Transferring of zones that use view.

Barry Margolin barmar at alum.mit.edu
Fri Mar 7 22:38:58 UTC 2008


In article <fqrkcc$1glm$1 at sf1.isc.org>,
 Nils Olofsson <nils at cartoonsaloon.ie> wrote:

> On Fri, 2008-03-07 at 07:29 -0500, Alan Clegg wrote:
> > Nils Olofsson wrote:
> > > Hi,
> > > ------------
> > > Quote from FAQ:
> > > 
> > > Q:How can I make a server a slave for both an internal and an external
> > > view at the same time? When I tried, both views on the slave were
> > > transferred from the same view on the master. 
> > > 
> > > A: You will need to give the master and slave multiple IP addresses and
> > > use those to make sure you reach the correct view on the other machine. 
> > > ---------------
> > > 
> > > This might have come up multiple times already... this seems like an
> > > insane way to transfer "views" in BIND. Is there a patch floating around
> > > that allows views to be correctly transferred without the need to have
> > > lots of spare IP addresses (IPv4) or the use of the transfer-source
> > > option?
> > It's not a patch, it's BIND 9.3 or later.  Reading the rest of the FAQ 
> > that you quoted provides me with this:
> > 
> > Use TSIG to select the appropriate view.
> > 
> 
> I did notice this way of doing it, but it's an error-prone way (IMHO)
> (initially). Why does it have to be like this...? I suppose once it's
> set up it should be fine, and as I would not really have to touch
> named.conf again it should be ok... Maybe I jumped the gun a bit  :) 

Views are not part of the DNS protocol, they're just a hack in BIND to 
allow one server process to emulate multiple servers.  So there's no way 
for a DNS client to specifically say "Give me the data from view 
'internal'".

When a request comes in, the server needs some reliable way to decide 
which view to use to process the request.  Normally it uses the client 
IP, as that's how you usually distinguish the groups of clients you're 
serving.  In 9.3 you can also use an encryption key.  Whatever you use, 
it has to be reliable -- you can't use something that the client can 
forge easily.  So even if there were a way for the client to request a 
specific view, you'd need some way to authenticate that they're allowed 
to make such a request.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
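The key-selected view setup that Alan and Barry describe, written out as an added example (this is not configuration from the thread or from ISC; the addresses 192.0.2.1/192.0.2.2, the 10.0.0.0/8 internal range, the zone name example.com, the key names and the placeholder secrets are all assumptions). Both servers share the same two TSIG keys; each view on each side uses its own key, so a signed transfer request or NOTIFY identifies the view it belongs to by the key rather than by the source address. Note that TSIG is an HMAC that authenticates the request, not encryption; the view selection relies on the client being unable to forge the MAC without the shared secret. The master and slave fragments below go in two separate named.conf files; they are shown together only to keep the pairing visible.

```conf
// Added example, not from the original thread. Master 192.0.2.1, slave
// 192.0.2.2, zone example.com served in an "internal" and an "external" view.
// Addresses, names and the placeholder secrets are assumptions; generate
// real secrets with: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST <name>
// hmac-sha256 needs BIND 9.4 or later; on 9.3 only hmac-md5 is available.

// ---- identical on master and slave: one TSIG key per view ----
key "internal-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-replace-with-generated-base64-secret=";
};
key "external-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-replace-with-a-different-secret=";
};

// ---- master (192.0.2.1) ----
view "internal" {
    // Views are tried in order. A request signed with internal-xfer lands
    // here whatever its source address. The negated key entry stops a request
    // signed with external-xfer but sent from an internal address from
    // falling through to the address match and transferring the wrong data.
    match-clients { key internal-xfer; !key external-xfer; 10.0.0.0/8; };
    // Sign NOTIFYs to the slave so they select its internal view as well.
    server 192.0.2.2 { keys { internal-xfer; }; };
    zone "example.com" {
        type master;
        file "internal/example.com.db";
        allow-transfer { key internal-xfer; };
        also-notify { 192.0.2.2; };
    };
};
view "external" {
    match-clients { key external-xfer; any; };
    server 192.0.2.2 { keys { external-xfer; }; };
    zone "example.com" {
        type master;
        file "external/example.com.db";
        allow-transfer { key external-xfer; };
        also-notify { 192.0.2.2; };
    };
};

// ---- slave (192.0.2.2) ----
view "internal" {
    match-clients { key internal-xfer; !key external-xfer; 10.0.0.0/8; };
    // Every SOA check and AXFR/IXFR this view sends to the master is signed
    // with internal-xfer, so the master serves it from its internal view.
    server 192.0.2.1 { keys { internal-xfer; }; };
    zone "example.com" {
        type slave;
        file "internal/example.com.db";
        masters { 192.0.2.1; };
        allow-transfer { none; };
    };
};
view "external" {
    match-clients { key external-xfer; any; };
    server 192.0.2.1 { keys { external-xfer; }; };
    zone "example.com" {
        type slave;
        file "external/example.com.db";
        masters { 192.0.2.1; };
        allow-transfer { none; };
    };
};
```

Check each file with named-checkconf before reloading, then confirm the selection from the slave's address with a signed transfer request such as `dig @192.0.2.1 -y hmac-sha256:internal-xfer:<secret> example.com AXFR` and the same command with external-xfer: the two answers should differ, and an unsigned AXFR should be refused by both views. An alternative to the per-view server statement is naming the key directly in the masters list (`masters { 192.0.2.1 key internal-xfer; };`), which signs only the zone-transfer traffic rather than everything the view sends to that address.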
