DNS views TSIG and zone xfers

project722 project722 at gmail.com
Thu Aug 25 22:14:12 UTC 2016


I have successfully set up TSIG keys for "views" using a DNS master/slave
pair. Zone transfers are working as expected between the 2 servers for each
view. Before we go live into production with this I need some clarification
on a couple things. Our prod servers are also allowing zone transfers to a
few other servers besides the slave server. We have an acl setup that looks
similar to this:

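// Address-only transfer list. Note the original was missing the "acl" keyword
// and the closing comment named a different ACL ("other_xfer_allowed").
// Caveat: listing a whole /24 grants AXFR to every host in that range, not just
// the DNS servers behind the NAT; narrow these to the actual NAT/source
// addresses where possible. Source-address checks are weaker than TSIG, so
// keep the slave on the key and use this ACL only for the hosts that cannot
// be given a key.
acl "other_xfer_allowed_ns" {
    x.x.x.x;       // Secondary (slave) DNS server
    127.0.0.1;     // localhost may request zone transfers
    x.x.x.x/24;    // Server farm range
    x.x.x.x/24;    // NAT pool for internal DNS server zone transfers
    x.x.x.x/24;    // NAT pool for internal DNS server zone transfers
    x.x.x.x/24;    // NAT pool for internal DNS server zone transfers
};  // end of "other_xfer_allowed_ns" ACL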

And in the "allow transfer" statement we have included that ACL. My
question is:

Now that we are using TSIG, will I need to get with the admins of all these
other servers and provide them my TSIG key so they can request zone
transfers? I would think something like that needs to be done since it was
required to be configured on the slave server, but I am not sure. I'd rather do
an IP based control just for these other servers instead of TSIG but I am
not sure how that would look or how to set that up in the context of my
config. How can I tell my conf to NOT force these other xfer allowed
servers to use TSIG and use IP only? This gets complicated when you start
throwing views into the mix.

// Source addresses that are steered into the "corpnet" view (see match-clients).
acl internal {
    192.168.200.0/24;   // corpnet
};

    // Source addresses that are steered into the "external" view (see match-clients).
    acl external {
        192.168.201.0/24;
        192.168.202.0/24;
    };


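 // Address-only transfer list. The "acl" keyword was missing and the closing
 // comment named a different ACL ("other_xfer_allowed"); both fixed here.
 // Caveat: a /24 here grants AXFR to every host in that range, not only the
 // DNS servers behind the NAT -- narrow to the real source addresses where you
 // can. Keep the slave on TSIG; use this list only for hosts that cannot hold a key.
 acl "other_xfer_allowed_ns" {
     x.x.x.x;       // Secondary (slave) DNS server
     127.0.0.1;     // localhost may request zone transfers
     x.x.x.x/24;    // Server farm range
     x.x.x.x/24;    // NAT pool for internal DNS server zone transfers
     x.x.x.x/24;    // NAT pool for internal DNS server zone transfers
     x.x.x.x/24;    // NAT pool for internal DNS server zone transfers
 };  // end of "other_xfer_allowed_ns" ACL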


    // TSIG key shared only with the slave. A request signed with it is matched
    // into the "corpnet" view by that view's match-clients, so the key doubles
    // as the view selector for the slave. Keep the secret out of world-readable
    // files (e.g. in a separate include with restrictive permissions).
    key "tsigkey" {
        algorithm HMAC-SHA512;
        secret   "xxxxxxxxx";   // base64 secret, redacted
    };

    // Second, distinct TSIG key for the "external" view. Requests signed with
    // it land in that view, so the slave must use a different key per view
    // to receive each view's copy of sharedzone.com. Same secret-handling
    // caveat as tsigkey.
    key "tsigkeyext" {
        algorithm HMAC-SHA512;
        secret  "xxxxxxxxxx";   // base64 secret, redacted
    };


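    view "corpnet" {
        // Unsigned requests from the internal ACL, or any request signed with
        // tsigkey (the slave), are answered from this view.
        match-clients { internal; key tsigkey; };

        // Keys listed in a server statement are used for requests named sends
        // to that server, so the NOTIFY to the slave is signed with tsigkey.
        server 192.168.173.78 {
            keys { tsigkey; };
        };

        also-notify { 192.168.173.78; };

        zone "." IN {
            type hint;
            file "named.ca";
        };

        zone "internalzone1.com" IN {
            type master;
            file "internalzone1.com";
            // An address match list matches if ANY element matches, so the
            // slave transfers with the key while hosts in other_xfer_allowed_ns
            // transfer by source address alone and never need the key.
            // Those hosts must still fall inside this view's match-clients
            // (the internal ACL) or they will not reach this zone at all.
            allow-transfer { key tsigkey; other_xfer_allowed_ns; };
        };

        zone "sharedzone.com" IN {
            type master;
            file "sharedzone1.com";   // corpnet copy of the shared zone
            allow-transfer { key tsigkey; other_xfer_allowed_ns; };
        };

        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
    };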


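    view "external" {
        // Unsigned requests from the external ACL, or any request signed with
        // tsigkeyext (the slave), are answered from this view.
        match-clients { external; key tsigkeyext; };

        // Requests named sends to the slave (NOTIFY) are signed with tsigkeyext,
        // which is what steers the slave into this view for these zones.
        server 192.168.173.78 {
            keys { tsigkeyext; };
        };

        also-notify { 192.168.173.78; };

        zone "." IN {
            type hint;
            file "named.ca";
        };

        zone "externalzone1.com" IN {
            type master;
            file "externalzone1";   // NOTE(review): no ".com" suffix unlike the other zone files -- confirm the filename
            // Key OR source address grants AXFR; hosts in other_xfer_allowed_ns
            // need no key. If a NAT pool is not inside the external ACL, those
            // hosts match a different view (or none) and will not get this copy.
            allow-transfer { key tsigkeyext; other_xfer_allowed_ns; };
        };  // this closing brace was missing in the original, nesting sharedzone.com inside this zone

        zone "sharedzone.com" IN {
            type master;
            file "sharedzone2.com";   // external copy of the shared zone
            allow-transfer { key tsigkeyext; other_xfer_allowed_ns; };
        };

        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
    };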