LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 07-11-2010, 01:33 AM   #1
gdanko
LQ Newbie
 
Registered: Feb 2007
Posts: 28

Rep: Reputation: 15
bind9 zone transfer weirdness


I am working on a bind scenario where the master is in one colo and the two slaves are in another.

If I ping the slaves I get their private IPs.

However, when I try to notify the slaves, the notifies are being sent to the public IPs of the slaves. Now I am using int and ext views.

How does bind determine the IP to send the notifies to?

ex: ns2 external view is 216.1.1.5 and ns2 internal view is 10.1.240.24

When bind goes to send a notify to ns2, how is the IP determined? Does it look up against itself? Does it use the nameservers in /etc/resolv.conf?
 
Old 07-11-2010, 02:31 AM   #2
zirias
Member
 
Registered: Jun 2010
Posts: 361

Rep: Reputation: 59
AFAIK, it uses the zone's NS records to determine the slaves to send notifies about that zone. That gets a little complicated when using views and transferring external as well as internal views (for example if the slaves are connected via vpn).

After trying a lot, I ended up setting "notify explicit" on all my master zones to disable the automatic determination of slaves and then adding the slaves' IP addresses in "also-notify". That way, the notify is always sent to the address I wanted, BUT it will never transfer zones in the external view, so the next step is to introduce a key for the external view, e.g.
Code:
key "external" {
        algorithm       hmac-md5;
        secret "XXXXXXXXXXXXXXXXXXXXXX==";
};
and add a "!key external;" to the top of the match-specs for the internal view as well as a "key external;" for the external view and additionally for each slave:
Code:
server <slave-ip> {
        keys    external;
};
So, the slave will get the external view when using this key even on the internal interface for AXFR/IXFR.
 
Old 07-13-2010, 03:56 PM   #3
gdanko
LQ Newbie
 
Registered: Feb 2007
Posts: 28

Original Poster
Rep: Reputation: 15
Thanks, zirias. Makes sense but I have a couple questions.

Is the "key" definition configured in the external view, under "view external {"?

Is it on both the master and slave view definitions?

And the "server <slave-ip> {" directive, is that in the external view on the master only?
 
Old 07-13-2010, 04:06 PM   #4
gdanko
LQ Newbie
 
Registered: Feb 2007
Posts: 28

Original Poster
Rep: Reputation: 15
This is what my config looks like now.

Master:
Code:
view "external" {
        key "external" {
                algorithm       hmac-md5;
                secret "XXXXXXXXXXXXXXXXXXXXXX==";
        };

        server xxx.xxx.xxx.xxx {
                keys    external;
        };

        match-clients {
                key external;
                any;
        };
        recursion no;

        zone "mydomain.com" {
                type master;
                file "/etc/bind/external/db.mydomain.com";
                allow-transfer {
                        any;
                };
        };
};

Slave:
Code:
view "external" {
        key "external" {
                algorithm       hmac-md5;
                secret "1XXXXXXXXXXXXXXXXXXXXXX==";
        };

        match-clients {
                any;
        };
        recursion no;
        transfer-source xxx.xxx.xxx.xxx;

        zone "mydomain.com" {
                type slave;
                masters {
                        yyy.yyy.yyy.yyy;
                };
                file "/etc/bind/external/db.mydomain.com";
                allow-transfer {
                        none;
                };
        };
};
 
Old 07-13-2010, 04:30 PM   #5
zirias
Member
 
Registered: Jun 2010
Posts: 361

Rep: Reputation: 59
Short answer: no. At least, I have it outside the zone sections. It is just a named key (here its name is "external") that is later referenced in the views by this name.

This is my config (with secret hashes replaced by X) for reference. It is used in a scenario where two nameservers are connected via VPN, with internal and external view and some zones owned (master) by the one, some by the other. It took quite a while to get it working.

Code:
options {
        directory "/var/cache/bind";

        auth-nxdomain no;    # conform to RFC1035

        listen-on { any; };
        listen-on-v6 { any; };

        allow-transfer {
                192.168.91.0/24;
        };
        request-ixfr    yes;
        allow-recursion {
                127.0.0.0/8;
                192.168.0.0/16;
                2001:6f8:13ba::/48;
                2a01:198:49d::/48;
                2a01:198:200:3d7::2;
        };
};

key "key" {
        algorithm       hmac-md5;
        secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";
};

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "key"; };
};

key "external" {
        algorithm       hmac-md5;
        secret "XXXXXXXXXXXXXXXXXXXXXX==";
};

view "internal" {
        match-clients {
                !key external;
                127.0.0.0/8;
                192.168.0.0/16;
                2001:6f8:13ba::/48;
                2a01:198:49d::/48;
                2a01:198:200:3d7::2;
        };

        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };

        zone "localhost." {
                type master;
                file "/etc/bind/db.local";
                notify no;
        };

        zone "127.in-addr.arpa." {
                type master;
                file "/etc/bind/db.127";
                notify no;
        };

        zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." {
                type master;
                file "/etc/bind/db.::";
                notify no;
        };

        zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int." {
                type master;
                file "/etc/bind/db.::";
                notify no;
        };

        zone "0.in-addr.arpa." {
                type master;
                file "/etc/bind/db.0";
                notify no;
        };

        zone "255.in-addr.arpa." {
                type master;
                file "/etc/bind/db.255";
                notify no;
        };

        zone "home.palmen-it.de." {
                type master;
                file "/etc/bind/db.lan";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "168.192.in-addr.arpa." {
                type master;
                file "/etc/bind/db.rev-lan";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "palmen.homeip.net." {
                type master;
                file "/etc/bind/db.dyndns";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "barock-ter.mine.nu." {
                type master;
                file "/etc/bind/db.dyndns";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "mini-chat.ath.cx." {
                type master;
                file "/etc/bind/db.dyndns";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "zirias.ath.cx." {
                type master;
                file "/etc/bind/db.dyndns";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "a.b.3.1.8.f.6.0.1.0.0.2.ip6.arpa." {
                type master;
                file "/etc/bind/db.2001:6f8:13ba";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "a.b.3.1.8.f.6.0.1.0.0.2.ip6.int." {
                type master;
                file "/etc/bind/db.2001:6f8:13ba";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "d.9.4.0.8.9.1.0.1.0.a.2.ip6.arpa." {
                type slave;
                masters { 192.168.91.1; };
                file "slave/db.2a01:198:49d.int.arpa";
                allow-notify { 192.168.91.1; };
                notify no;
        };

        zone "d.9.4.0.8.9.1.0.1.0.a.2.ip6.int." {
                type slave;
                masters { 192.168.91.1; };
                file "slave/db.2a01:198:49d.int.int";
                allow-notify { 192.168.91.1; };
                notify no;
        };
};

view "external" {
        match-clients {
                key     external;
                any;
        };
        server 192.168.91.1 {
                keys    external;
        };

        zone "home.palmen-it.de." {
                type master;
                file "/etc/bind/db.xdns.ext";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "a.b.3.1.8.f.6.0.1.0.0.2.ip6.arpa." {
                type master;
                file "/etc/bind/db.2001:6f8:13ba.ext";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "a.b.3.1.8.f.6.0.1.0.0.2.ip6.int." {
                type master;
                file "/etc/bind/db.2001:6f8:13ba.ext";
                notify explicit;
                also-notify { 192.168.91.1; };
        };

        zone "d.9.4.0.8.9.1.0.1.0.a.2.ip6.arpa." {
                type slave;
                masters { 192.168.91.1; };
                file "slave/db.2a01:198:49d.arpa";
                allow-notify { 192.168.91.1; };
                notify no;
        };

        zone "d.9.4.0.8.9.1.0.1.0.a.2.ip6.int." {
                type slave;
                masters { 192.168.91.1; };
                file "slave/db.2a01:198:49d.int";
                allow-notify { 192.168.91.1; };
                notify no;
        };
};
Of course, this is only ONE side of the config -- the other is very similar, basically the "master" and "slave" roles for the individual zones exchanged.

Last edited by zirias; 07-13-2010 at 04:32 PM.
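To make the mechanism behind both of zirias' posts concrete (the "!key external;" / "key external; any;" match-clients layout, and "notify explicit" with "also-notify"), here is an added Python model of how BIND 9 evaluates an address match list and picks NOTIFY targets. It is example code written for this page, not code from the thread or from BIND itself; it models BIND's documented first-match rule (a negated element that matches denies, a plain match allows, no match denies) and the default of not notifying the SOA MNAME host (notify-to-soa no). It only compares TSIG key names; real BIND verifies the signature as well. All addresses, zone data and key names below are constructed sample values.

```python
# Added example (not from the thread or from BIND): a small model of BIND 9's
# match-clients evaluation and NOTIFY target selection, to show why a request
# signed with the "external" TSIG key lands in the external view even when it
# arrives from an internal address. All values are constructed samples.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    source: str                      # client IP the query/AXFR came from
    tsig_key: Optional[str] = None   # name of the TSIG key it was signed with, if any


def element_matches(element: str, req: Request) -> bool:
    """Match one address-match-list element: a prefix, 'any', 'none' or 'key NAME'.
    Only the key name is compared here; real BIND also verifies the HMAC."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element.startswith("key "):
        return req.tsig_key == element.split(None, 1)[1]
    return ipaddress.ip_address(req.source) in ipaddress.ip_network(element, strict=False)


def acl_allows(acl: list[str], req: Request) -> bool:
    """BIND first-match semantics: walk the list in order; the first element that
    matches decides. A negated ('!') match denies, a plain match allows, and a
    list with no matching element denies."""
    for element in acl:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), req):
            return not negated
    return False


def select_view(views: dict[str, list[str]], req: Request) -> Optional[str]:
    """Views are tried in named.conf order; the first whose match-clients allows
    the request serves it. Returns None if no view matches (BIND would refuse)."""
    for name, acl in views.items():
        if acl_allows(acl, req):
            return name
    return None


# Constructed approximation of zirias' view layout, internal view first as in his config.
VIEWS = {
    "internal": ["!key external", "127.0.0.0/8", "192.168.0.0/16", "2001:6f8:13ba::/48"],
    "external": ["key external", "any"],
}


def notify_targets(notify: str, ns_addrs: dict[str, str], soa_mname: str,
                   also_notify: list[str]) -> list[str]:
    """Where a master zone's NOTIFY messages go.
    'explicit': only the also-notify list.
    'yes':      also-notify plus the zone's NS hosts (resolved in this server's
                own view, which is why a view can hand back the public addresses),
                minus the SOA MNAME host, which BIND skips by default (notify-to-soa no).
    'no':       nothing."""
    if notify == "no":
        return []
    targets = list(also_notify)
    if notify == "yes":
        for host, addr in ns_addrs.items():
            if host != soa_mname and addr not in targets:
                targets.append(addr)
    return targets


if __name__ == "__main__":
    # Constructed requests: same internal address, with and without the external key.
    for req in (Request("192.168.91.1"), Request("192.168.91.1", "external"), Request("203.0.113.7")):
        print(req, "->", select_view(VIEWS, req))
    # Constructed NS data: what NOTIFY would see in the external view's zone data.
    ns = {"ns1.example.test": "203.0.113.1", "ns2.example.test": "203.0.113.2"}
    print("notify yes     :", notify_targets("yes", ns, "ns1.example.test", []))
    print("notify explicit:", notify_targets("explicit", ns, "ns1.example.test", ["192.168.91.1"]))
```

The order of the ACL elements is what carries the security property: because "!key external" sits first in the internal view, a signed transfer request from the VPN address is rejected there and falls through to the external view, while an unsigned query from the same address still gets the internal view; and "notify explicit" removes any dependence on which addresses the NS records resolve to.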
 
Old 07-13-2010, 05:06 PM   #6
gdanko
LQ Newbie
 
Registered: Feb 2007
Posts: 28

Original Poster
Rep: Reputation: 15
Figured it out from the FAQ. I love TSIG.

http://www.bind9.net/BIND-FAQ
 