Views, Tsigs and updates on 9.3.2

Angela Williams angie at eoh.co.za
Thu Mar 23 16:03:22 UTC 2006


Hi!
I have run a pair of BIND 9.0.x servers - master and slave for all of our 
various company domains plus a bunch of customer domains. Just works like a 
wiz! Only problem is the two IP address update method! I want to move to 
9.3.2!
I have set up two systems with Gentoo - my own desktop and another server which 
is intended to become a new slave server once we are closer to moving ISPs.
To this end I emerged bind and bind-tools on both boxes after checking that 
bind-9.3.2 was no longer masked in the portage tree. 
I followed the steps in the 9.3 section of the FAQ - How can I make a server a 
slave for both an internal and external view at the same time ........

I have basically copied the two named.conf snippets into my original 
named.conf files from the two live servers after deleting almost every 
domain to make it easier to check updates. 
Here is the problem!
I trashed the temporary zone files on the slave for both internal and external 
views and started both servers' named daemons. I then looked at the files 
named wrote out for both views on the slave and they are both internal views!
Most unfair to have 'net users trying to connect to my internal IPs!

Ok here are the two named.conf files.

First the master server. IP Address 10.1.30.52

key "rndc-key" {
        algorithm hmac-md5;
        secret "UB3TJRIJp4wm6Bar4zkj==";
};

key "ext-key" {
        algorithm hmac-md5;
        secret "dDR06cI6T2ZoG/p+woiD==";
};

controls {
        inet * port 953
                allow { 127.0.0.1; 10.1.30.50; }
                keys { "rndc-key"; };
};

options {
        directory "/var/named";
        pid-file "/var/run/named.pid";
        notify yes;
        allow-transfer { 10.1.30.50; };
};
//Our views
view  "internal" {
        // Only internal see us and can query us
        match-clients { !key ext-key;
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                        127.0.0.1;
                        };
        // and we will lookup outside of our ns
        recursion yes;

// All the master servers!
        zone "." {
                type hint;
                file "db.cache";
        };
        zone "eoh.co.za" {
                type master;
                file "master-zones/int/eoh.co.za.hosts1";
                notify yes;
        };
// The internal view ends here!
};

// Our external view!
view "external" {
        match-clients { key ext-key; any; };
        server 10.1.30.50 { keys ext-key; };
        recursion  no;
        zone "eoh.co.za" {
                type master;
                file "master-zones/ext/eoh.co.za.hosts1";
                notify yes;
        };
// this is the end!
};

And here is my slave's named.conf - my PC on 10.1.30.50:

key "rndc-key" {
        algorithm hmac-md5;
        secret "UB3TJRIJp4wm6Bar4zkj==";
};

key "ext-key" {
        algorithm hmac-md5;
        secret "dDR06cI6T2ZoG/p+woiD==";
};
controls {
        inet * port 953
                allow { 127.0.0.1; 10.1.30.52; 10.1.30.50; }
                keys { "rndc-key"; };
};

options {
        directory "/var/bind";
        listen-on-v6 { none; };
        pid-file "/var/run/named/named.pid";
};

//Our views

view "internal" {
        // Only internal see us and can query us
        match-clients { !key ext-key;
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        127.0.0.1;
        };
        recursion yes;

// All the master servers!
        zone "." {
                type hint;
                file "db.cache";
        };
        zone "eoh.co.za" {
                type slave;
                file "slave-zones/int/eoh.co.za.hosts";
                masters { 10.1.30.52; };
        };
// The internal view ends here! 
};

// Our external view!
view "external" {
        match-clients { key ext-key; any; };
        server 10.1.0.52 { keys ext-key; };
        recursion  no;

        zone "eoh.co.za" {
                type slave;
                file "slave-zones/ext/eoh.co.za.hosts";
                masters { 10.1.30.52; };
        };
// The end of external view
};

Here are my two zone files!
First the external one for eoh.co.za
$ttl 3600
eoh.co.za.      IN      SOA     eohns0.eoh.co.za. awilliams.eoh.co.za. (
                        2006030904
                        10815
                        3600
                        604800
                        3840 )
eoh.co.za.              IN      NS      eohns0.eoh.co.za.
eoh.co.za.              IN      NS      eohns1.eoh.co.za.
eohns0.eoh.co.za.       IN      A       10.1.30.52
eohns1.eoh.co.za.       IN      A       10.1.30.50

Now the internal one
$ttl 3600
eoh.co.za.      IN      SOA     eohns0.eoh.co.za. awilliams.eoh.co.za. (
                        2006032301
                        10815
                        3600
                        604800
                        3840 )
eoh.co.za.              IN      NS      eohns0.eoh.co.za.
eoh.co.za.              IN      NS      eohns1.eoh.co.za.
eohns0.eoh.co.za.       IN      A       10.1.30.52
eohns1.eoh.co.za.       IN      A       10.1.30.50
mngc.eoh.co.za.         IN      A       10.1.30.199

I used Ethereal to look at the packets back and forth once I had stopped 
named on my PC - the slave 10.1.30.50, removed the temp zone files and 
restarted named. I cannot see any TSIG-signed data going back and forth!
I had originally had the keys called external as per the FAQ and changed them to 
see if it solved the problem! Nope!
I have run both sides with debug 5 but cannot see anything that makes sense!
The mailing list does not seem to show much either! 

I then changed the serial number on the external view on master 10.1.30.52 and 
did an rndc reload eoh.co.za. in external; Ethereal shows the signed update 
packet and a signed response but that's it!

Is the time in sync on both servers? Well as good as ntp can keep them! Both 
run ntp servers synced to the same external time sources!

Ok the ball is now in the list's court!

Cheers
Ang


-- 
Angela Williams				Enterprise Outsourcing
SCO Unix/Linux & Cisco spoken here!	Bedfordview
awilliams at eoh.co.za			Gauteng South Africa

Smile!! Jesus Loves You!!
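One thing worth checking against the slave config posted above: its external view carries `server 10.1.0.52 { keys ext-key; };` while the slave zone's `masters` entry is 10.1.30.52. BIND only signs outgoing queries to an address that is named in a `server` statement with `keys`, so the external view's SOA refresh and AXFR requests to 10.1.30.52 go out unsigned, and on the master an unsigned query from 10.1.30.50 satisfies `!key ext-key; 10.0.0.0/8;` and is answered from the internal view. The checker below is an added example, not code from the original post or from BIND: it parses the view sections of a named.conf, and for every view that is selected by a `key` in `match-clients` it reports masters that have no matching `server`/`keys` statement, plus `server` statements whose address matches none of the view's masters. The input is a constructed copy of the slave's two views; the function names are the example's own.

```python
import re

# Constructed sample: the two views of the slave's named.conf as posted,
# keeping the `server 10.1.0.52` line that does not match the masters address.
SLAVE_CONF = r'''
//Our views
view "internal" {
        match-clients { !key ext-key; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 127.0.0.1; };
        recursion yes;
        zone "." { type hint; file "db.cache"; };
        zone "eoh.co.za" {
                type slave;
                file "slave-zones/int/eoh.co.za.hosts";
                masters { 10.1.30.52; };
        };
};

// Our external view!
view "external" {
        match-clients { key ext-key; any; };
        server 10.1.0.52 { keys ext-key; };
        recursion no;
        zone "eoh.co.za" {
                type slave;
                file "slave-zones/ext/eoh.co.za.hosts";
                masters { 10.1.30.52; };
        };
};
'''


def strip_comments(conf):
    """Drop //, # and /* */ comments so brace matching only sees configuration."""
    return re.sub(r'//[^\n]*|#[^\n]*|/\*.*?\*/', '', conf, flags=re.S)


def _block(text, open_idx):
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _blocks(text, pattern):
    """Yield (captured name, body) for every `<pattern> { ... }` statement in text."""
    for m in re.finditer(pattern + r'\s*\{', text):
        yield m.group(1), _block(text, m.end() - 1)


def views(conf):
    """Map view name -> body of the view block."""
    return dict(_blocks(conf, r'\bview\s+"([^"]+)"'))


def view_key(body):
    """Name of the TSIG key a view's match-clients accepts (`key NAME;`); `!key` is ignored."""
    m = re.search(r'match-clients\s*\{', body)
    if not m:
        return None
    mc = _block(body, m.end() - 1)
    k = re.search(r'(?<![!\w-])key\s+"?([\w.-]+)"?\s*;', mc)
    return k.group(1) if k else None


def server_keys(body):
    """Map each `server ADDR { keys ...; }` in a view to the key it signs with."""
    out = {}
    for addr, sb in _blocks(body, r'\bserver\s+([\d.]+)'):
        k = re.search(r'\bkeys\s+\{?\s*"?([\w.-]+)"?', sb)
        out[addr] = k.group(1) if k else None
    return out


def slave_masters(body):
    """Map each slave zone in a view to the master addresses it transfers from."""
    zones = {}
    for name, zb in _blocks(body, r'\bzone\s+"([^"]+)"'):
        if not re.search(r'\btype\s+slave\s*;', zb):
            continue
        m = re.search(r'\bmasters\s*\{', zb)
        if m:
            zones[name] = re.findall(r'\d+\.\d+\.\d+\.\d+', _block(zb, m.end() - 1))
    return zones


def check_transfer_keys(conf):
    """Return (unsigned, stray): masters a key-selected view would query without its
    key, and server statements in that view whose address is not one of its masters."""
    unsigned, stray = [], []
    for name, body in views(strip_comments(conf)).items():
        key = view_key(body)
        if key is None:
            continue  # view is selected by address only; unsigned transfers are intended
        srv = server_keys(body)
        zones = slave_masters(body)
        masters = {a for addrs in zones.values() for a in addrs}
        for zone, addrs in zones.items():
            unsigned.extend((name, zone, a, key) for a in addrs if srv.get(a) != key)
        stray.extend((name, a, srv[a]) for a in srv if a not in masters)
    return unsigned, stray


if __name__ == "__main__":
    unsigned, stray = check_transfer_keys(SLAVE_CONF)
    for v, z, a, k in unsigned:
        print(f'view "{v}": zone {z} transfers from {a} without key {k} (no matching server statement)')
    for v, a, k in stray:
        print(f'view "{v}": server {a} {{ keys {k}; }} matches none of this view\'s masters')
    fixed = SLAVE_CONF.replace("server 10.1.0.52", "server 10.1.30.52")
    print("after correcting the server address:", check_transfer_keys(fixed))
```

Run against the posted slave views it flags the external view's transfer from 10.1.30.52 as unsigned and `server 10.1.0.52` as matching no master; with the address corrected to 10.1.30.52 both lists come back empty. The internal view is skipped on purpose, since it is matched by source address and is meant to transfer unsigned.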
