DNS views TSIG and zone xfers

project722 project722 at gmail.com
Thu Aug 25 22:25:35 UTC 2016


Actually, I got to thinking about this. The "other_allowed_ns" ACL is in
the global options, along with an "allow-transfer" for that ACL. So, I
*think* they will still be able to zone transfer via the global option
based on simply IP. BUT...since I have multiple views, which zones from
which views get sent over to these servers and how will they know how to
handle the info if zones from both views get sent. Would something like
this help:

allow-transfer { other_allowed_ns; view "external"; };

So they only get sent the zones from the external view?

On Thu, Aug 25, 2016 at 5:14 PM, project722 <project722 at gmail.com> wrote:

> I have successfully setup TSIG keys for "views" using a DNS master/server
> pair. Zone transfers are working as expected between the 2 servers for each
> view. Before we go live into production with this I need some clarification
> on a couple things. Our prod servers are also allowing zone transfers to a
> few other servers besides the slave server. We have an acl setup that looks
> similar to this:
>
> acl other_xfer_allowed_ns {
> x.x.x.x; // This is our Secondary DNS server
> 127.0.0.1; // localhost can make zone transfers
> x.x.x.x/24; // Server Farm Range is allowed to make zone-transfers
> x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers
> x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers
> x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers
> }; // end of "other_xfer_allowed" ACL
>
> And in the "allow transfer" statement we have included that ACL. My
> question is:
>
> Now that we are using TSIG, will I need to get with the admins of all
> these other servers and provide them my TSIG key so they can request zone
> transfers? I would think something like that needs to be done since it was
> required to be configured on slave server, but I am not sure. I'd rather do
> an IP based control just for these other servers instead of TSIG but I am
> not sure how that would look or how to set that up in the context of my
> config. How can I tell my conf to NOT force these other xfer allowed
> servers to use TSIG and use IP only? This gets complicated when you start
> throwing views into the mix.
>
> acl internal {
>     192.168.200.0/24; // corpnet
>     };
>
>     acl external {
>     192.168.201.0/24;
>     192.168.202.0/24;
>     };
>
>
> acl other_xfer_allowed_ns {
> x.x.x.x; // This is our Secondary DNS server
> 127.0.0.1; // localhost can make zone transfers
> x.x.x.x/24; // Server Farm Range is allowed to make zone-transfers
> x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers
> x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers
> x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers
> }; // end of "other_xfer_allowed" ACL
>
>
>     key "tsigkey" {
>     algorithm HMAC-SHA512;
>     secret   "xxxxxxxxx";
>     };
>
>     key "tsigkeyext" {
>     algorithm HMAC-SHA512;
>     secret  "xxxxxxxxxx";
>     };
>
>
>     view "corpnet" {
>       match-clients { internal; key tsigkey; };
>
>       //IP of slave server
>       server 192.168.173.78 {
>       keys { tsigkey; };
>     };
>
>       also-notify {
>           192.168.173.78;
>     };
>
>       zone "." IN {
>       type hint;
>       file "named.ca";
>     };
>
>       zone"internalzone1.com" IN {
>       type master;
>       file "internalzone1.com";
>       allow-transfer { key tsigkey; };
>     };
>
>       zone"sharedzone.com" IN {
>       type master;
>       file "sharedzone1.com";
>       allow-transfer { key tsigkey; };
>     };
>
>      include "/etc/named.rfc1912.zones";
>       include "/etc/named.root.key";
>     };
>
>
>     view "external" {
>       match-clients { external; key tsigkeyext; };
>
>       //IP of slave server
>       server 192.168.173.78 {
>       keys { tsigkeyext; };
>     };
>
>        also-notify {
>           192.168.173.78;
>     };
>
>         zone "." IN {
>         type hint;
>         file "named.ca";
>     };
>
>         zone"externalzone1.com" IN {
>         type master;
>         file "externalzone1";
>         allow-transfer { key tsigkeyext; };
>
>         zone"sharedzone.com" IN {
>         type master;
>         file "sharedzone2.com";
>         allow-transfer { key tsigkeyext; };
>      };
>         include "/etc/named.rfc1912.zones";
>         include "/etc/named.root.key";
>      };
>
>
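Editor's note, added to this archived thread and not part of project722's post or of any ISC sample configuration: the fragment below shows the combination the thread is asking about, an IP-based allow-transfer for a fixed set of servers next to a TSIG-only slave, inside views. Two BIND facts settle the question. First, an allow-transfer inside a zone statement replaces any allow-transfer set in options or in the view, so a global allow-transfer never reaches a zone that carries its own; the address ACL has to appear in each zone's list next to the key. Second, an address match list stops at the first element that matches, so { key tsigkey; other_xfer_allowed_ns; } grants the transfer to a request that is either signed with tsigkey or sent from a listed address, and the address-only servers never need the key. Which copy of sharedzone.com an unsigned request receives is decided by view selection, not by allow-transfer: the request is placed in the first view whose match-clients matches its source address (in the posted config the slave's address 192.168.173.78 is in neither ACL, so only its key chooses its view), and a request that matches no view at all is refused. The documentation addresses, file names and secrets below are assumptions standing in for the x.x.x.x entries in the original ACL.

```conf
// Added example, not from the original post. 192.0.2.10 and 198.51.100.0/24
// are documentation addresses (assumptions) standing in for the secondary
// and the NAT pools; secrets are placeholders.

acl internal { 192.168.200.0/24; };                    // corpnet
acl external { 192.168.201.0/24; 192.168.202.0/24; };

// Servers allowed to transfer by source address only, without TSIG.
acl other_xfer_allowed_ns {
    127.0.0.1;
    192.0.2.10;          // assumed address of the other secondary
    198.51.100.0/24;     // assumed NAT pool for internal DNS servers
};

key "tsigkey"    { algorithm hmac-sha512; secret "<base64-secret>"; };
key "tsigkeyext" { algorithm hmac-sha512; secret "<base64-secret>"; };

options {
    // Deny by default; every zone that may be transferred says so itself,
    // because a zone-level allow-transfer overrides this one anyway.
    allow-transfer { none; };
};

view "corpnet" {
    // Unsigned requests are assigned to a view by source address, so the
    // address-only servers that should receive the corpnet data must be
    // listed here. A request signed with tsigkey lands here from any address.
    match-clients { localhost; internal; 198.51.100.0/24; key tsigkey; };

    server 192.168.173.78 { keys { tsigkey; }; };   // slave signs with tsigkey
    also-notify { 192.168.173.78; };

    zone "internalzone1.com" IN {
        type master;
        file "internalzone1.com";
        // First matching element wins: signed with tsigkey OR from a
        // listed address. Without the ACL here the address-only servers
        // get REFUSED, whatever options { allow-transfer } says.
        allow-transfer { key tsigkey; other_xfer_allowed_ns; };
    };

    zone "sharedzone.com" IN {
        type master;
        file "sharedzone1.com";                       // corpnet copy
        allow-transfer { key tsigkey; other_xfer_allowed_ns; };
    };
};

view "external" {
    // 192.0.2.10 sends unsigned requests and is not in "corpnet", so it is
    // routed here by address and receives the external copy of sharedzone.com.
    match-clients { external; 192.0.2.10; key tsigkeyext; };

    server 192.168.173.78 { keys { tsigkeyext; }; };
    also-notify { 192.168.173.78; };

    zone "externalzone1.com" IN {
        type master;
        file "externalzone1.com";
        allow-transfer { key tsigkeyext; other_xfer_allowed_ns; };
    };

    zone "sharedzone.com" IN {
        type master;
        file "sharedzone2.com";                       // external copy
        allow-transfer { key tsigkeyext; other_xfer_allowed_ns; };
    };
};
```

To check it, run an unsigned `dig @master sharedzone.com AXFR` from one of the address-only hosts and a signed `dig @master sharedzone.com AXFR -y hmac-sha512:tsigkeyext:<secret>` from the slave; each should return the copy belonging to the view that its source address or key selects, and a host that is in neither ACL and holds no key should get REFUSED. Bear in mind what an address entry actually trusts: a /24 NAT pool lets every machine that shares the NAT pull the zone, and nothing in the request proves which internal host asked, which is the property the TSIG key gives the slave and the address-only servers do without.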