd also gladly give more detail 
>if there's something I've missed here.
>
>Running BIND 9.2.1 on 192.168.121.10/11 and BIND 9.2.2 on the other two.
>
>
>Chris
>
>
>  
>