Views not matching for zone transfers, work otherwise

Chris Cameron chris at upnix.com
Thu Jun 24 01:52:29 UTC 2004


First of all, I'd like to say I've read the FAQ.


Put as simply as possible, I have 2 views. One resolves internal 
addresses for a domain, one resolves external addresses for the same 
domain.

Normal DNS queries get into their proper views just fine. Internal IPs 
get internal resolution, external IPs get external IPs. 

However, when it comes to zone transfers everything tries to get into 
the external view, and if allowed, will return the external view's 
domain, regardless of what I do.

Even if I explicitly state exact IPs in the views (with match-clients); 
exact IP listed in the right view, denied in the wrong one, I just get 
"Transfer Failed". I've verified with tcpdump and the proper IPs are 
the ones being used to retrieve the zones.


Is there a known trick I'm missing here?



More detailed explanation:

Have a domain that has 2 views for internal resolving and external 
resolving. To do this I have three DNS servers. One is the external 
primary master, one is the internal slave, and the third is the 
internal master and external slave.

Works fine except for when it comes to zone transfers, where the master 
for the internal domain won't make it into the internal view, and tries 
to send me the external slave zone.




Should note that all the zone transfers are done internally. The 
external DNS is accessed via static NAT.

192.168.121.10	-	Internal Master (Same server as below)
192.168.121.11	-	External Slave
192.168.120.10	-	External Master
192.168.120.50	-	Internal Slave


named.conf on 192.168.121.10/11:
-------------------
include "/etc/rndc.key";

options {
	directory "/var/named";
	version "";
	listen-on { any; };
};

acl clients {
	192.168.121.0/24;
	192.168.120.0/24;
	localhost;
};

logging {
	category lame-servers { null; };
};

view "internal-resolve" {
	match-clients { !192.168.120.10; !192.168.121.11; clients; };
	match-recursive-only yes;
	notify-source 192.168.121.10;
	transfer-source 192.168.121.10;
	query-source address 192.168.121.10;
//	allow-transfer {
//		192.168.120.50;
//	};

	zone  "domain.com" {
		type master;
		file  "local/db.domain.com";
	};
};

view "external-resolve" {
	match-clients { 192.168.120.10; any; };
	recursion no;
	additional-from-auth no;
	additional-from-cache no;
	notify-source 192.168.121.11;
	transfer-source 192.168.121.11;
	query-source address 192.168.121.11;
//	allow-transfer {
//		192.168.120.10;
//	};

	zone "domain.com" {
		type slave;
		masters { 192.168.120.10; };
		file  "slave/bak.domain.com";
	};
};



named.conf on 192.168.120.50:
-------------------
options {
        directory        "/namedb";
};

...

view "internal-resolve" {
	match-clients { !192.168.121.11; any; };
	match-recursive-only yes;
	notify-source 192.168.120.50;
	transfer-source 192.168.120.50;
	query-source address 192.168.120.50;

	zone "domain.com" in {
		type slave;
		file "bak.domain.com";
		masters { 192.168.121.10; };
	};
};



On 192.168.120.50:

</opt/named/namedb> $ dig @192.168.121.10 domain.com axfr

; <<>> DiG 9.2.2 <<>> @192.168.121.10 domain.com axfr
;; global options:  printcmd

... Lists external zone ...

;; Query time: 37 msec
;; SERVER: 192.168.121.10#53(192.168.121.10)
;; WHEN: Wed Jun 23 19:29:32 2004
;; XFR size: 21 records

</opt/named/namedb> $
</opt/named/namedb> $ host www.domain.com 192.168.121.10
Using domain server:
Name: 192.168.121.10
Address: 192.168.121.10#53
Aliases:

www.domain.com has address 192.168.120.10
</opt/named/namedb> $ 


Using 192.168.121.11 for all the queries above brings back the same 
results.


So, I can only assume that the views are working because normal queries 
from the same servers bring back the appropriate record. Why is it that zone 
transfers all try to come from the external slave?



Any help or ideas would be appreciated. I'd also gladly give more detail 
if there's something I've missed here.

Running BIND 9.2.1 on 192.168.121.10/11 and BIND 9.2.2 on the other two.


Chris


-- 
Chris Cameron
UpNIX Internet Administrator
ardvark.upnix.net
gak.upnix.net
--
http://www.upnix.com
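As an added illustration, not part of the original post: a Python model of BIND 9's view-selection rules (views tried in named.conf order; first-match ACLs with `!` negation; `match-recursive-only yes`, which only admits queries that have the RD bit set) applied to the `match-clients` lists posted for 192.168.121.10. A zone-transfer request is not a recursive query, so it can never match `internal-resolve` and falls through to `external-resolve`, which is exactly the behaviour described above.

```python
# Added example, not from the original post: models how named picks a view.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

def acl_match(acl: List[str], src: str) -> bool:
    """BIND ACL semantics: elements are tested in order and the first one
    that matches decides; a matching '!' element rejects the address."""
    ip = ip_address(src)
    for elem in acl:
        negate = elem.startswith("!")
        pattern = elem.lstrip("!")
        if pattern == "any":
            hit = True
        elif pattern == "localhost":
            hit = ip.is_loopback
        else:
            hit = ip in ip_network(pattern, strict=False)
        if hit:
            return not negate
    return False  # nothing matched: implicit deny

@dataclass
class View:
    name: str
    match_clients: List[str]
    match_recursive_only: bool = False

def select_view(views: List[View], src: str, rd: bool) -> Optional[str]:
    """Views are tried in named.conf order. A view with match-recursive-only
    is skipped for any query whose RD bit is clear, before match-clients
    is even consulted."""
    for v in views:
        if v.match_recursive_only and not rd:
            continue
        if acl_match(v.match_clients, src):
            return v.name
    return None  # named would refuse the query

# The "clients" acl from the posted config, expanded inline.
CLIENTS = ["192.168.121.0/24", "192.168.120.0/24", "localhost"]
VIEWS = [
    View("internal-resolve", ["!192.168.120.10", "!192.168.121.11"] + CLIENTS, True),
    View("external-resolve", ["192.168.120.10", "any"]),
]

if __name__ == "__main__":
    # A recursive lookup from the internal slave (RD=1) lands in the internal
    # view; its AXFR request (RD=0) can only ever match the external view.
    print(select_view(VIEWS, "192.168.120.50", rd=True))   # internal-resolve
    print(select_view(VIEWS, "192.168.120.50", rd=False))  # external-resolve
```

With `match_recursive_only` set to False on the internal view, the same RD=0 request from 192.168.120.50 returns internal-resolve, so the two transfer peers would then be separated by source address alone.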

