Problem with internal/external VIEWs

Mark Andrews marka at isc.org
Tue Jul 6 00:55:07 UTC 2021


If you want the content to be the same in both views and to be dynamically updatable then use

view view1 {
	zone example.com {
		type primary;
		[ allow-update / update-policy ] { … };
		…
	};
};

view view2 {
	zone example.com { in-view "view1"; };
};

If you want the zone content to be different then use different file names for the zone
and use different TSIG names to select views for NOTIFY, UPDATE, and AXFR.

key view1-update-example.com { … };
key view2-update-example.com { … };
key view1-xfr-example.com { … };
key view2-xfr-example.com { … };

view view1 {
	match-clients {
		key view1-update-example.com; !key view2-update-example.com;
		key view1-xfr-example.com; !key view2-xfr-example.com;
		…
	};
	server <secondary> {
		keys view1-xfr-example.com; // so NOTIFY goes to the correct view
	};
	zone example.com {
		type primary;
		allow-update { key view1-update-example.com; }; // or update-policy
		allow-transfer { key view1-xfr-example.com; };
		file "view1/example.com.db";
	};
};

view view2 {
	match-clients {
		!key view1-update-example.com; key view2-update-example.com;
		!key view1-xfr-example.com; key view2-xfr-example.com;
		…
	};
	server <secondary> {
		keys view2-xfr-example.com; // so NOTIFY goes to the correct view
	};
	zone example.com {
		type primary;
		allow-update { key view2-update-example.com; }; // or update-policy
		allow-transfer { key view2-xfr-example.com; };
		file "view2/example.com.db";
	};
};

and on the secondaries you 

key view1-update-example.com { … };
key view2-update-example.com { … };
key view1-xfr-example.com { … };
key view2-xfr-example.com { … };

view view1 {
	match-clients {
		key view1-update-example.com; !key view2-update-example.com;
		key view1-xfr-example.com; !key view2-xfr-example.com;
		…
	};
	server <primary> {
		keys view1-xfr-example.com; // so SOA, IXFR and AXFR go to the correct view.
	};
	zone example.com {
		type secondary;
		primaries { <address-of-primary>; };
		allow-transfer { key view1-xfr-example.com; };
		file "view1/example.com.db";
	};
};

view view2 {
	match-clients {
		!key view1-update-example.com; key view2-update-example.com;
		!key view1-xfr-example.com; key view2-xfr-example.com;
		…
	};
	server <primary> {
		keys view2-xfr-example.com; // so SOA, IXFR and AXFR go to the correct view.
	};
	zone example.com {
		type secondary;
		primaries { <address-of-primary>; };
		allow-transfer { key view2-xfr-example.com; };
		file "view2/example.com.db";
	};
};

> On 6 Jul 2021, at 05:36, Dean Gibson (DNS Administrator) <isc at mailpen.com> wrote:
> 
> Currently running Bind v9.11.4:
> 
> Several years ago, I implemented multiple VIEWs using (almost) the exact example in the Reference Manual.  However, I wanted the "example-internal.db" and "example-external.db" to be the same file.
> 
> This worked until I wanted to have "example.com" updateable via ddns.  I don't remember the exact error, but I have a note in my configuration file of "don't do that!" (use the same file).  So, I removed the first zone declaration for "example.com".  That was still with Bind v9, but a lesser minor version.
> 
> So, the result is that I can't do a "dig -k tsig.file @localhost -t axfr example.com" from the server command line.  The transfer is denied, because "match-clients" forces me into the first (internal) VIEW.
> 
> The server is behind a firewall (which has a forward to the server), so "dig" works if I specify "dig -k tsig.file @ns1.example.com".  Because of this, I can still use "dig" like I want on the server.
> 
> However, I'd think this must be a common issue.  Any resolution (like recognizing & dealing with two references to a dynamically updated file)?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
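
The view selection that the configuration above relies on, as an added example that is not part of the original message: a small Python model (not BIND code) of first-match match-clients evaluation, showing why a TSIG-signed request from localhost lands in the internal view unless the key entries come first. The address ranges standing in for the elided "…" entries are assumptions.

```python
import ipaddress

def acl_match(acl, src, tsig_key):
    """Evaluate an address match list: the first matching element decides."""
    for elem in acl:
        negated = elem.startswith("!")
        body = elem.lstrip("!")
        if body.startswith("key "):
            hit = tsig_key is not None and tsig_key == body[4:]
        else:
            hit = ipaddress.ip_address(src) in ipaddress.ip_network(body)
        if hit:
            return not negated      # a negated match rejects immediately
    return False                    # nothing matched

def select_view(views, src, tsig_key=None):
    """Views are tried in configuration order; the first whose ACL accepts wins."""
    for name, acl in views:
        if acl_match(acl, src, tsig_key):
            return name
    return None

# Constructed: address-only views, as in the quoted question.
ADDRESS_ONLY = [
    ("view1", ["127.0.0.0/8", "10.0.0.0/8"]),   # assumed internal ranges
    ("view2", ["0.0.0.0/0"]),
]

# Constructed: key entries first, as in the reply; addresses replace the "…".
KEYED = [
    ("view1", ["key view1-update-example.com", "!key view2-update-example.com",
               "key view1-xfr-example.com", "!key view2-xfr-example.com",
               "127.0.0.0/8", "10.0.0.0/8"]),
    ("view2", ["!key view1-update-example.com", "key view2-update-example.com",
               "!key view1-xfr-example.com", "key view2-xfr-example.com",
               "0.0.0.0/0"]),
]

if __name__ == "__main__":
    for label, views in (("address-only", ADDRESS_ONLY), ("keyed", KEYED)):
        got = select_view(views, "127.0.0.1", "view2-xfr-example.com")
        print(f"{label}: view2 key from localhost -> {got}")
```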


