Basic setup question for a master / slave setup with views...
Jim Bucks
jbucks at coloradostudios.com
Tue Feb 5 03:16:57 UTC 2008
Chris Buxton wrote:
> So now you know that the problem is in your view definitions and their
> match-* statements. Since you have not shared those with the class,
> there's nothing more we can tell you.
>
> Chris Buxton
> Professional Services
> Men & Mice
> Address: Noatun 17, IS-105, Reykjavik, Iceland
> Phone: +354 412 1500
> Email: cbuxton at menandmice.com
> www.menandmice.com
>
>
> On Feb 4, 2008, at 12:10 PM, Jim Bucks wrote:
>
>> additional info on the querylog.....
>>
>> Jim Bucks wrote:
>>> Hello Mark, (posted & mailed)
>>>
>>> Sorry for the delay in responding (been juggling / dropping a lot of
>>> balls lately).....
>>>
>>> Mark Andrews wrote:
>>>>> Hello All,
>>>>>
>>>>> I'm trying to "get this done on the weekends" a couple of new named
>>>>> servers into production mode - and am stuck on a couple of problems:
>>>>>
>>>>>
>>>>> Here's what I'm running on both boxes.
>>>>> Fedora Core 7 Linux 2.6.23.8-34.fc7 i686 i686 i386
>>>>> BIND 9.4.2
>>>>>
>>>>>
>>>>> The internal views appear to be working ok (at least they're creating
>>>>> all the zone files in the internal directories on the slave server -
>>>>> have not checked if they update changes).
>>>>>
>>>>>
>>>>> The external views are confusing me. Three of the zones files appear
>>>>> to work, but the others (15) throw this error in the slave server's
>>>>> log:
>>>>>
>>>>> zone yyyyyyyyyyyy.yyy/IN/external: refresh: non-authoritative
>>>>> answer from master xxx.xxx.xxx.xxx#53 (source 0.0.0.0#0)
>>>>
>>>> This is from the client receiving a response to a SOA query
>>>> for the zone which doesn't have the AA bit set.
>>>>
>>>> dig -b 0.0.0.0 yyyyyyyyyyyy.yyy soa +norec @xxx.xxx.xxx.xxx
>>>>
>>>> on the slave to reproduce the query.
>>>>
>>>
>>> Well, here's the dig results from the slave server:
>>> dig -b 0.0.0.0 1080p.com soa +norec @67.134.161.162
>>>
>>> ; <<>> DiG 9.4.2 <<>> -b 0.0.0.0 1080p.com soa +norec @67.134.161.162
>>> ;; global options: printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15269
>>> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
>>>
>>> ;; QUESTION SECTION:
>>> ;1080p.com. IN SOA
>>>
>>> ;; AUTHORITY SECTION:
>>> . 276068 IN NS K.ROOT-SERVERS.NET.
>>> . 276068 IN NS G.ROOT-SERVERS.NET.
>>> . 276068 IN NS F.ROOT-SERVERS.NET.
>>> . 276068 IN NS C.ROOT-SERVERS.NET.
>>> . 276068 IN NS B.ROOT-SERVERS.NET.
>>> . 276068 IN NS M.ROOT-SERVERS.NET.
>>> . 276068 IN NS J.ROOT-SERVERS.NET.
>>> . 276068 IN NS E.ROOT-SERVERS.NET.
>>> . 276068 IN NS H.ROOT-SERVERS.NET.
>>> . 276068 IN NS A.ROOT-SERVERS.NET.
>>> . 276068 IN NS I.ROOT-SERVERS.NET.
>>> . 276068 IN NS L.ROOT-SERVERS.NET.
>>> . 276068 IN NS D.ROOT-SERVERS.NET.
>>>
>>> ;; ADDITIONAL SECTION:
>>> A.ROOT-SERVERS.NET. 362468 IN A 198.41.0.4
>>> F.ROOT-SERVERS.NET. 362468 IN A 192.5.5.241
>>> B.ROOT-SERVERS.NET. 362468 IN A 192.228.79.201
>>> K.ROOT-SERVERS.NET. 362468 IN A 193.0.14.129
>>> I.ROOT-SERVERS.NET. 362468 IN A 192.36.148.17
>>> G.ROOT-SERVERS.NET. 362468 IN A 192.112.36.4
>>> E.ROOT-SERVERS.NET. 362468 IN A 192.203.230.10
>>> M.ROOT-SERVERS.NET. 362468 IN A 202.12.27.33
>>> J.ROOT-SERVERS.NET. 362468 IN A 192.58.128.30
>>> L.ROOT-SERVERS.NET. 362468 IN A 199.7.83.42
>>> C.ROOT-SERVERS.NET. 362468 IN A 192.33.4.12
>>> D.ROOT-SERVERS.NET. 362468 IN A 128.8.10.90
>>> H.ROOT-SERVERS.NET. 362468 IN A 128.63.2.53
>>>
>>> ;; Query time: 29 msec
>>> ;; SERVER: 67.134.161.162#53(67.134.161.162)
>>> ;; WHEN: Mon Feb 4 08:23:10 2008
>>> ;; MSG SIZE rcvd: 446
>>>
>>>>> NO errors being logged on the master server.
>>>>
>>>> Do you have the zones configured in the external view on the
>>>> master?
>>>>
>>>
>>> I do believe so. I have run named-checkconf (named.conf files on master &
>>> slave servers) and named-checkzone (every external and internal forward &
>>> reverse zone file) against all files. I'm not getting any errors when
>>> running these.
>>>
>>>> Are you sure the slave is talking to the right view at the
>>>> right time. Check the query log (enable if need be).
>>>>
>>>
>>> Not sure about this one. I'll do some reading on this.
>>>
>>
>> ok, now, I'm confused / back to thinking it's a "silly syntax typo"...
>>
>> Here's what the MASTER server's saying...
>> Feb 4 12:51:00 dns02 named[16847]: client 67.134.161.163#32786: view
>> internal: query: 1080p.com IN SOA -E
>> Feb 4 12:52:42 dns02 named[16847]: client 67.134.161.163#32786: view
>> internal: query: 1080p.com IN SOA -E
>>
>> 1080p.com is not in the internal zone directory. It's only in the
>> external zone directory.
>>
>>
>> Here's what the SLAVE server's saying...
>> Feb 4 13:03:16 dns03 named[11347]: zone 1080p.com/IN/external: refresh:
>> non-authoritative answer from master 67.134.161.162#53 (source 0.0.0.0#0)
>>
>>> Thanks for the ideas.
>>>
>>> Jim
>>>
>>>>> I have checked spelling, removed / relaxed "security" settings
>>>>> (match-clients & match-destinations) and added explicit "allow's"
>>>>> (allow-update and allow-transfer) to no avail.
>>>>>
>>>>> Any thoughts on this that might help? I can provide copies of the
>>>>> zones files as well as the master & slave named.conf files.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jim
>>>>>
Sorry, I really have been trying to resolve this on my own. I greatly
reduced the number of zones this afternoon in a failed attempt to try
and get this working. I also got rid of the acl entries (using hard
coded IP addresses for now).
I'm still getting the same results as I reported earlier.
Thanks,
Jim
Here is the named.conf from the master server (less the "key" strings)
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
// 2007 Dec 14 Jim Bucks - initial setup
// This is the MASTER / PRIMARY DNS configuration file.
//
// Change Log
//
//
acl dns_slaves {
67.134.161.163;
};
acl stapleton_hosts {
192.9.200.0/24;
127.0.0.1;
172.20.24.0/21;
67.134.161.0/24;
};
options
{
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
query-source port 53;
//query-source-v6 port 53;
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
allow-query { stapleton_hosts; };
// allow-query {192.9.200.0/24;172.20.24.0/21;67.134.161.163/24;}; // need to add the other local nets
dump-file "data/cache_dump.db";
zone-statistics yes;
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
also-notify { 67.134.161.163; };
};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
// Filter out any LAME server messages from cluttering up the SYSLOGs
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view localhost_resolver {
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
match-destinations { localhost; };
recursion yes;
# all views must contain the root hints zone:
//include "/etc/named.root.hints";
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
// include "internal/named.rfc1912.zones";
};
view internal {
/* This view will contain zones you want to serve only to "internal" clients
* that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
zone "." {
type hint;
file "internal/root.hints";
};
// all views must contain the root hints zone:
//include "internal/root.hints";
//include "internal/named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
zone "den.coloradostudios.com" {
type master;
allow-transfer { 67.134.161.163; };
file "internal/db.den.coloradostudios.com";
};
zone "200.9.192.in-addr.arpa" {
type master;
allow-transfer { 67.134.161.163; };
file "internal/db.192.9.200";
};
// //zone "my.internal.zone" {
// type master;
// file "my.internal.zone.db";
// };
// zone "my.slave.internal.zone" {
// type slave;
// file "slaves/my.slave.internal.zone.db";
// masters { /* put master nameserver IPs here */ 127.0.0.1; };
// // put slave zones in the slaves/ directory so named can update them
// };
// zone "my.ddns.internal.zone" {
// type master;
// allow-update { key ddns_key; };
// file "slaves/my.ddns.internal.zone.db";
// // put dynamically updateable zones in the slaves/ directory so named can update them
// };
};
key rndc_key
{
algorithm hmac-md5;
secret "snipped";
};
key ddns_key
{
algorithm hmac-md5;
secret "snipped";
//secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view external
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
allow-transfer { 67.134.161.163; }; # allow "hosts in acl "dns_slaves" to transfer zones
// match-clients { !localnets; !localhost; };
// match-clients { localnets; !localhost; };
match-clients { "any"; };
// match-destinations { localnets; !localhost; };
// match-destinations { !localnets; !localhost; };
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
// all views must contain the root hints zone:
//include "/etc/named.root.hints";
// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:
zone "hd.net" {
type master;
allow-transfer { 67.134.161.163; };
file "external/db.hd.net";
};
zone "1080p.com" {
type master;
allow-transfer { 67.134.161.163; };
file "external/db.1080p.com";
};
// Deleted all the other external zones files from here until
// after can get the 1080p.com files to replicate to slave.
zone "161.134.67.in-addr.arpa" {
type master;
allow-transfer { 67.134.161.163; };
file "external/db.67.134.161";
};
// zone "my.external.zone" {
// type master;
// file "my.external.zone.db";
// };
};
//include "/etc/bind/logging";
And, here's the named.conf (also with the keys snipped) from the slave
server.
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
// 2007 Dec 14 Jim Bucks - initial setup
// This is the SECONDARY / SLAVE DNS configuration file.
//
acl dns_masters {
67.134.161.162;
};
// This is a list of `Stapleton' networks.
acl stapleton_hosts {
192.9.200.0/24;
127.0.0.1;
172.20.24.0/21;
67.134.161.0/24;
};
options
{
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
query-source port 53;
//query-source-v6 port 53;
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
//allow-query {192.9.200.0/24;172.20.24.0/21;}; // need to add the other local nets
//allow-query {192.9.200.0/24;172.20.24.0/21;67.134.161.0/24;}; // need to add the other local nets
allow-query { "stapleton_hosts"; }; // need to add the other local nets
dump-file "data/cache_dump.db";
zone-statistics yes;
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
// Filter out any LAME server messages from cluttering up the SYSLOGs
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view localhost_resolver {
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
match-destinations { localhost; };
recursion yes;
# all views must contain the root hints zone:
//include "/etc/named.root.hints";
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
//include "/etc/named.rfc1912.zones";
};
view internal {
/* This view will contain zones you want to serve only to "internal" clients
* that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
zone "." {
type hint;
file "slaves/internal/root.hints";
};
// all views must contain the root hints zone:
//include "/etc/named.root.hints";
//include "/etc/named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
zone "den.coloradostudios.com" {
type slave;
masters { 67.134.161.162; };
file "slaves/internal/db.den.coloradostudios.com";
};
zone "200.9.192.in-addr.arpa" {
type slave;
masters { 67.134.161.162; };
file "slaves/internal/db.192.9.200";
};
// //zone "my.internal.zone" {
// type master;
// file "my.internal.zone.db";
// };
// zone "my.slave.internal.zone" {
// type slave;
// file "slaves/my.slave.internal.zone.db";
// masters { /* put master nameserver IPs here */ 127.0.0.1; };
// // put slave zones in the slaves/ directory so named can update them
// };
// zone "my.ddns.internal.zone" {
// type master;
// allow-update { key ddns_key; };
// file "slaves/my.ddns.internal.zone.db";
// // put dynamically updateable zones in the slaves/ directory so named can update them
// };
};
key rndc_key
{
algorithm hmac-md5;
secret "snip";
};
key ddns_key
{
algorithm hmac-md5;
secret "snip";
//secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view external {
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
match-clients { dns_masters; };
match-destinations { dns_masters; };
// match-clients { !localnets; !localhost; };
// match-destinations { !localnets; !localhost; };
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
// all views must contain the root hints zone:
//include "/etc/named.root.hints";
// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:
zone "hd.net" {
type slave;
masters { 67.134.161.162; };
file "slaves/external/db.hd.net";
};
zone "1080p.com" {
type slave;
masters { 67.134.161.162; };
file "slaves/external/db.1080p.com";
};
// Deleted all the other external zones files from here until
// after can get the 1080p.com files to replicate to slave.
zone "161.134.67.in-addr.arpa" {
type slave;
masters { 67.134.161.162; };
file "slaves/external/db.67.134.161";
};
// zone "my.external.zone" {
// type master;
// file "my.external.zone.db";
// };
};
//include "/etc/bind/logging";
--
Jim Bucks - IT/IS Support www.coloradostudios.com
2400 N. Ulster St. Denver, CO 80238 Main 303-388-8500
jbucks at coloradostudios.com DiD 303-542-5520
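Editor's note, an added example that is not part of the thread above and not the poster's configuration. The master's query log already shows what is wrong: the slave at 67.134.161.163 sits on the master's own 67.134.161.0/24 interface subnet, so "localnets" in "view internal" matches it first and "view external" (listed later, with match-clients { "any"; }) is never reached. The internal view has no 1080p.com zone, so it answers the non-recursive SOA query from cache with a referral to the root, which is exactly the non-AA response the slave logs as "non-authoritative answer from master". The slave has the mirror-image problem: the master's NOTIFYs arrive from an address its own "localnets" covers, and its external view's match-destinations { dns_masters; } names the master's address rather than any address of the slave itself, so that view can never match incoming traffic. The usual fix is to select the view by TSIG key instead of by address. The two fragments below (master first, then the slave, split at the "slave" comment; one file cannot define the same key twice) keep the page's addresses, zone names and file paths but trim the zone lists; the key names and the placeholder secrets are assumptions. Generate each secret with dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST external-key (the Key: line of the .private file) and install the same secret on both servers.

```conf
// Added example: master (67.134.161.162). Key names and secrets are placeholders.
key "internal-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-1";
};
key "external-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-2";
};
acl stapleton_hosts { 192.9.200.0/24; 127.0.0.1; 172.20.24.0/21; 67.134.161.0/24; };

options {
    directory "/var/named";
    allow-query { stapleton_hosts; };
    also-notify { 67.134.161.163; };
};

view "internal" {
    // A request signed with external-key must NOT land here even though the
    // slave's address is inside localnets: the leading negated key rejects it
    // and BIND then tries the next view.
    match-clients { !key external-key; key internal-key; localnets; };
    match-destinations { localnets; };
    recursion yes;
    // Sign NOTIFY and zone traffic to the slave so its internal view receives it.
    server 67.134.161.163 { keys { internal-key; }; };
    zone "." { type hint; file "internal/root.hints"; };
    zone "den.coloradostudios.com" {
        type master;
        file "internal/db.den.coloradostudios.com";
        allow-transfer { key internal-key; };
    };
};

view "external" {
    // Listed after internal, so it sees what internal refused plus outsiders.
    match-clients { key external-key; any; };
    recursion no;
    server 67.134.161.163 { keys { external-key; }; };
    zone "1080p.com" {
        type master;
        file "external/db.1080p.com";
        allow-transfer { key external-key; };
    };
};

// ---- slave (67.134.161.163): same two keys with the same secrets ----
key "internal-key" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET-1"; };
key "external-key" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET-2"; };

view "internal" {
    match-clients { !key external-key; key internal-key; localnets; };
    match-destinations { localnets; };
    recursion yes;
    // Sign SOA refresh queries and AXFR/IXFR requests to the master so they
    // are answered from the master's internal view.
    server 67.134.161.162 { keys { internal-key; }; };
    zone "." { type hint; file "slaves/internal/root.hints"; };
    zone "den.coloradostudios.com" {
        type slave;
        masters { 67.134.161.162; };
        file "slaves/internal/db.den.coloradostudios.com";
    };
};

view "external" {
    // Select by key, not by the master's address: 67.134.161.162 is also in
    // localnets and would otherwise be captured by the internal view above.
    match-clients { key external-key; any; };
    recursion no;
    server 67.134.161.162 { keys { external-key; }; };
    zone "1080p.com" {
        type slave;
        masters { 67.134.161.162; };
        file "slaves/external/db.1080p.com";
    };
};
```

After named-checkconf and rndc reload on both servers, repeat the diagnostic from the thread, but signed: dig -y hmac-sha256:external-key:<secret> -b 0.0.0.0 1080p.com soa +norec @67.134.161.162 should now come back with "flags: qr aa" and a single SOA in the answer section, and the master's query log should attribute the query to "view external"; rndc retransfer 1080p.com IN external on the slave then forces the first transfer. The example also leaves out query-source port 53 from options: pinning the source port removes the per-query source-port randomization that later BIND releases use to make spoofed answers to recursive lookups harder, and the internal views here do recurse.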