Basic setup question for a master / slave setup with views...

Kevin Darcy kcd at chrysler.com
Tue Feb 5 03:22:15 UTC 2008


1080p.com is defined in the "external" view, but when the slave attempts 
to refresh, it matches the "internal" view, in which 1080p.com is 
non-authoritative.

You might need to be a little more granular than just "localnets" as the 
match-clients for your "internal" view. Make an exception for hosting 
nameservers at the same "layer" as the master box.

If your slave has multiple interfaces, on different networks, you might 
also want to look at "transfer-source" to ensure that it's using the 
appropriate source addresses.

                                    - Kevin
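Kevin's diagnosis, worked through in code. This is an added example, not code from the thread or from BIND itself: a small Python model of how named chooses a view (the first view whose match-clients and match-destinations ACLs both accept the query, with first-match ACL semantics where a `!` element rejects and an unmatched address is rejected). The thread never lists the master's interfaces, so the assumption that dns02 has an interface in 67.134.161.0/24 (the prefix from the posted stapleton_hosts acl) is the example's own; under that assumption the slave's address falls inside `localnets`, which is exactly why its SOA refresh shows up under view internal in the master's query log. The `dns_slaves` acl and all addresses come from the posted named.conf.

```python
"""Simulate BIND 9 view selection for the slave's zone-refresh SOA query.

Added example, not code from the bind-users thread. It models how named
chooses the first view whose match-clients AND match-destinations ACLs
both accept a query, using BIND's ACL rules: elements are tested in
order, the first element that matches decides ('!' means reject), and
an address matching no element is rejected. The builtins 'localhost'
and 'localnets' are derived from the server's interface list, which the
thread never posts, so the list below is an assumption.
"""
import ipaddress

# Assumed interface list for the master (dns02). 67.134.161.0/24 is the
# prefix that appears in the posted stapleton_hosts acl; the loopback is
# standard. Both entries are constructed for this example.
MASTER_INTERFACES = ["127.0.0.1/8", "67.134.161.162/24"]
MASTER_ADDR = "67.134.161.162"   # masters { ... } in the slave's named.conf
SLAVE_ADDR = "67.134.161.163"    # client address in the master's query log

# Named ACLs from the master's named.conf (only the one the fix needs).
NAMED_ACLS = {"dns_slaves": ["67.134.161.163"]}


def _builtin_nets(name, interfaces):
    """Expand BIND's builtin ACL names into networks; None if not builtin."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name == "none":
        return []
    if name == "localhost":      # every address the server has
        return [ipaddress.ip_network(i.split("/")[0]) for i in interfaces]
    if name == "localnets":      # every subnet the server sits on
        return [ipaddress.ip_network(i, strict=False) for i in interfaces]
    return None


def acl_allows(acl, addr, interfaces, named_acls=NAMED_ACLS):
    """First-match ACL evaluation: True if addr is accepted by the list."""
    ip = ipaddress.ip_address(addr)
    for element in acl:
        negated = element.startswith("!")
        name = element.lstrip("!").strip().strip('"')
        if name in named_acls:   # nested acl: match if the nested list accepts
            matched = acl_allows(named_acls[name], addr, interfaces, named_acls)
        else:
            nets = _builtin_nets(name, interfaces)
            if nets is None:     # literal address or prefix
                nets = [ipaddress.ip_network(name, strict=False)]
            matched = any(ip in net for net in nets)
        if matched:
            return not negated   # first matching element decides
    return False                 # nothing matched: BIND rejects


def select_view(views, src, dst, interfaces):
    """Return the name of the first view accepting the (src, dst) pair."""
    for name, clients, destinations in views:
        if acl_allows(clients, src, interfaces) and acl_allows(destinations, dst, interfaces):
            return name
    return None


# The master's views as posted (match-destinations defaults to any when absent).
VIEWS_AS_POSTED = [
    ("localhost_resolver", ["localhost"], ["localhost"]),
    ("internal",           ["localnets"], ["localnets"]),
    ("external",           ['"any"'],     ["any"]),
]

# Kevin's suggestion: carve the slave out of "internal" so its refresh
# queries fall through to "external", where 1080p.com is a master zone.
VIEWS_WITH_EXCEPTION = [
    ("localhost_resolver", ["localhost"],                ["localhost"]),
    ("internal",           ["!dns_slaves", "localnets"], ["localnets"]),
    ("external",           ['"any"'],                    ["any"]),
]


def view_for_slave_refresh(views):
    """Which view on the master answers the slave's SOA refresh query."""
    return select_view(views, SLAVE_ADDR, MASTER_ADDR, MASTER_INTERFACES)


if __name__ == "__main__":
    print("as posted:     ", view_for_slave_refresh(VIEWS_AS_POSTED))       # internal
    print("with exception:", view_for_slave_refresh(VIEWS_WITH_EXCEPTION))  # external
    # An ordinary host on the same subnet still lands in "internal".
    print("LAN client:    ", select_view(VIEWS_WITH_EXCEPTION, "67.134.161.50",
                                         MASTER_ADDR, MASTER_INTERFACES))
```

The named.conf change this models is `match-clients { !dns_slaves; localnets; };` in the master's internal view; the negated element must come before `localnets`, because the first element that matches wins. Kevin's transfer-source remark is the same lookup with a different `src`: whichever address the slave sends from is the one the master's match-clients sees, so a multi-homed slave should pin it.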

Jim Bucks wrote:
> Chris Buxton wrote:
>   
>> So now you know that the problem is in your view definitions and their 
>> match-* statements. Since you have not shared those with the class, 
>> there's nothing more we can tell you.
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>> Address: Noatun 17, IS-105, Reykjavik, Iceland
>> Phone:   +354 412 1500
>> Email:   cbuxton at menandmice.com
>> www.menandmice.com
>>
>> Men & Mice
>> We bring control and flexibility to network management
>>
>> This e-mail and its attachments may contain confidential and privileged 
>> information only intended for the person or entity to which it is 
>> addressed. If the reader of this message is not the intended recipient, 
>> you are hereby notified that any retention, dissemination, distribution 
>> or copy of this e-mail is strictly prohibited. If you have received this 
>> e-mail in error, please notify us immediately by reply e-mail and 
>> immediately delete this message and all its attachment.
>>
>>
>>
>> On Feb 4, 2008, at 12:10 PM, Jim Bucks wrote:
>>
>>     
>>> additional info on the querylog.....
>>>
>>> Jim Bucks wrote:
>>>       
>>>> Hello Mark,   (posted & mailed)
>>>>
>>>> Sorry for the delay in responding (been juggling / dropping a lot of
>>>> balls lately).....
>>>>
>>>> Mark Andrews wrote:
>>>>         
>>>>>> Hello All,
>>>>>>
>>>>>> I'm trying to "get this done on the weekends" a couple of new named
>>>>>> servers into production mode - and am stuck on a couple of problems:
>>>>>>
>>>>>>
>>>>>> Here's what I'm running on both boxes.
>>>>>>     Fedora Core 7 Linux 2.6.23.8-34.fc7  i686 i686 i386
>>>>>>     BIND 9.4.2
>>>>>>
>>>>>>
>>>>>> The internal views appear to be working ok (at least they're creating
>>>>>> all the zone files in the internal directories on the slave server -
>>>>>> have not checked if they update changes).
>>>>>>
>>>>>>
>>>>>> The external views are confusing me.  Three of the zone files appear
>>>>>> to work, but the others (15) throw this error in the slave server's
>>>>>> log:
>>>>>>
>>>>>>      zone yyyyyyyyyyyy.yyy/IN/external: refresh: non-authoritative
>>>>>>      answer from master xxx.xxx.xxx.xxx#53 (source 0.0.0.0#0)
>>>>>>             
>>>>>    This is from the client receiving a response to a SOA query
>>>>>    for the zone which doesn't have the AA bit set.
>>>>>
>>>>>    dig -b 0.0.0.0 yyyyyyyyyyyy.yyy soa +norec @xxx.xxx.xxx.xxx
>>>>>
>>>>>    on the slave to reproduce the query.
>>>>>
>>>>>           
>>>> Well, here's the dig results from the slave server:
>>>>   dig -b 0.0.0.0 1080p.com soa +norec  @67.134.161.162
>>>>
>>>>   ; <<>> DiG 9.4.2 <<>> -b 0.0.0.0 1080p.com soa +norec @67.134.161.162
>>>>   ;; global options:  printcmd
>>>>   ;; Got answer:
>>>>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15269
>>>>   ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
>>>>
>>>>   ;; QUESTION SECTION:
>>>>   ;1080p.com.                     IN      SOA
>>>>
>>>>   ;; AUTHORITY SECTION:
>>>>   .                       276068  IN      NS      K.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      G.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      F.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      C.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      B.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      M.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      J.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      E.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      H.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      A.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      I.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      L.ROOT-SERVERS.NET.
>>>>   .                       276068  IN      NS      D.ROOT-SERVERS.NET.
>>>>
>>>>   ;; ADDITIONAL SECTION:
>>>>   A.ROOT-SERVERS.NET.     362468  IN      A       198.41.0.4
>>>>   F.ROOT-SERVERS.NET.     362468  IN      A       192.5.5.241
>>>>   B.ROOT-SERVERS.NET.     362468  IN      A       192.228.79.201
>>>>   K.ROOT-SERVERS.NET.     362468  IN      A       193.0.14.129
>>>>   I.ROOT-SERVERS.NET.     362468  IN      A       192.36.148.17
>>>>   G.ROOT-SERVERS.NET.     362468  IN      A       192.112.36.4
>>>>   E.ROOT-SERVERS.NET.     362468  IN      A       192.203.230.10
>>>>   M.ROOT-SERVERS.NET.     362468  IN      A       202.12.27.33
>>>>   J.ROOT-SERVERS.NET.     362468  IN      A       192.58.128.30
>>>>   L.ROOT-SERVERS.NET.     362468  IN      A       199.7.83.42
>>>>   C.ROOT-SERVERS.NET.     362468  IN      A       192.33.4.12
>>>>   D.ROOT-SERVERS.NET.     362468  IN      A       128.8.10.90
>>>>   H.ROOT-SERVERS.NET.     362468  IN      A       128.63.2.53
>>>>
>>>>   ;; Query time: 29 msec
>>>>   ;; SERVER: 67.134.161.162#53(67.134.161.162)
>>>>   ;; WHEN: Mon Feb  4 08:23:10 2008
>>>>   ;; MSG SIZE  rcvd: 446
>>>>
>>>>>>      NO errors being logged on the master server.
>>>>>>             
>>>>>    Do you have the zones configured in the external view on the
>>>>>    master?
>>>>>
>>>>>           
>>>> I do believe so.  I have run named-checkconf (named.conf files on master &
>>>> slave servers) and named-checkzone (every external and internal forward &
>>>> reverse zone file) against all files.  I'm not getting any errors when
>>>> running these.
>>>>
>>>>         
>>>>>    Are you sure the slave is talking to the right view at the
>>>>>    right time?  Check the query log (enable if need be).
>>>>>
>>>>>           
>>>> Not sure about this one.  I'll do some reading on this.
>>>>
>>>>         
>>> ok, now, I'm confused / back to thinking it's a "silly syntax typo"...
>>>
>>> Here's what the MASTER server's saying...
>>> Feb  4 12:51:00 dns02 named[16847]: client 67.134.161.163#32786: view
>>> internal: query: 1080p.com IN SOA -E
>>> Feb  4 12:52:42 dns02 named[16847]: client 67.134.161.163#32786: view
>>> internal: query: 1080p.com IN SOA -E
>>>
>>> 1080p.com is not in the internal zone directory.  It's only in the
>>> external zone directory.
>>>
>>>
>>> Here's what the SLAVE server's saying...
>>> Feb  4 13:03:16 dns03 named[11347]: zone 1080p.com/IN/external: refresh:
>>> non-authoritative answer from master 67.134.161.162#53 (source 0.0.0.0#0)
>>>
>>>> Thanks for the ideas.
>>>>
>>>> Jim
>>>>
>>>>         
>>>>>> I have checked spelling, removed / relaxed "security" settings
>>>>>> (match-clients & match-destinations) and added explicit "allow's"
>>>>>> (allow -update and allow-transfer) to no avail.
>>>>>>
>>>>>> Any thoughts on this that might help?  I can provide copies of the
>>>>>> zone files as well as the master & slave named.conf files.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Jim
>>>>>>
>>>>>>             
>
>
> Sorry, I really have been trying to resolve this on my own.  I greatly 
> reduced the number of zones this afternoon in a failed attempt to try 
> and get this working.  I also got rid of the acl entries (using hard 
> coded IP addresses for now).
>
> I'm still getting the same results as I reported earlier.
>
> Thanks,
>
> Jim
>
>
> Here is the named.conf from the master server (less the "key" strings)
>
> //
> // Sample named.conf BIND DNS server 'named' configuration file
> // for the Red Hat BIND distribution.
> //
> // See the BIND Administrator's Reference Manual (ARM) for details, in:
> //   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
> // Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
> // its manual.
> //
> // 2007 Dec 14   Jim Bucks - initial setup
> //                           This is the MASTER / PRIMARY DNS configuration file.
> //
> // Change Log
> //
> //
> acl dns_slaves {
>          67.134.161.163;
> };
>
> acl stapleton_hosts {
>          192.9.200.0/24;
>          127.0.0.1;
>          172.20.24.0/21;
>          67.134.161.0/24;
> };
>
> options
> {
>          /* make named use port 53 for the source of all queries, to allow
>           * firewalls to block all ports except 53:
>           */
>          query-source    port 53;
>          //query-source-v6 port 53;
>
>          // Put files that named is allowed to write in the data/ directory:
>          directory "/var/named";       // the default
>          allow-query { stapleton_hosts; };
> //        allow-query {192.9.200.0/24;172.20.24.0/21;67.134.161.163/24;}; // need to add the other local nets
>          dump-file               "data/cache_dump.db";
>          zone-statistics         yes;
>          statistics-file         "data/named_stats.txt";
>          memstatistics-file      "data/named_mem_stats.txt";
>          also-notify { 67.134.161.163; };
>
> };
>
> logging
> {
> /*      If you want to enable debugging, eg. using the 'rndc trace' command,
>   *      named will try to write the 'named.run' file in the $directory (/var/named).
>   *      By default, SELinux policy does not allow named to modify the /var/named directory,
>   *      so put the default debug log file in data/ :
>   */
>          channel default_debug {
>                  file "data/named.run";
>                  severity dynamic;
>          };
>          // Filter out any LAME server messages from cluttering up the SYSLOGs
> };
>
> //
> // All BIND 9 zones are in a "view", which allow different zones to be served
> // to different types of client addresses, and for options to be set for groups
> // of zones.
> //
> // By default, if named.conf contains no "view" clauses, all zones are in the
> // "default" view, which matches all clients.
> //
> // If named.conf contains any "view" clause, then all zones MUST be in a view;
> // so it is recommended to start off using views to avoid having to restructure
> // your configuration files in the future.
> //
> view localhost_resolver {
>         /* This view sets up named to be a localhost resolver ( caching only nameserver ).
>          * If all you want is a caching-only nameserver, then you need only define this view:
>         */
>          match-clients           { localhost; };
>          match-destinations      { localhost; };
>          recursion yes;
>          # all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
>
>          /* these are zones that contain definitions for all the localhost
>           * names and addresses, as recommended in RFC1912 - these names should
>           * ONLY be served to localhost clients:
>           */
>          // include "internal/named.rfc1912.zones";
> };
>
> view internal {
>          /* This view will contain zones you want to serve only to "internal" clients
>           * that connect via your directly attached LAN interfaces - "localnets" .
>          */
>          match-clients           { localnets; };
>          match-destinations      { localnets; };
>          recursion yes;
>
>          zone "." {
>                  type hint;
>                  file "internal/root.hints";
>           };
>           // all views must contain the root hints zone:
>           //include "internal/root.hints";
>
>          //include "internal/named.rfc1912.zones";
>          // you should not serve your rfc1912 names to non-localhost clients.
>
>          // These are your "authoritative" internal zones, and would probably
>          // also be included in the "localhost_resolver" view above :
>
>
>          zone "den.coloradostudios.com" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "internal/db.den.coloradostudios.com";
>          };
>          zone "200.9.192.in-addr.arpa" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "internal/db.192.9.200";
>          };
>          //      //zone "my.internal.zone" {
>          //              type master;
>          //              file "my.internal.zone.db";
>          //      };
>          //      zone "my.slave.internal.zone" {
>          //              type slave;
>          //              file "slaves/my.slave.internal.zone.db";
>          //              masters { /* put master nameserver IPs here */ 127.0.0.1; };
>          //              // put slave zones in the slaves/ directory so named can update them
>          //      };
>          //      zone "my.ddns.internal.zone" {
>          //              type master;
>          //              allow-update { key ddns_key; };
>          //              file "slaves/my.ddns.internal.zone.db";
>          //              // put dynamically updateable zones in the slaves/ directory so named can update them
>          //      };
> };
>
> key rndc_key
> {
>          algorithm hmac-md5;
>          secret "snipped";
> };
>
> key ddns_key
> {
>          algorithm hmac-md5;
>          secret "snipped";
>          //secret "use /usr/sbin/dns-keygen to generate TSIG keys";
> };
>
> view  external
> {
>          /* This view will contain zones you want to serve only to "external" clients
>           * that have addresses that are not on your directly attached LAN interface subnets:
>          */
>          allow-transfer { 67.134.161.163; };     # allow hosts in acl "dns_slaves" to transfer zones
>
>          //      match-clients           { !localnets; !localhost; };
>          //      match-clients           { localnets; !localhost; };
>          match-clients           { "any"; };
>          //      match-destinations      { localnets; !localhost; };
>          //      match-destinations      { !localnets; !localhost; };
>
>          recursion no;
>          // you'd probably want to deny recursion to external clients, so you don't
>          // end up providing free DNS service to all takers
>
>          // all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
>
>          // These are your "authoritative" external zones, and would probably
>          // contain entries for just your web and mail servers:
>          zone "hd.net" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "external/db.hd.net";
>          };
>          zone "1080p.com" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "external/db.1080p.com";
>          };
>          // Deleted all the other external zones files from here until
>          //   after can get the 1080p.com files to replicate to slave.
>          zone "161.134.67.in-addr.arpa" {
>                  type master;
>                  allow-transfer { 67.134.161.163; };
>                  file "external/db.67.134.161";
>          };
>
>          //      zone "my.external.zone" {
>          //              type master;
>          //              file "my.external.zone.db";
>          //      };
> };
> //include "/etc/bind/logging";
>
>
>
> And, here's the named.conf (also with the key's snipped) from the slave 
> server.
>
>
> //
> // Sample named.conf BIND DNS server 'named' configuration file
> // for the Red Hat BIND distribution.
> //
> // See the BIND Administrator's Reference Manual (ARM) for details, in:
> //   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
> // Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
> // its manual.
> //
> // 2007 Dec 14   Jim Bucks - initial setup
> //                           This is the SECONDARY / SLAVE DNS configuration file.
> //
>
>
> acl dns_masters {
>          67.134.161.162;
> };
>
> // This is a list of `Stapleton' networks.
> acl stapleton_hosts {
>          192.9.200.0/24;
>          127.0.0.1;
>          172.20.24.0/21;
>          67.134.161.0/24;
> };
>
>
> options
> {
>          /* make named use port 53 for the source of all queries, to allow
>           * firewalls to block all ports except 53:
>           */
>          query-source    port 53;
>          //query-source-v6 port 53;
>
>          // Put files that named is allowed to write in the data/ directory:
>          directory "/var/named"; // the default
>          //allow-query {192.9.200.0/24;172.20.24.0/21;}; // need to add the other local nets
>          //allow-query {192.9.200.0/24;172.20.24.0/21;67.134.161.0/24;}; // need to add the other local nets
>          allow-query { "stapleton_hosts"; }; // need to add the other local nets
>          dump-file               "data/cache_dump.db";
>          zone-statistics         yes;
>          statistics-file         "data/named_stats.txt";
>          memstatistics-file      "data/named_mem_stats.txt";
>
> };
>
> logging
> {
> /*      If you want to enable debugging, eg. using the 'rndc trace' command,
>   *      named will try to write the 'named.run' file in the $directory (/var/named).
>   *      By default, SELinux policy does not allow named to modify the /var/named directory,
>   *      so put the default debug log file in data/ :
>   */
>          channel default_debug {
>                  file "data/named.run";
>                  severity dynamic;
>          };
>          // Filter out any LAME server messages from cluttering up the SYSLOGs
> };
>
> //
> // All BIND 9 zones are in a "view", which allow different zones to be served
> // to different types of client addresses, and for options to be set for groups
> // of zones.
> //
> // By default, if named.conf contains no "view" clauses, all zones are in the
> // "default" view, which matches all clients.
> //
> // If named.conf contains any "view" clause, then all zones MUST be in a view;
> // so it is recommended to start off using views to avoid having to restructure
> // your configuration files in the future.
> //
> view localhost_resolver {
>          /* This view sets up named to be a localhost resolver ( caching only nameserver ).
>           * If all you want is a caching-only nameserver, then you need only define this view:
>          */
>          match-clients           { localhost; };
>          match-destinations      { localhost; };
>          recursion yes;
>          # all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
>
>          /* these are zones that contain definitions for all the localhost
>           * names and addresses, as recommended in RFC1912 - these names should
>           * ONLY be served to localhost clients:
>           */
>          //include "/etc/named.rfc1912.zones";
> };
>
> view internal {
>          /* This view will contain zones you want to serve only to "internal" clients
>           * that connect via your directly attached LAN interfaces - "localnets" .
>          */
>          match-clients           { localnets; };
>          match-destinations      { localnets; };
>          recursion yes;
>          zone "." {
>                   type hint;
>                  file "slaves/internal/root.hints";
>          };
>          // all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
>
>          //include "/etc/named.rfc1912.zones";
>          // you should not serve your rfc1912 names to non-localhost clients.
>
>          // These are your "authoritative" internal zones, and would probably
>          // also be included in the "localhost_resolver" view above :
>
>
>          zone "den.coloradostudios.com" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/internal/db.den.coloradostudios.com";
>          };
>          zone "200.9.192.in-addr.arpa" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/internal/db.192.9.200";
>          };
>          //      //zone "my.internal.zone" {
>          //              type master;
>          //              file "my.internal.zone.db";
>          //      };
>          //      zone "my.slave.internal.zone" {
>          //              type slave;
>          //              file "slaves/my.slave.internal.zone.db";
>          //              masters { /* put master nameserver IPs here */ 127.0.0.1; };
>          //              // put slave zones in the slaves/ directory so named can update them
>          //      };
>          //      zone "my.ddns.internal.zone" {
>          //              type master;
>          //              allow-update { key ddns_key; };
>          //              file "slaves/my.ddns.internal.zone.db";
>          //              // put dynamically updateable zones in the slaves/ directory so named can update them
>          //      };
> };
>
> key rndc_key
> {
>          algorithm hmac-md5;
>          secret "snip";
> };
>
> key ddns_key
> {
>          algorithm hmac-md5;
>          secret "snip";
>          //secret "use /usr/sbin/dns-keygen to generate TSIG keys";
> };
>
> view external {
>          /* This view will contain zones you want to serve only to "external" clients
>           * that have addresses that are not on your directly attached LAN interface subnets:
>          */
>          match-clients           { dns_masters; };
>          match-destinations      { dns_masters; };
>          //      match-clients           { !localnets; !localhost; };
>          //      match-destinations      { !localnets; !localhost; };
>
>          recursion no;
>          // you'd probably want to deny recursion to external clients, so you don't
>          // end up providing free DNS service to all takers
>
>          // all views must contain the root hints zone:
>          //include "/etc/named.root.hints";
>
>          // These are your "authoritative" external zones, and would probably
>          // contain entries for just your web and mail servers:
>          zone "hd.net" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/external/db.hd.net";
>          };
>          zone "1080p.com" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/external/db.1080p.com";
>          };
>          // Deleted all the other external zones files from here until
>          //   after can get the 1080p.com files to replicate to slave.
>          zone "161.134.67.in-addr.arpa" {
>                  type slave;
>                  masters { 67.134.161.162; };
>                  file "slaves/external/db.67.134.161";
>          };
>
>          //      zone "my.external.zone" {
>          //              type master;
>          //              file "my.external.zone.db";
>          //      };
> };
> //include "/etc/bind/logging";
>
