Basic setup question for a master / slave setup with views...

Barry Margolin barmar at alum.mit.edu
Tue Feb 5 03:53:42 UTC 2008


In article <fo8kfc$163p$1 at sf1.isc.org>,
 Jim Bucks <jbucks at coloradostudios.com> wrote:

> Sorry, I really have been trying to resolve this on my own.  I greatly 
> reduced the number of zones this afternoon in a failed attempt to try 
> and get this working.  I also got rid of the acl entries (using hard 
> coded IP addresses for now).

It looks to me like your master's IP is 67.134.161.162 and the slave is 
67.134.161.163.  The master's internal view matches on localnets, so 
anything with a 67.134.161.x address will match this (I'm assuming 
you're using a /24 network mask, but these two adjacent IPs will be in 
the same subnet no matter what mask you use).

So you either have to change the source IP that the slave uses when 
pulling zone transfers, or change your match-clients ACL to filter out 
this IP.

> 
> I'm still getting the same results as I reported earlier.
> 
> Thanks,
> 
> Jim
> 
> 
> Here is the named.conf from the master server (less the "key" strings)
> 
> //
> // Sample named.conf BIND DNS server 'named' configuration file
> // for the Red Hat BIND distribution.
> //
> // See the BIND Administrator's Reference Manual (ARM) for details, in:
> //   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
> // Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
> // its manual.
> //
> // 2007 Dec 14   Jim Bucks - initial setup
> //                           This is the MASTER / PRIMARY DNS configuration file.
> //
> // Change Log
> //
> //
> acl dns_slaves {
>          67.134.161.163;
> };
> 
> acl stapleton_hosts {
>          192.9.200.0/24;
>          127.0.0.1;
>          172.20.24.0/21;
>          67.134.161.0/24;
> };
> 
> options
> {
>          /* make named use port 53 for the source of all queries, to allow
>           * firewalls to block all ports except 53:
>           */
>          query-source    port 53;
>          //query-source-v6 port 53;
> 
>          // Put files that named is allowed to write in the data/ directory:
>          directory "/var/named";       // the default
>          allow-query { stapleton_hosts; };
> //        allow-query {192.9.200.0/24;172.20.24.0/21;67.134.161.163/24;}; // need to add the other local nets
>          dump-file               "data/cache_dump.db";
>          zone-statistics         yes;
>          statistics-file         "data/named_stats.txt";
>          memstatistics-file      "data/named_mem_stats.txt";
>          also-notify { 67.134.161.163; };
> 
> };
> 
> logging
> {
> /*      If you want to enable debugging, eg. using the 'rndc trace' command,
>   *      named will try to write the 'named.run' file in the $directory 
> (/var/named).
>   *      By default, SELinux policy does not allow named to modify the 
> /var/named directory,
>   *      so put the default debug log file in data/ :
>   */
>          channel default_debug {
>                  file "data/named.run";
>                  severity dynamic;
>          };
>          // Filter out any LAME server messages from cluttering up the SYSLOGs
> };
> 
> //
> // All BIND 9 zones are in a "view", which allow different zones to be served
> // to different types of client addresses, and for options to be set for groups
> // of zones.
> //
> // By default, if named.conf contains no "view" clauses, all zones are in the
> // "default" view, which matches all clients.
> //
> // If named.conf contains any "view" clause, then all zones MUST be in a view;
> // so it is recommended to start off using views to avoid having to restructure
> // your configuration files in the future.
> //
> view localhost_resolver {
>         /* This view sets up named to be a localhost resolver ( caching 
> only nameserver ).
>          * If all you want is a caching-only nameserver, then you need 
> only define this view:
>         */
>          match-clients           { localhost; };
>          match-destinations      { localhost; };
>          recursion yes;
>          # all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
> 
>          /* these are zones that contain definitions for all the localhost
>           * names and addresses, as recommended in RFC1912 - these names 
> should
>           * ONLY be served to localhost clients:
>           */
>          // include "internal/named.rfc1912.zones";
> };
> 
> view internal {
>          /* This view will contain zones you want to serve only to 
> "internal" clients
>           * that connect via your directly attached LAN interfaces - 
> "localnets" .
>          */
>          match-clients           { localnets; };
>          match-destinations      { localnets; };
>          recursion yes;
> 
>          zone "." {
>                  type hint;
>                  file "internal/root.hints";
>           };
>           // all views must contain the root hints zone:
>           //include "internal/root.hints";
> 
>          //include "internal/named.rfc1912.zones";
>          // you should not serve your rfc1912 names to non-localhost clients.
> 
>          // These are your "authoritative" internal zones, and would probably
>          // also be included in the "localhost_resolver" view above :
> 
> 
>          zone "den.coloradostudios.com" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "internal/db.den.coloradostudios.com";
>          };
>          zone "200.9.192.in-addr.arpa" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "internal/db.192.9.200";
>          };
>          //      //zone "my.internal.zone" {
>          //              type master;
>          //              file "my.internal.zone.db";
>          //      };
>          //      zone "my.slave.internal.zone" {
>          //              type slave;
>          //              file "slaves/my.slave.internal.zone.db";
>          //              masters { /* put master nameserver IPs here */ 127.0.0.1; };
>          //              // put slave zones in the slaves/ directory so named can update them
>          //      };
>          //      zone "my.ddns.internal.zone" {
>          //              type master;
>          //              allow-update { key ddns_key; };
>          //              file "slaves/my.ddns.internal.zone.db";
>          //              // put dynamically updateable zones in the slaves/ directory so named can update them
>          //      };
> };
> 
> key rndc_key
> {
>          algorithm hmac-md5;
>          secret "snipped";
> };
> 
> key ddns_key
> {
>          algorithm hmac-md5;
>          secret "snipped";
>          //secret "use /usr/sbin/dns-keygen to generate TSIG keys";
> };
> 
> view  external
> {
>          /* This view will contain zones you want to serve only to 
> "external" clients
>           * that have addresses that are not on your directly attached 
> LAN interface subnets:
>          */
>          allow-transfer { 67.134.161.163; };     # allow "hosts in acl "dns_slaves" to transfer zones
> 
>          //      match-clients           { !localnets; !localhost; };
>          //      match-clients           { localnets; !localhost; };
>          match-clients           { "any"; };
>          //      match-destinations      { localnets; !localhost; };
>          //      match-destinations      { !localnets; !localhost; };
> 
>          recursion no;
>          // you'd probably want to deny recursion to external clients, so you don't
>          // end up providing free DNS service to all takers
> 
>          // all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
> 
>          // These are your "authoritative" external zones, and would probably
>          // contain entries for just your web and mail servers:
>          zone "hd.net" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "external/db.hd.net";
>          };
>          zone "1080p.com" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "external/db.1080p.com";
>          };
>          // Deleted all the other external zones files from here until
>          //   after can get the 1080p.com files to replicate to slave.
>          zone "161.134.67.in-addr.arpa" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "external/db.67.134.161";
>          };
> 
>          //      zone "my.external.zone" {
>          //              type master;
>          //              file "my.external.zone.db";
>          //      };
> };
> //include "/etc/bind/logging";
> 
> 
> 
> And, here's the named.conf (also with the key's snipped) from the slave 
> server.
> 
> 
> //
> // Sample named.conf BIND DNS server 'named' configuration file
> // for the Red Hat BIND distribution.
> //
> // See the BIND Administrator's Reference Manual (ARM) for details, in:
> //   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
> // Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
> // its manual.
> //
> // 2007 Dec 14   Jim Bucks - initial setup
> //                           This is the SECONDARY / SLAVE DNS configuration file.
> //
> 
> 
> acl dns_masters {
>          67.134.161.162;
> };
> 
> // This is a list of `Stapleton' networks.
> acl stapleton_hosts {
>          192.9.200.0/24;
>          127.0.0.1;
>          172.20.24.0/21;
>          67.134.161.0/24;
> };
> 
> 
> options
> {
>          /* make named use port 53 for the source of all queries, to allow
>           * firewalls to block all ports except 53:
>           */
>          query-source    port 53;
>          //query-source-v6 port 53;
> 
>          // Put files that named is allowed to write in the data/ directory:
>          directory "/var/named"; // the default
>          //allow-query {192.9.200.0/24;172.20.24.0/21;}; // need to add the other local nets
>          //allow-query {192.9.200.0/24;172.20.24.0/21;67.134.161.0/24;}; // need to add the other local nets
>          allow-query { "stapleton_hosts"; }; // need to add the other local nets
>          dump-file               "data/cache_dump.db";
>          zone-statistics         yes;
>          statistics-file         "data/named_stats.txt";
>          memstatistics-file      "data/named_mem_stats.txt";
> 
> };
> 
> logging
> {
> /*      If you want to enable debugging, eg. using the 'rndc trace' command,
>   *      named will try to write the 'named.run' file in the $directory 
> (/var/named).
>   *      By default, SELinux policy does not allow named to modify the 
> /var/named directory,
>   *      so put the default debug log file in data/ :
>   */
>          channel default_debug {
>                  file "data/named.run";
>                  severity dynamic;
>          };
>          // Filter out any LAME server messages from cluttering up the SYSLOGs
> };
> 
> //
> // All BIND 9 zones are in a "view", which allow different zones to be served
> // to different types of client addresses, and for options to be set for groups
> // of zones.
> //
> // By default, if named.conf contains no "view" clauses, all zones are in the
> // "default" view, which matches all clients.
> //
> // If named.conf contains any "view" clause, then all zones MUST be in a view;
> // so it is recommended to start off using views to avoid having to restructure
> // your configuration files in the future.
> //
> view localhost_resolver {
>          /* This view sets up named to be a localhost resolver ( caching 
> only nameserver ).
>           * If all you want is a caching-only nameserver, then you need 
> only define this view:
>          */
>          match-clients           { localhost; };
>          match-destinations      { localhost; };
>          recursion yes;
>          # all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
> 
>          /* these are zones that contain definitions for all the localhost
>           * names and addresses, as recommended in RFC1912 - these names 
> should
>           * ONLY be served to localhost clients:
>           */
>          //include "/etc/named.rfc1912.zones";
> };
> 
> view internal {
>          /* This view will contain zones you want to serve only to 
> "internal" clients
>           * that connect via your directly attached LAN interfaces - 
> "localnets" .
>          */
>          match-clients           { localnets; };
>          match-destinations      { localnets; };
>          recursion yes;
>          zone "." {
>                   type hint;
>                  file "slaves/internal/root.hints";
>          };
>          // all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
> 
>          //include "/etc/named.rfc1912.zones";
>          // you should not serve your rfc1912 names to non-localhost clients.
> 
>          // These are your "authoritative" internal zones, and would probably
>          // also be included in the "localhost_resolver" view above :
> 
> 
>          zone "den.coloradostudios.com" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/internal/db.den.coloradostudios.com";
>          };
>          zone "200.9.192.in-addr.arpa" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/internal/db.192.9.200";
>          };
>          //      //zone "my.internal.zone" {
>          //              type master;
>          //              file "my.internal.zone.db";
>          //      };
>          //      zone "my.slave.internal.zone" {
>          //              type slave;
>          //              file "slaves/my.slave.internal.zone.db";
>          //              masters { /* put master nameserver IPs here */ 127.0.0.1; };
>          //              // put slave zones in the slaves/ directory so named can update them
>          //      };
>          //      zone "my.ddns.internal.zone" {
>          //              type master;
>          //              allow-update { key ddns_key; };
>          //              file "slaves/my.ddns.internal.zone.db";
>          //              // put dynamically updateable zones in the slaves/ directory so named can update them
>          //      };
> };
> 
> key rndc_key
> {
>          algorithm hmac-md5;
>          secret "snip";
> };
> 
> key ddns_key
> {
>          algorithm hmac-md5;
>          secret "snip";
>          //secret "use /usr/sbin/dns-keygen to generate TSIG keys";
> };
> 
> view external {
>          /* This view will contain zones you want to serve only to 
> "external" clients
>           * that have addresses that are not on your directly attached 
> LAN interface subnets:
>          */
>          match-clients           { dns_masters; };
>          match-destinations      { dns_masters; };
>          //      match-clients           { !localnets; !localhost; };
>          //      match-destinations      { !localnets; !localhost; };
> 
>          recursion no;
>          // you'd probably want to deny recursion to external clients, so you don't
>          // end up providing free DNS service to all takers
> 
>          // all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
> 
>          // These are your "authoritative" external zones, and would probably
>          zone "hd.net" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/external/db.hd.net";
>          };
>          zone "1080p.com" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/external/db.1080p.com";
>          };
>          // Deleted all the other external zones files from here until
>          //   after can get the 1080p.com files to replicate to slave.
>          zone "161.134.67.in-addr.arpa" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/external/db.67.134.161";
>          };
> 
>          //      zone "my.external.zone" {
>          //              type master;
>          //              file "my.external.zone.db";
>          //      };
> };
> //include "/etc/bind/logging";

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
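An added example, written for this page and not taken from either post above: a small Python model of how BIND 9 chooses a view for a client (views are tried in named.conf order and the first whose match-clients list matches wins; inside an address-match-list the first matching element decides, and a negated `!` element means "no match"). It replays the master configuration as posted against the slave's address 67.134.161.163, then against the two fixes Barry describes: excluding the slave from the internal view's match-clients, and having the slave send transfers from an address outside the master's local networks. Assumptions, labelled in the code as well: the master's only interface is on 67.134.161.0/24, so the built-in `localnets` is taken to be that /24 plus loopback; 198.51.100.7 is a made-up TEST-NET-2 address standing in for a slave transfer-source outside the master's LAN; `match-destinations` is not modelled. The commented `named.conf` lines inside the block show the corresponding BIND syntax.

```python
"""Model of BIND 9 view selection (an illustration, not BIND itself).

Semantics modelled, as documented in the BIND ARM:
  * views are tried in named.conf order; the first view whose match-clients
    list matches the query's source address is the one used;
  * within an address-match-list elements are tested in order and the first
    one that matches decides: a plain element means "match", a negated
    element ("!...") means "no match"; a nested ACL whose own match is a
    negated one simply does not match, and the outer list continues.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# ASSUMPTION: the master's only interface is on 67.134.161.0/24 (a /24 is
# assumed, as in the reply), so the built-in "localnets" expands to that
# prefix plus loopback, and "localhost" to the master's own addresses.
BUILTIN_ACLS: Dict[str, List[str]] = {
    "localnets": ["67.134.161.0/24", "127.0.0.0/8"],
    "localhost": ["67.134.161.162", "127.0.0.1"],
    "any": ["0.0.0.0/0"],
    "none": [],
}

# The named ACL from the posted master named.conf: acl dns_slaves { 67.134.161.163; };
ACLS: Dict[str, List[str]] = {**BUILTIN_ACLS, "dns_slaves": ["67.134.161.163"]}

View = Tuple[str, List[str]]  # (view name, match-clients elements, in order)


def acl_matches(elements: Sequence[str], addr: ipaddress.IPv4Address,
                acls: Dict[str, List[str]] = ACLS) -> bool:
    """Evaluate one address-match-list for addr; the first hit decides."""
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip().strip('"')   # BIND accepts "any"
        if name in acls:                                 # nested or built-in ACL
            hit = acl_matches(acls[name], addr, acls)
        else:                                            # IP or prefix literal
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


def view_for(views: Sequence[View], client: str) -> Optional[str]:
    """Name of the first view whose match-clients matches client, else None.

    Only match-clients is modelled; match-destinations (checked against the
    server's own address, default "any") is left out.
    """
    addr = ipaddress.ip_address(client)
    for name, match_clients in views:
        if acl_matches(match_clients, addr):
            return name
    return None


# Zones per view, as in the posted master named.conf.
MASTER_ZONES: Dict[str, set] = {
    "localhost_resolver": set(),
    "internal": {"den.coloradostudios.com", "200.9.192.in-addr.arpa"},
    "external": {"hd.net", "1080p.com", "161.134.67.in-addr.arpa"},
}


def zone_visible(views: Sequence[View], client: str, zone: str,
                 zones: Dict[str, set] = MASTER_ZONES) -> bool:
    """True if the view chosen for client carries zone, so an AXFR for it can
    be served at all; a zone that is not in the selected view is refused."""
    view = view_for(views, client)
    return view is not None and zone in zones.get(view, set())


# Master view order exactly as posted: internal { match-clients { localnets; }; }
MASTER_AS_POSTED: List[View] = [
    ("localhost_resolver", ["localhost"]),
    ("internal", ["localnets"]),
    ("external", ['"any"']),
]

# Fix: keep the slave out of the internal view.  In named.conf:
#     view internal { match-clients { !dns_slaves; localnets; }; ... };
# The negation must come BEFORE localnets: BIND stops at the first matching
# element, so { localnets; !dns_slaves; } never reaches the exclusion.
MASTER_FIXED: List[View] = [
    ("localhost_resolver", ["localhost"]),
    ("internal", ["!dns_slaves", "localnets"]),
    ("external", ['"any"']),
]
MASTER_WRONG_ORDER: List[View] = [
    ("localhost_resolver", ["localhost"]),
    ("internal", ["localnets", "!dns_slaves"]),
    ("external", ['"any"']),
]

if __name__ == "__main__":
    slave = "67.134.161.163"
    for label, cfg in [("as posted", MASTER_AS_POSTED),
                       ("!dns_slaves first", MASTER_FIXED),
                       ("!dns_slaves last", MASTER_WRONG_ORDER)]:
        print(f"{label:18} slave -> view {str(view_for(cfg, slave)):10} "
              f"hd.net AXFR possible: {zone_visible(cfg, slave, 'hd.net')}")
    # Other fix: slave uses  transfer-source 198.51.100.7;  (assumed TEST-NET-2
    # address outside the master's localnets), so it lands in "external".
    print("transfer-source outside LAN ->", view_for(MASTER_AS_POSTED, "198.51.100.7"))
```

The practical check against a real server is the same as the model's last column: once the slave's requests land in the master's external view, `dig @67.134.161.162 hd.net AXFR` run from the slave returns the zone instead of a refusal, and `named-checkconf` on the master confirms the edited match-clients list parses.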