dynamic update of split view acl

/dev/rob0 rob0 at gmx.co.uk
Sat Feb 28 14:27:47 UTC 2015


On Sat, Feb 28, 2015 at 04:27:36AM -0800, Matt Calder wrote:
> I'm running BIND 9.9.5-3 on Ubuntu 14.04.1.
> 
> I'm trying to figure out how to change the match-clients prefixes 
> in a view without having to restart BIND or do full config reload. 
> My actual BIND config has many views and restarts can take several 
> minutes.

Did you try "rndc reconfig"?  That might be a bit faster because it 
doesn't reload zones.

> Here is my simple test set up.

Unfortunately HTMLified by your MUA.

> view "view1" {
>     match-clients { 204.57.0.0/24; 204.57.5.0/24; };
>     zone "domaintest.com" in {
>         type master;
>         file "/etc/bind/view1.zone";
>     };
> };
> view "view2" {
>     match-clients { 216.55.18.0/24; };
>     zone "domaintest.com" in {
>         type master;
>         file "/etc/bind/view2.zone";
>     };
> };

I'd recommend using acl statements:

#v+
# here I am naming each component network
# (use names that make sense to you)
acl "net-57-0" { 204.57.0.0/24; };
acl "net-57-5" { 204.57.5.0/24; };
acl "net-216-55-18" { 216.55.18.0/24; };
# and then I build the composite networks per view
acl "view1" { net-57-0; net-57-5; };
acl "view2" { net-216-55-18; };

# That done, use the composites as match-clients:

view "view1" {
	match-clients { view1; };
	... (other view stuff) ...
};

view "view2" {
	match-clients { view2; };
	... (other view stuff) ...
};
#v-

> Say I move 204.57.0.0/24 from view1 to view2, my hope was that I 
> could simply do
> 
> 
> $ rndc reload domaintest.com in view1
> $ rndc reload domaintest.com in view2
> 
> and match-clients would also be updated but this doesn’t work.
> I increment the serial of view1.zone and view2.zone, but 
> 204.57.0.0/24 is still matched by view1. Is there any way to 
> accomplish this?

Right.  So you redo your acl statements and do "rndc reconfig".

The acls are simply there to make it easier to manage.  The real 
answer is reconfig.  That will work even without acls.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

