Views and two servers

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Sat Mar 2 10:46:16 UTC 2002 

Hawkins, Michael <MHawkins at tullib.com> wrote:

> I once asked this question and foolishly did not keep the answer. Sorry
> people.

> I have two bind servers. I want them to be primary and secondary for our
> domains in a split DNS configuration so that using views any host on our
> internal network gets answers from db.domain.internal and anyone on the
> internet gets answers from db.domain.external.

Using views and beeing master/slave in the manner you describe 
is difficult.  

Views in itself is a wonderful idea, but it's not "the general solution"
to apply to every nameserver.

I recently reconfigured my own nameserver to get rid of
views and instead used classical acl to enable recusion 
for the ones needing it.

The worst case is using a servers with views, keeping a slave zone
on both outside and inside view. 

Frankly i don't think it's worth the effort.


> I once asked this question and the answer came back that I should configure
> two IP's one each machine and include one IP in the access-list for internal
> and the second IP would hit the other however...

> It does not matter how I configure the secondary it will always get the same
> DB from my primary because it always uses the same source IP to talk to the
> primary. The result is that both the internal and external DB's always end
> up the same.

> How can I configure my secondary to use one IP address for internal and one
> IP address for external domains when talking to the primary?

> My own solution, which I am trying as I write this email, is to...

> configure a totally separate subnet (outside of 172.24.1.0/24) and set the
> secondary named.conf to use the master IP that is on the separate subnet
> thereby making the secondary use the source IP of its own that was also on
> the separate subnet. This then allows the primary to see the secondary as a
> different IP so that the secondary gets replied to with the different
> database.

> Am I right? Is this the only way? Does it work? Does anyone understand what
> I'm saying?

Yes, it took me a few weeks to understand why i had the same problems as you.

In the end i removed the views and ( at least for now) think i have
a better and more manageble nameserver solution for my current setup.





> Thanks

> Mike H



>> -----Original Message-----
>> From:	Mark_Andrews at isc.org [SMTP:Mark_Andrews at isc.org]
>> Sent:	Friday, March 01, 2002 5:43 AM
>> To:	Joaquin J. Domens
>> Cc:	bind
>> Subject:	Re: [BIND 8.3.1]Strange zone resolution 
>> 
>> 
>> > Hi all,
>> > 
>> > I'm having a strange issue with a zone that it's autorithative for us;
>> > ole.com.
>> > 
>> > It's registered in Interdomain for our dns's:
>> > 
>> > DNS1.TERRA.ES                       195.235.96.89
>> > TELELINE.TELELINE.ES          194.224.53.3 (this is an old interface)
>> > 
>> > In our machine it's configured
>> > 
>> > ole.com.                1D IN NS        dns1.terra.es.
>> > ole.com.                1D IN NS        dns2.terra.es.
>> > dns1.terra.es.          1D IN A         195.235.96.89
>> > dns2.terra.es.          1D IN A         195.235.96.90
>> 
>> 	Firstly make the NS records match those you have told the
>> 	parent zone about.  Mismatching NS RRsets cause problems.
>> 
>> > 
>> > 
>> > The strange thing is that locally it resolves the domain Ok, but if  I
>> > query outside dns's I have no response:
>> > 
>> > tdns1:/var/named>dig any ole.com
>> > 
>> > ; <<>> DiG 8.3 <<>> any ole.com
>> > ;; res options: init recurs defnam dnsrch
>> > ;; got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
>> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3
>> > ;; QUERY SECTION:
>> > ;;      ole.com, type = ANY, class = IN
>> > 
>> > ;; ANSWER SECTION:
>> > ole.com.                1D IN MX        10 smtp.ole.com.
>> > ole.com.                1D IN NS        dns1.terra.es.
>> > ole.com.                1D IN NS        dns2.terra.es.
>> > ole.com.                1D IN SOA       dns1.terra.es.
>> > dnsadmin.corp.terra.es. (
>> >                                         2002022800      ; serial
>> >                                         1H              ; refresh
>> >                                         30M             ; retry
>> >                                         1W              ; expiry
>> >                                         12H )           ; minimum
>> > 
>> > 
>> > ;; AUTHORITY SECTION:
>> > ole.com.                1D IN NS        dns1.terra.es.
>> > ole.com.                1D IN NS        dns2.terra.es.
>> > 
>> > ;; ADDITIONAL SECTION:
>> > smtp.ole.com.           1D IN A         195.235.113.142
>> > dns1.terra.es.          1D IN A         195.235.96.89
>> > dns2.terra.es.          1D IN A         195.235.96.90
>> > 
>> > ;; Total query time: 3 msec
>> > ;; FROM: tdns1 to SERVER: default -- 195.235.113.3
>> > ;; WHEN: Fri Mar  1 10:45:29 2002
>> > ;; MSG SIZE  sent: 25  rcvd: 218
>> >
>> ------------------------------------------------------------------------
>> > 
>> > But if i query outsiode dns's ...........
>> > 
>> > tdns1:/var/named>dig any @dns.eresmas.com ole.com
>> > 
>> > ; <<>> DiG 8.3 <<>> any @dns.eresmas.com ole.com
>> > ; (1 server found)
>> > ;; res options: init recurs defnam dnsrch
>> > ;; got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6
>> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> > ;; QUERY SECTION:
>> > ;;      ole.com, type = ANY, class = IN
>> > 
>> > ;; AUTHORITY SECTION:
>> > com.                    2h21m19s IN SOA  A.GTLD-SERVERS.NET.
>> > nstld.verisign-grs.com. (
>> >                                         2002022801      ; serial
>> >                                         30M             ; refresh
>> >                                         15M             ; retry
>> >                                         1W              ; expiry
>> >                                         1D )            ; minimum
>> > 
>> > 
>> > ;; Total query time: 17 msec
>> > ;; FROM: tdns1 to SERVER: dns.eresmas.com  62.81.160.250
>> > ;; WHEN: Fri Mar  1 10:50:43 2002
>> > ;; MSG SIZE  sent: 25  rcvd: 98
>> >
>> ------------------------------------------------------------------------
>> > 
>> > Any idea on this subject???¿?¿?
>> 
>> 	Talk to Network Solutions.  OLE.COM does not appear in the COM
>> 	zone any they are who you have your contract with.
>> 
>> 	Mark
>> > 
>> >             Cheers
>> > 
>> > --
>> > --------------------------------------------------
>> > Joaquin J. Domens
>> > Área de Tecnología
>> > Departamento de Producción / Aplicaciones
>> > --------------------------------------------------
>> > Terra Networks España S.A.
>> > --------------------------------------------------
>> > Mercado Continuo: TRR |  Nasdaq: TRLY
>> > --------------------------------------------------
>> > http://www.terra.es
>> > --------------------------------------------------
>> > 
>> > 
>> > 
>> > 
>> --
>> Mark Andrews, Internet Software Consortium
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>> 
>> 
> <<Disclaimer>>

> This electronic mail is intended only for the use of the addressee(s) named
> herein. Unless otherwise specifically stated, the views contained and
> expressed in this electronic mail are strictly those of the individual
> sender and are not the views of the Company or any of its Directors or other
> employees. If you are not the intended recipient of this electronic mail,
> you are hereby notified that any dissemination, distribution or coping of
> this electronic mail is strictly prohibited. If you received this electronic
> mail in error please immediately notify us by return electronic mail and
> delete this electronic mail from your system. 


-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
	   Remove "icke-reklam" and it works.

More information about the bind-users mailing list