using $INCLUDE with views

Bill Moseley moseley at hank.org
Mon Oct 9 17:35:47 UTC 2006 

On Mon, Oct 09, 2006 at 07:12:26PM +0300, Stefan Puiu wrote:
> your post is a bit confusing, since you seem to be mixing up views
> with master/slave operation - the two are different issues, as Barry
> pointed out.

No, I don't think I'm mixing them up.  I'm using the views so my
internal LAN sees a (slightly) different zone than the rest of the
world.

What I did do *in error* was copy my master's zone file to the slave
as a template and then modified it as the slave. I, for some crazy
reason, left in the views in the slave but changed each zone to "type
slave".

So, what seems to have happened is when I updated the master the save
would see the notification, but then only reloaded its "internal" view
and not the "external" view.  So, requests to that slave from external
sources never say the updated zone.  Oops.

It was that mistake along with the issue below that made me wonder
about how the serial number is tested with views (when used correctly
in the master, that is).

It's not worth discussion since it's an error that has now been
corrected.

> >I moved the SOA out of the common file and into each of the two zone
> >files and then it worked fine.
> >
> >Was that because I had two zone files (for the same domain) with the
> >same SOA serial number?
> 
> One thing that comes to my mind is that the SOA has to be the first
> record in any zone file. So if you $include the SOA file at the end of
> one of the zones, for example, it won't work. Check your system logs
> for any complaints from BIND.

Nothing was reported in the logs other than normal startup and
transfer notifications.  And the SOA was the first record in the
included file.


That is, the zones looked like this:

    ; Hank.org external zone file
    $INCLUDE /etc/bind/hank.org.common

                    ; External zone sees extra NS servers
                    1D IN NS        ns1.twisted4life.com.
                    1D IN NS        lucifer.logilune.com.



    ; Hank.org internal zone file
    $INCLUDE /etc/bind/hank.org.common

                    ; Internal Zone sees internal machines
    bumby           1D IN NS        192.168.1.22
    ap              1D IN NS        192.168.1.10
    dev1            1D IN NS        192.168.1.4

And the hank.org.common file starts like this (SOA is first record):

@                   1D IN SOA       ns1      root (
                                    2006100806      ; serial
                                    6H              ; refresh
                                    1H              ; retry
                                    1W              ; expiry
                                    1D )            ; minimum

                    ;; hank.org's IP number
                    1D IN A         63.205.225.170
                    [... more records common to both zones ...]



When done that way bind starts normally with no errors in the logs,
and on the internal LAN I can run:

    $ dig axfr @63.205.225.170 hank.org

and see the "internal" zone, but when run on a remote
machine I get:

    $ dig axfr @63.205.225.170 hank.org

    ; <<>> DiG 9.2.4 <<>> axfr @63.205.225.170 hank.org
    ;; global options:  printcmd
    ; Transfer failed.

Putting the SOA in *each* zone file solved that problem and I can now
axfr from a remote machine.

But, I think it makes sense that the SOA would have to be in the zone
file and not the $included one -- as any changes in the top zone file
would require a serial number bump, and, of course, changes can happen
in the internal view of a zone and not in the external view.



-- 
Bill Moseley
moseley at hank.org

More information about the bind-users mailing list