Multi-home IP address on master NS for Split DNS and multiple views on slave?

Kevin Darcy kcd at chrysler.com
Thu Dec 4 03:00:59 UTC 2008


will wrote:
> For bureaucratic reasons I cannot multi-home the slave name server;
> however, I can multi-home the master name server.
>
> I understand from reading the 'DNS for Rocket Scientist' that when
> using a 'view' statement to set up a split DNS to control visibility
> that the slave servers for each zone will be resolved in the context
> of the first view that it matches, based on its IP address. However,
> if I multi-home or 'alias' the IP address on the 'slave' NS we can get
> the multiple views of the same zone.
>
> Will the logic still work no matter if the destination or source IP
> addresses differ?
>
> Can we multi-home the master name server instead, and the slaves still
> get the multiple views (as long as the 'notify-source' is a different
> IP address)?
>
As per the ARM, one can select views based on:
a) source address ("match-clients" with address parameter(s)), and/or
b) destination address ("match-destinations" with address parameter(s)), and/or
c) TSIG key ("match-clients" or "match-destinations" with key parameter(s)), and/or
d) the setting of the RD (Recursion Desired) bit on the request ("match-recursive-only")

Since apparently you can't vary the source address of the slave's 
requests, and RD is irrelevant for zone transfers -- it's always off -- 
it seems that (b) and/or (c) are your remaining options.

Note that selecting views via TSIG keys also has the additional benefits of
(1) protecting against most forms of address spoofing, and
(2) greater flexibility in re-addressing nameservers

The main downside is that TSIG requires some extra up-front 
configuration, to generate and install the keys.

- Kevin
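
One way to lay out option (c) from the reply above, as an added example that is not part of the original thread: each view has its own TSIG key, so a slave with a single address can still transfer both versions of the zone. The addresses 10.0.0.1 (master) and 10.0.0.2 (slave), the key names, the zone name and the file paths are constructed, and the secrets are placeholders.

```conf
// Added example: constructed names and addresses, placeholder secrets.
// ---- Key definitions, identical on master and slave ----
key "xfer-internal" { algorithm hmac-sha256; secret "BASE64-SECRET-PLACEHOLDER-1"; };
key "xfer-external" { algorithm hmac-sha256; secret "BASE64-SECRET-PLACEHOLDER-2"; };

// ---- named.conf on the master (10.0.0.1) ----
view "internal" {
    // Reject the external key first; otherwise the slave's external
    // transfer request would match this view by its 10.x source address.
    match-clients { !key "xfer-external"; key "xfer-internal"; 10.0.0.0/8; };
    server 10.0.0.2 { keys "xfer-internal"; };   // sign NOTIFYs sent from this view
    zone "example.com" {
        type master;
        file "internal/example.com.db";
        allow-transfer { key "xfer-internal"; };
    };
};
view "external" {
    match-clients { key "xfer-external"; any; };
    server 10.0.0.2 { keys "xfer-external"; };
    zone "example.com" {
        type master;
        file "external/example.com.db";
        allow-transfer { key "xfer-external"; };
    };
};

// ---- named.conf on the slave (10.0.0.2, single address) ----
view "internal" {
    match-clients { !key "xfer-external"; key "xfer-internal"; 10.0.0.0/8; };
    server 10.0.0.1 { keys "xfer-internal"; };   // sign SOA queries and transfers
    zone "example.com" {
        type slave;
        masters { 10.0.0.1; };
        file "slave/internal.example.com.db";
    };
};
view "external" {
    match-clients { key "xfer-external"; any; };
    server 10.0.0.1 { keys "xfer-external"; };
    zone "example.com" {
        type slave;
        masters { 10.0.0.1; };
        file "slave/external.example.com.db";
    };
};
```

Because the key, not the address, picks the view on both sides, a signed NOTIFY from the master lands in the matching view on the slave, and either server can be re-addressed by changing only the "server" and "masters" lines.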



