Slave transfer problem with same zone but different db files in views.

Lyle Giese lyle at lcrcomputer.net
Sat Jun 17 01:58:36 UTC 2006


David Miller wrote:
> Hello,
> 
> I used Rob Thomas's secure BIND template to setup my primary DNS  
> server(9.3.2) and it is working perfectly. I have one question about  
> Rob's template and a question about a problem with my slave server.
> 
> First the problem. I have two copies of the same zone file. One is
> for the internal view and one is for the external view. The difference is the
> number of records defined in each file. The fourth edition O'Reilly
> BIND and DNS book has a perfect example of this on page 272. They
> actually have two different db files for the same 254.253.192.in-addr.arpa
> zone. How do you get the slave server to know which zone
> file goes to the correct view? Of course my slave server transfers
> the first db file and gives resolve access to hosts I don't want the
> external to have.
> 
> About Rob's template. Why allow access to the db.cache file for the
> external-in view? Isn't that pointless since we don't allow recursion
> anyway? All we want is for external sources to be able to resolve the
> IPs/names defined in the zone files we put in that view. Here is the
> section I'm talking about.
> 
> // Create a view for external DNS clients.
> view "external-in" in {
>     // Our external (untrusted) view. We permit any client to access
>     // portions of this view. We do not perform recursion or cache
>     // access for hosts using this view.
>
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
>
>     // Link in our zones
>     zone "." in {
>         type hint;
>         file "db.cache";
>     };
>
>     // (remaining zones of this view omitted in the quoted excerpt)
> };
>
> Here is a link to Rob's secure BIND Template.
> 
> http://www.cymru.com/Documents/secure-bind-template.html
> 
> 

The slave will get the view that matches its query IP address. So if
it asks the master from an external IP, it will get the external view.
If the slave asks via an internal IP, it will get the internal view.

Because in my instance the one view only contains three zone files, I 
move them by hand between the slaves.

Don't know about previous versions of ISC's BIND, but v9 does contain
internally a list of root servers. So if you are running ISC's BIND, the
hint file is redundant.

Lyle
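A constructed named.conf pair, added here as an illustration and not taken from the thread or from Rob Thomas's template, showing the mechanism Lyle describes: the master picks the view by the slave's source address, so the slave pins the address it transfers from in each of its own views and writes each copy to a different file. The addresses (10.0.0.0/8 internal, 192.0.2.0/24 external, master at .1, slave at .53) and the zone name example.com are assumptions.

```conf
// ---- master (constructed example) ----
view "internal" {
    match-clients { 10.0.0.0/8; localhost; };   // first matching view wins
    zone "example.com" {
        type master;
        file "db.example.com.internal";        // full record set
        allow-transfer { 10.0.0.53; };         // slave's internal address only
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "db.example.com.external";        // public records only
        allow-transfer { 192.0.2.53; };        // slave's external address only
    };
};

// ---- slave, dual-homed: 10.0.0.53 inside, 192.0.2.53 outside ----
view "internal" {
    match-clients { 10.0.0.0/8; localhost; };
    zone "example.com" {
        type slave;
        masters { 10.0.0.1; };                 // master's internal address
        transfer-source 10.0.0.53;             // master then serves its internal view
        file "slave/db.example.com.internal";  // separate file per view
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type slave;
        masters { 192.0.2.1; };                // master's external address
        transfer-source 192.0.2.53;            // master then serves its external view
        file "slave/db.example.com.external";  // must not share the internal file
    };
};
```

Run `named-checkconf` on each file before reloading, and check the slave's log for the zone being transferred twice (once per view) rather than once; a single transfer, or both views reporting the same serial and record count, means one source address is reaching the wrong view on the master.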
