Zone Transfer issue on BIND9

snoop at email.it snoop at email.it
Fri Aug 24 11:09:31 UTC 2012


Hi there,
I have an issue related to zone transfers which I couldn't fix. After a lot of
googling I found a supposed fix, but it doesn't seem to work.

The main issue is that all my zones get transferred to the slave properly
but all the files related to the same view are identical.
I've found some similar issues and they were all pointing to the same ISC
FAQ link (https://www.isc.org/faq/item/182) which doesn't fix the issue at
all.

I have three main views and I've tried to apply the fix in the aforementioned
link. I've also tried removing the "dmz" view from my configuration to
reflect a scenario as close as possible to the one in the FAQ, with no
success.

I've spent about 4 days trying to figure out why. At the moment I've
just replaced everything with a two-master configuration, which implies
manual updates. I can theoretically live with that as I don't need to push
updates too often, but I can't live well without understanding what I am
missing.

Any hint about an evident or hidden mistake would be really appreciated.
Below is an extract from my configurations.

***MASTER server (FreeBSD 9.0-RELEASE-p3 (i386)|| BIND 9.8.3-P2)***
// Internal networks. Referenced by options/allow-recursion and by the
// match-clients / allow-query of the "internal" view below.
// NOTE(review): the slave's copy of this acl differs (172.16.0.0/29 there,
// and no 172.17.1.0/29) -- confirm the two hosts are meant to disagree.
acl "internal" {
        10.0.0.0/26;
        10.0.1.0/28;
        172.16.0.0/27;
        172.16.1.0/28;
        172.17.1.0/29;
        127.0.0.1;
};

// DMZ network. On this host it is only used by allow-recursion and by the
// "dmz" view's allow-query; no view's match-clients refers to it, so DMZ
// clients are never steered into the "dmz" view (see that view below).
acl "dmz" { 172.17.2.0/27; };

// Datacentre hosts, including the slave (171.XX.YY.27). Because the slave's
// address is in this list, an UNSIGNED request from the slave would match
// the "internal" view; the slave's requests are signed, though (see the
// "external" view), so this acl does not decide which view serves it.
// NOTE(review): the slave's copy of this acl lacks 172.16.3.0/27.
acl "datacentre" {
        171.XX.YY.24;
        171.XX.YY.25;
        171.XX.YY.26;
        171.XX.YY.27;
        171.XX.YY.28;
        171.XX.YY.29;
        171.XX.YY.30;
        171.XX.YY.31;
        172.16.3.0/27;
};

// The single TSIG key shared with the slave ("TSIG-KEY." on the slave is the
// same name in absolute form). One shared key means the master cannot tell
// which of the slave's views a transfer request comes from -- a per-view key
// (the approach in the ISC FAQ the post refers to) is needed for that.
key TSIG-KEY {
algorithm hmac-sha512;
secret "HASH OMITTED";
};

// Sign everything this host sends to the slave (NOTIFYs in particular)
// with TSIG-KEY. Declared globally, so it applies to all views.
server 171.XX.YY.27 {
   keys { TSIG-KEY ;};
};

// Global defaults; the views below override allow-query / allow-transfer
// per zone.
options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        version "";
        allow-recursion { internal; dmz; datacentre; };
        allow-update { none; };
        // Transfers are denied by default and re-enabled per zone below.
        allow-transfer { none; };
        // Only the internal address is bound; the slave therefore reaches this
        // master via 10.0.0.15, which matches the slave's "masters" lists.
        listen-on { 10.0.0.15; 127.0.0.1; };
//      listen-on-v6    { ::1; };
        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};

// Internal view. match-clients is evaluated in order: "!key TSIG-KEY"
// rejects any request signed with TSIG-KEY before the address lists are
// consulted. Since the slave signs every request to this master with that
// key (its global "server 10.0.0.15" statement), the slave NEVER transfers
// from this view -- every slave view ends up pulling from "external" instead,
// which is consistent with the identical slave files described in the post.
view "internal" {
        match-clients { !key TSIG-KEY; internal; datacentre; };
        allow-query { internal; datacentre; };
        zone "." {
                type hint;
                file "/etc/namedb/named.root";
        };

        zone "127.in-addr.arpa" {
                type master;
                file "/etc/namedb/master/localhost-reverse.db";
                allow-transfer { localhost; };
        };

        // Per-zone allow-transfer is by the slave's source address only. With
        // TSIG already in place, "allow-transfer { key TSIG-KEY; };" (or the
        // per-view key, once introduced) ties authorisation to the key rather
        // than to an IP address.
        zone "DOMAIN01.eu" {
                type master;
                file "/etc/namedb/master/DOMAIN01.eu.int.zone";
                allow-transfer { 171.XX.YY.27; };
                notify yes;   // default in BIND 9; harmless but redundant
        };

        zone "DOMAIN02.net" {
                type master;
                file "/etc/namedb/master/DOMAIN02.net.int.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        zone "DOMAIN03.net" {
                type master;
                file "/etc/namedb/master/DOMAIN03.net.int.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        zone "0.0.10.in-addr.arpa" IN {
                type master;
                file "/etc/namedb/master/0.0.10.in-addr.arpa.int.zone";
                allow-transfer { 171.XX.YY.27; };
        };
        // NOTE(review): file is named ".ext.zone" inside the internal view,
        // unlike its siblings -- confirm this is the intended data file.
        zone "1.16.172.in-addr.arpa" IN {
                type master;
                file "/etc/namedb/master/1.16.172.in-addr.arpa.ext.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        zone "3.16.172.in-addr.arpa" IN {
                type master;
                file "/etc/namedb/master/3.16.172.in-addr.arpa.int.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        zone "1.17.172.in-addr.arpa" {
                type master;
                file
"/etc/namedb/master/1.17.172.in-addr.arpa.ssl-vpn.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        // Same file as the "dmz" view's copy of this zone.
        zone "2.17.172.in-addr.arpa" {
                type master;
                file "/etc/namedb/master/2.17.172.in-addr.arpa.dmz.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        zone "YY.XX.171.in-addr.arpa" {
                type master;
                file
"/etc/namedb/master/YY.XX.171.in-addr.arpa.masterdc.zone";
                allow-transfer { 171.XX.YY.27; };
        };

///////////////// SECURITY BLOCK /////////////////
...
OMITTED
...
};

// DMZ view. Its match-clients is byte-for-byte the same as the "internal"
// view's, and views are tried in order, so any client that reaches this view
// has already failed the identical test above: this view is unreachable.
// The "dmz" acl (172.17.2.0/27) is not matched by any view, so DMZ hosts
// fall through to "external". The likely intent is
// "match-clients { !key TSIG-KEY; dmz; };" -- confirm before changing.
view "dmz" {
        match-clients { !key TSIG-KEY; internal; datacentre; };
        allow-query { dmz; };   // never consulted while the view is unreachable
        zone "DOMAIN01.eu" {
                type master;
                file "/etc/namedb/master/DOMAIN01.eu.dmz.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        zone "2.17.172.in-addr.arpa" {
                type master;
                file "/etc/namedb/master/2.17.172.in-addr.arpa.dmz.zone";
                allow-transfer { 171.XX.YY.27; };
        };
///////////////// SECURITY BLOCK /////////////////
...
OMITTED
...
};

// External view. "key TSIG-KEY" matches every request the slave sends
// (all of them are signed with this key), and "any" matches everything
// else. The two earlier views reject signed requests, so this is the view
// that serves ALL of the slave's transfer requests regardless of which
// slave view issued them -- the slave's "internal", "dmz" and "external"
// files therefore all receive this view's data. Distinguishing them needs
// one TSIG key per view: each master view matches on its own key and each
// slave view carries its own "server { keys ... }" statement.
view "external" {
        match-clients { key TSIG-KEY; any; };
        allow-query { any; };
        // allow-transfer is by source address; "key TSIG-KEY" (or the
        // per-view key) would bind transfer authorisation to the signature.
        zone "DOMAIN01.eu" {
                type master;
                file "/etc/namedb/master/DOMAIN01.eu.ext.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        zone "DOMAIN02.net" {
                type master;
                file "/etc/namedb/master/DOMAIN02.net.ext.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        zone "DOMAIN03.net" {
                type master;
                file "/etc/namedb/master/DOMAIN03.net.ext.zone";
                allow-transfer { 171.XX.YY.27; };
        };

        zone "YY.XX.171.in-addr.arpa" {
                type master;
                file "/etc/namedb/master/YY.XX.171.in-addr.arpa.ext.zone";
                allow-transfer { 171.XX.YY.27; };
        };

///////////////// SECURITY BLOCK /////////////////
...
OMITTED
...
};

// Logging configuration omitted by the poster. A channel for the "xfer-in" /
// "xfer-out" / "notify" categories would show which view each transfer
// request was matched to, which is the quickest way to confirm the view
// selection described above.
logging {
...
OMITTED
...
};


***SLAVE server (FreeBSD 9.0-RELEASE-p3 (amd64)|| BIND 9.8.1-P1)***
// Internal networks as seen by the slave.
// NOTE(review): differs from the master's copy (172.16.0.0/29 here vs /27
// there, and 172.17.1.0/29 is missing) -- confirm which one is correct.
acl "internal" {
        10.0.0.0/26;
        10.0.1.0/28;
        172.16.0.0/29;
        172.16.1.0/28;
        127.0.0.1;
};

// DMZ network; used only by the "dmz" view's allow-query on this host.
acl "dmz" { 172.17.2.0/27; };

// Datacentre hosts, including this slave itself (171.XX.YY.27).
// NOTE(review): the master's copy also lists 172.16.3.0/27.
acl "datacentre" {
        171.XX.YY.24;
        171.XX.YY.25;
        171.XX.YY.26;
        171.XX.YY.27;
        171.XX.YY.28;
        171.XX.YY.29;
        171.XX.YY.30;
        171.XX.YY.31;
};

// Same key as the master's "TSIG-KEY" (the trailing dot is the absolute form
// of the same name). Being the only key, it cannot identify which slave view
// a transfer request belongs to; see the "server" statement below.
key TSIG-KEY. {
algorithm hmac-sha512;
secret "HASH-OMITTED";
};

// Global server statement: EVERY view on this slave signs its SOA/AXFR
// requests to the master with the same key. On the master, signed requests
// are rejected by the "internal" and "dmz" views ("!key TSIG-KEY") and land
// in "external", so all three slave views receive the external zone data.
// The ISC FAQ approach moves this statement inside each view, each with its
// own key, so the master can match the request to the right view.
server 10.0.0.15 {
   keys { TSIG-KEY. ;};
};

// Global defaults for the slave; "internal" and "dmz" re-enable recursion
// inside their view bodies.
options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        version "";
        // NOTIFYs accepted from the master (10.0.0.15) and from this host's
        // own address.
        allow-notify { 171.XX.YY.27; 10.0.0.15; };
        recursion no;
        // NOTE(review): a global allow-update applies to every master zone in
        // every view; the only master zone here (127.in-addr.arpa) overrides
        // it with "none", and it is not meaningful for slave zones. Presumably
        // unneeded -- verify before relying on it.
        allow-update { key TSIG-KEY.; };
        listen-on { 171.XX.YY.27; 127.0.0.1; };
//      listen-on-v6    { ::1; };
        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};

// Internal view on the slave. The slave zones below fetch from 10.0.0.15;
// because of the global "server 10.0.0.15" statement those requests are
// signed with TSIG-KEY., and the master answers them from its "external"
// view, not its "internal" one. With a per-view key, the matching "server"
// statement would sit here, inside the view.
view "internal" {
        match-clients { !key TSIG-KEY; internal; datacentre; };
        recursion yes;
        allow-query { internal; datacentre; };
        zone "." {
                type hint;
                file "/etc/namedb/named.root";
        };

        zone "127.in-addr.arpa" {
                type master;
                file "/etc/namedb/master/localhost-reverse.db";
                allow-transfer { localhost; };
                allow-update { none; };   // overrides the global allow-update
        };

        zone "DOMAIN01.eu" {
                type slave;
                file "/etc/namedb/slave/DOMAIN01.eu.int.zone";
                masters { 10.0.0.15; };
        };

        zone "DOMAIN02.net" {
                type slave;
                file "/etc/namedb/slave/DOMAIN02.net.int.zone";
                masters { 10.0.0.15; };
        };

        zone "DOMAIN03.net" {
                type slave;
                file "/etc/namedb/slave/DOMAIN03.net.int.zone";
                masters { 10.0.0.15; };
        };

        zone "0.0.10.in-addr.arpa" IN {
                type slave;
                file "/etc/namedb/slave/0.0.10.in-addr.arpa.int.zone";
                masters { 10.0.0.15; };
        };
        // NOTE(review): ".ext.zone" file name inside the internal view, same
        // as on the master -- confirm it is intended.
        zone "1.16.172.in-addr.arpa" IN {
                type slave;
                file "/etc/namedb/slave/1.16.172.in-addr.arpa.ext.zone";
                masters { 10.0.0.15; };
        };

        zone "3.16.172.in-addr.arpa" IN {
                type slave;
                file "/etc/namedb/slave/3.16.172.in-addr.arpa.int.zone";
                masters { 10.0.0.15; };
        };

        zone "1.17.172.in-addr.arpa" {
                type slave;
                file "/etc/namedb/slave/1.17.172.in-addr.arpa.ssl-vpn.zone";
                masters { 10.0.0.15; };
        };

        // Same file path as the "dmz" view's copy of this zone: two views
        // writing the same slave file is itself enough to make them identical.
        zone "2.17.172.in-addr.arpa" {
                type slave;
                file "/etc/namedb/slave/2.17.172.in-addr.arpa.dmz.zone";
                masters { 10.0.0.15; };
        };

        zone "YY.XX.171.in-addr.arpa" {
                type slave;
                file
"/etc/namedb/slave/YY.XX.171.in-addr.arpa.masterdc.zone";
                masters { 10.0.0.15; };
        };

///////////////// SECURITY BLOCK /////////////////
...
OMITTED
...
};

// DMZ view on the slave. As on the master, its match-clients is identical
// to the "internal" view's, so no client can reach it (the "dmz" acl is not
// referenced by any match-clients). Its slave zones are still transferred,
// and -- signed with the shared key -- they too come from the master's
// "external" view.
view "dmz" {
        match-clients { !key TSIG-KEY; internal; datacentre; };
        recursion yes;
        allow-query { dmz; };
        zone "DOMAIN01.eu" {
                type slave;
                file "/etc/namedb/slave/DOMAIN01.eu.dmz.zone";
                masters { 10.0.0.15; };
        };

        // Same file path as the "internal" view's copy of this zone.
        zone "2.17.172.in-addr.arpa" {
                type slave;
                file "/etc/namedb/slave/2.17.172.in-addr.arpa.dmz.zone";
                masters { 10.0.0.15; };
        };

///////////////// SECURITY BLOCK /////////////////
...
OMITTED
...
};

// External view on the slave. Unlike the master's "external" view (which
// ends in "any"), this one only admits key-signed, internal or datacentre
// clients; a request from any other address matches no view at all. If
// this slave is meant to answer public queries on 171.XX.YY.27, that is
// presumably not intended -- verify.
view "external" {
        match-clients { key TSIG-KEY.; internal; datacentre; };
        allow-query { any; };
        zone "DOMAIN01.eu" {
                type slave;
                file "/etc/namedb/slave/DOMAIN01.eu.ext.zone";
                masters { 10.0.0.15; };
        };

        zone "DOMAIN02.net" {
                type slave;
                file "/etc/namedb/slave/DOMAIN02.net.ext.zone";
                masters { 10.0.0.15; };
        };

        zone "DOMAIN03.net" {
                type slave;
                file "/etc/namedb/slave/DOMAIN03.net.ext.zone";
                masters { 10.0.0.15; };
        };

        zone "YY.XX.171.in-addr.arpa" {
                type slave;
                file "/etc/namedb/slave/YY.XX.171.in-addr.arpa.ext.zone";
                masters { 10.0.0.15; };
        };

///////////////// SECURITY BLOCK /////////////////
...
OMITTED
...
};

// Logging configuration omitted by the poster. Logging the "xfer-in" and
// "notify" categories here would show, per transfer, which view on this
// slave requested it and whether the master accepted it.
logging {
...
OMITTED
...
}; 


