problem with bind9, view and nsupdate

Michael Dosser mic at strg.at
Tue Aug 2 11:42:37 UTC 2005 

Hello all,

most probably I have a misconfiguration somewhere in my setup, but I 
cannot figure out where. I have a setup with the following two nameservers:

---------------------------------------------------------------------
ns1:
OS: FreeBSD-4.11-RELEASE-p11
bind9: 9.3.1

ns2:
OS: Debian GNU/Linux 3.1
bind9: 9.2.4-1

Both are started with the following command:
/path/to/named -u bind

Both hosts have a host based firewall. Port 53 udp/tcp is open in both 
directions.

---------------------------------------------------------------------

There is an application on ns2 which updates via nsupdate zonefiles on
ns1. For debugging reasons I left the application aside, and tested as
the user connecting via nsupdate. nsupdate itself is not the problem as
I figured out (and so is the application launching nsupdate). But read, 
after showing you my configs I'll describe the problem.

---------------------------------------------------------------------

Setup on ns1 (named.conf):

acl "nameservers" {
         localhost;
         <ip of ns1>;
	<ip of ns2>;
};
acl "internal" {
	<ips of servers>;
};
acl "customers" {
	<ips of customers>;
};
options {
         directory "/etc/namedb";
         pid-file "/var/run/named/pid";
         query-source address * port 53;
         dump-file "named_dump.db";
         allow-transfer { nameservers; };
         transfer-format many-answers;
         version "DNS server";
         // conform to RFC1035
         auth-nxdomain yes;
         datasize 256m;
         max-ncache-ttl 60;
         recursive-clients 5000;
         listen-on {
                 <ip of nameserver>;
                 127.0.0.1;
         };
};
key "rndc-key" {
         algorithm hmac-md5;
         secret "<secret key>";
};
controls {
         inet 127.0.0.1 port 953
         allow { 127.0.0.1; } keys { "rndc-key"; };
};

key updatekey. {
         algorithm hmac-md5;
         secret "<secret key>";
};

view "internal" {
         match-clients { "internal"; };
         recursion yes;
         include "named.local";
         include "named.internal";
         include "named.master";
         include "/path/to/nsupdate/managed/named.primary.conf";
         include "/path/to/nsupdate/managed/named.secondary.conf";
};

view "customers" {
         match-clients { "customers"; };
         recursion yes;
         include "named.local";
         include "named.internal";
         include "named.master";
         include "/path/to/nsupdate/managed/named.primary.conf";
         include "/path/to/nsupdate/managed/named.secondary.conf";
};

view "external" {
         match-clients { "any"; };
         recursion no;
         include "named.local";
         include "named.internal";
         include "named.master";
         include "/path/to/nsupdate/managed/named.primary.conf";
         include "/path/to/nsupdate/managed/named.secondary.conf";
};
---------------------------------------------------------------------
The files named.local, named.internal and named.master are includes not 
managed by nsupdate. The other two (named.primary.conf and 
named.secondary.conf) are managed by nsupdate.
the named.conf on ns2 looks exactly the same. Example entry for
named.primary.conf on ns1 (which is managed by nsupdate):

zone "blasdf.at" IN {
	type master;
	file "/path/to/nsupdate/managed/zones/hosts_blasdf.at";
	allow-update { key updatekey; };
};

and the zone itself:

$ORIGIN .
$TTL 86400      ; 1 day
blasdf.at                IN SOA  ns1.domain.at. dns.domain.at. (
                                 2004081817 ; serial
                                 28800      ; refresh (8 hours)
                                 7200       ; retry (2 hours)
                                 604800     ; expire (1 week)
                                 86400      ; minimum (1 day)
                                 )
                         NS      ns1.domain.at.
                         NS      ns2.domain.at.
                         A       195.69.180.10
                         MX      10 mail.domain.at.
$ORIGIN blasdf.at.



---------------------------------------------------------------------
Problem description:

If I update blasdf.at and add a new A record (or any other record) with
nsupdate, the serial gets automagically - as expected - bumped higher by
1, so with the above example I get 2004081818. ns2 as a slave gets also
the new serial and the new A record.

If I launch dig on one of the nameservers all looks good:

$ dig soa blasdf.at @localhost|grep -A 2 "ANSWER SECTION"
;; ANSWER SECTION:
blasdf.at.               86400   IN      SOA     ns1.domain.at.
dns.domain.at. 2004081818 28800 7200 604800 86400

But if I dig from a host defined in view external I get the old serial:

$ dig soa blasdf.at @ns1.domain.at|grep -A 2 "ANSWER SECTION"
;; ANSWER SECTION:
blasdf.at.               86400   IN      SOA     ns1.domain.at.
dns.domain.at. 2004081817 28800 7200 604800 86400

If I dig from a host defined in view internal, I get the right serial,
but not if I dig from a host in view customers.

And this is true for both nameservers (ns1 and ns2). After one day on
ns2 I get the right serial, on ns1 still the old serial.

What is happening here? Where might be the misconfiguration?

Thank you for your help,
Michael Dosser

-- 
The computer revolution is over. The computers won.

More information about the bind-users mailing list