One zone in 2 views

Evan Hunt each at isc.org
Thu Sep 26 15:02:15 UTC 2013


On Thu, Sep 26, 2013 at 06:37:30PM +1200, Michael Ludvig wrote:
> Hi
> 
> I've got two nameservers (ns1 master, ns2 slave) each with 2 views
> (internal, external) and a number of zones.
> 
> At the moment I'm serving all zones to internal view but would like to
> have some zones served to external clients as well.
> 
> I've got two questions:
> 
> 1) If I have different example.com in internal and external view on ns1
> (master) can I mirror them both to ns2's internal and external views?
> Right now I can only do the internal and have no idea how to mirror the
> external to ns2. Is it possible at all?

Yes. You set up a TSIG key for the purpose, and configure ns1 like this:

   view internal {
       match-clients { !key ext-key; localhost; localnets; };
       ...
   };

   view external {
       match-clients { any; };
   };

So then messages from your local network would go to the internal
view *unless* they were signed with ext-key, which would cause the
match to fail and the message would go to the external view instead.

On ns2, you'll set up the zone (for the external view) like this:

   zone example.com {
       type slave;
       masters { 1.2.3.4 key ext-key; };
       ...
   };

... which means that transfer requests from ns1 will be signed with
ext-key, and will reach the external view on ns1.  In the internal view,
you leave out the "key ext-key" part, and zone transfer requests will go to
the internal view.

> 2) I've got pub.example.com that should be the same in internal and
> external view. We automatically update this zone with nsupdate.
> The slave (ns2) can see the master's internal view and mirrors the zone,
> so I guess I can mirror it in the internal view and somehow make the
> same zone-file available in ns2's external view. How do I do that?
> Should it have a "type master" (but it's not a master) or slave (it's
> not being axfr'ed in the external view though).

You can actually use the same trick as above to have zones transfer from
one view to another within the same server.  Put a master in external
and a slave in internal, and have the slave use "key ext-key" in its
masters statement.

BIND 9.10 is going to include the ability to reference the same
zone from more than one view, sparing the need to keep two copies in
memory and deal with intra-server zone transfers.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
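
As an added illustration of the setup described in the reply (not Evan Hunt's or ISC's own configuration), here is one way ns1's named.conf could look with both views, the shared TSIG key, and pub.example.com mastered in the external view and mirrored into the internal view via a signed intra-server transfer. The key secret, file paths and the `allow-transfer`/`also-notify` tightening are assumptions added here; 1.2.3.4 stays ns1's address as in the thread, and ns2 keeps the slave stanza already shown above.

```conf
// Shared TSIG key; the same definition goes into ns2's named.conf as well.
key ext-key {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder; generate with tsig-keygen
};

// ---- ns1 (master) ----
view internal {
    // A request signed with ext-key fails this match and falls through
    // to the external view, even when it comes from localhost or localnets.
    match-clients { !key ext-key; localhost; localnets; };

    zone "example.com" {
        type master;
        file "internal/example.com.db";    // must not be the external view's file
    };

    // pub.example.com is mastered in the external view; the internal copy is
    // a slave of this same server, reached by signing the transfer with ext-key.
    zone "pub.example.com" {
        type slave;
        masters { 127.0.0.1 key ext-key; };
        file "internal/pub.example.com.db";
    };
};

view external {
    match-clients { any; };

    zone "example.com" {
        type master;
        file "external/example.com.db";
        allow-transfer { key ext-key; };   // only ext-key-signed requests (ns2) may AXFR
    };

    zone "pub.example.com" {
        type master;
        file "external/pub.example.com.db";  // add your nsupdate allow-update/update-policy here
        allow-transfer { key ext-key; };     // covers ns2 and this host's internal view
        also-notify { 127.0.0.1; };          // wake the internal-view slave on this host
    };
};
```

Each zone copy needs its own `file`, since two views writing the same path corrupt each other; `named-checkconf` and a `dig -y hmac-sha256:ext-key:<secret>` against ns1 are the quick checks that the key is accepted and that a signed query lands in the external view.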

