bind views and AXFR

Hays, Ken hays at otc.fsu.edu
Wed Aug 20 23:36:46 UTC 2008


Use of TSIG keys can make it quite straightforward.

One comment wrt the BIND ARM discussion of TSIG - 
The keys are not sensitive to what network addresses are used. 
I am using two keys (one for each view) to control transfers from 
a master to two slaves. Exercise care putting the 
 allow-transfer { key keyname ; } ; and 
 server IP.AD.DRE.SS { keys keyname ; } ; 
in the views to have each view able to transfer from the master.

Good luck, Ken

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Petersen, Kirsten J - NET
Sent: Wednesday, August 20, 2008 5:49 PM
To: bind-users at isc.org
Subject: bind views and AXFR

I may already know the answer to this, but I'm looking for some
confirmation.  Is it not possible to do bind views via a slave server?
In other words, does AXFR just transfer the view that the slave can see
and nothing more?

We have an in-house application that we use to build our dns configs.
I'd like to be able to build to a master server and then have the slaves
do AXFR to get updates from it.  The alternative is to push new zone
files out to the name servers directly and do reloads all the time,
which seems more dangerous.  In the first scenario, if we do something
that causes named on the master to fail to start, at least the slaves
will still be answering queries.

However, we were also hoping to implement views so that we can hide dns
for our private address space from the world.  But I'm thinking now that
I can't do both of these things.

Suggestions welcome.  :)

________________
Kirsten Petersen
Network Services * Oregon State University
http://oregonstate.edu/net * irc.oregonstate.edu #osu-is
"Paper doesn't grow on trees."





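The two-key arrangement described in the reply, written out as an added example (not configuration from the thread or from the BIND ARM). The key names, the master address 192.0.2.1, the 10.0.0.0/8 internal range, the zone name, the file paths and the secrets are all placeholders chosen for illustration.

```bind
// ---- both servers: one TSIG key per view (placeholder secrets) ----
key "xfer-internal" { algorithm hmac-sha256; secret "PLACEHOLDER-INTERNAL-SECRET"; };
key "xfer-external" { algorithm hmac-sha256; secret "PLACEHOLDER-EXTERNAL-SECRET"; };

// ---- master (assumed address 192.0.2.1) ----
view "internal" {
    // The key, not the source address, selects the view for a transfer:
    // a request signed with the external key is pushed past this view
    // even if the slave sits inside 10.0.0.0/8.
    match-clients { !key xfer-external; key xfer-internal; 10.0.0.0/8; };
    allow-transfer { key xfer-internal; };
    zone "example.com" { type master; file "internal/example.com.db"; };
};
view "external" {
    match-clients { any; };
    // Only holders of the external key can pull the public copy.
    allow-transfer { key xfer-external; };
    zone "example.com" { type master; file "external/example.com.db"; };
};

// ---- slave ----
view "internal" {
    match-clients { 10.0.0.0/8; };
    // Sign everything this view sends to the master with the internal key.
    server 192.0.2.1 { keys xfer-internal; };
    allow-transfer { none; };
    zone "example.com" {
        type slave;
        masters { 192.0.2.1; };
        // Distinct file per view so the two copies never overwrite each other.
        file "slaves/internal.example.com.db";
    };
};
view "external" {
    match-clients { any; };
    server 192.0.2.1 { keys xfer-external; };
    allow-transfer { none; };
    zone "example.com" {
        type slave;
        masters { 192.0.2.1; };
        file "slaves/external.example.com.db";
    };
};
```

Because `allow-transfer` lists only a key in each master view, an unsigned AXFR request is refused in both views, and the private zone data is reachable only by a server holding `xfer-internal`.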