Disabling RPZ for a few clients / views sharing zones
Chuck Anderson
cra at WPI.EDU
Thu Feb 6 20:10:03 UTC 2014
On Thu, Feb 06, 2014 at 09:50:26AM -0800, Doug Barton wrote:
> On 02/06/2014 06:27 AM, Chuck Anderson wrote:
> >I was kinda hoping that newer
> >versions of BIND could share zones (with identical zone contents)
> >between views without requiring the messy multiple IP alias setup.
>
> You have always been able to do this with include files.
I'm not sure how this helps. If you do this:
named.conf:

    view "no-rpz" {
        match-clients { 192.168.1.1; };
        zone "example.com" {
            type slave;
            file "/var/named/slaves/example.com.zone";
            masters { 10.0.0.1; };
        };
    };

    view "global" {
        match-clients { any; };
        response-policy { zone "rpzip.example.com"; };
        zone "rpzip.example.com" {
            type slave;
            file "/var/named/slaves/rpzip.example.com.zone";
            masters { 10.0.0.2; };
        };
        zone "example.com" {
            type slave;
            file "/var/named/slaves/example.com.zone";
            masters { 10.0.0.1; };
        };
    };

Then the "global" view sees updates to example.com quickly, as soon as
NOTIFY is sent by the master and the zone is transferred. However,
the "no-rpz" view doesn't see changes to example.com in a timely
manner. I've had to wait awhile (SOA refresh) for new records to
appear and old records to disappear from the "no-rpz" view's
example.com zone.
I don't see how changing it to use includes helps the matter any:
named.conf.example.com:

    zone "example.com" {
        type slave;
        file "/var/named/slaves/example.com.zone";
        masters { 10.0.0.1; };
    };

named.conf:

    view "no-rpz" {
        match-clients { 192.168.1.1; };
        include "named.conf.example.com";
    };

    view "global" {
        match-clients { any; };
        response-policy { zone "rpzip.example.com"; };
        zone "rpzip.example.com" {
            type slave;
            file "/var/named/slaves/rpzip.example.com.zone";
            masters { 10.0.0.2; };
        };
        include "named.conf.example.com";
    };

Maybe I'm missing something.
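An added example, not part of the thread above: the refresh lag happens because each view holds its own slave copy of example.com, and the NOTIFY from 10.0.0.1 is matched to the "global" view (the "no-rpz" view only matches 192.168.1.1), so the other copy waits for its SOA refresh. BIND 9.10 and later provide the in-view zone option, which lets a later view reference a zone already defined in an earlier view so a single transfer serves both; the addresses and paths are the ones from the post, and the view order matters because in-view can only reference a view that appears before it.

```conf
// Requires BIND 9.10 or newer. The shared slave zone is defined once,
// in the first view; the second view references that same zone object.
view "no-rpz" {
    match-clients { 192.168.1.1; };
    zone "example.com" {
        type slave;
        file "/var/named/slaves/example.com.zone";
        masters { 10.0.0.1; };
    };
};

view "global" {
    match-clients { any; };
    response-policy { zone "rpzip.example.com"; };
    zone "rpzip.example.com" {
        type slave;
        file "/var/named/slaves/rpzip.example.com.zone";
        masters { 10.0.0.2; };
    };
    // Same zone instance as in "no-rpz": one transfer, both views updated,
    // while RPZ still applies only to this view.
    zone "example.com" {
        in-view "no-rpz";
    };
};
```

On releases older than 9.10 each view still needs its own zone instance, and the two instances should at least use distinct file names, since named warns when two writable zones share one file.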