Zone Transfer issue on BIND9

snoop at email.it snoop at email.it
Fri Aug 24 14:44:55 UTC 2012


	--------- Original Message --------
	From: Jeremy C. Reed <jreed at isc.org>
	To: 
	  Cc: bind-users at lists.isc.org
	Subject: Re: Zone Transfer issue on BIND9
	Date: 24/08/12 15:39
	
	> 
> 
> 
> On Fri, 24 Aug 2012, snoop at email.it wrote:
> 
> > view "internal" {
> 
> ...
> >         zone "1.16.172.in-addr.arpa" IN {
> >                 type master;
> >                 file "/etc/namedb/master/1.16.172.in-addr.arpa.ext.zone";
> 
> Previous zone file names in this same view were called "int". Why the 
> filename change? (ext means "external" even though in the internal 
> view?)
> 
You're right. It is a bit misleading, but it is like that also because I've
already shrunk the configuration file consistently. It's marked as
"ext" because that IP range is geographically somewhere else ... reachable
via VPN tunnelling. Which makes it basically internal, even though it has
been named that way just for practical reasons (to remind me that the
network is not "here"). That's why it's in the "internal" view. Perhaps
another abbreviation would have been more appropriate.

> > ***SLAVE server (FreeBSD 9.0-RELEASE-p3 (amd64)|| BIND 9.8.1-P1)***
> 
> > key TSIG-KEY. {
> ...
> 
> >         allow-notify { 171.XX.YY.27; 10.0.0.15; };
> 
> >         listen-on { 171.XX.YY.27; 127.0.0.1; };
> 
> Is the allow-notify 171.XX.YY.27 address same as the listen-on 
> 171.XX.YY.27 address? This is confusing as the allow-notify is a 
> different server and listen-on is this server.
> 
True that.
I put that IP address there as a test yesterday (or the day before), I
believe, because I was having a problem in the logs showing the following
message:

"refused notify from non-master: 171.XX.YY.27#52860"

A problem that I fixed in this way, by putting the IP address of the server
itself in the allow-notify field along with the IP address of the master
one. Not sure whether that's a fix or a workaround, but I don't think it might
cause harm anyhow. Of course I might be wrong. :)


> > view "internal" {
> >         match-clients { !key TSIG-KEY; internal; datacentre; };
> 
> What defines that TSIG-KEY?  Notice it doesn't have the trailing period 
> "TSIG-KEY." as defined earlier.
> 
> From your later email:
> 
> > Files are identical within the DOMAIN, not the VIEW.
> > For example, on the slave server:
> > DOMAIN01.eu.int.zone
> > DOMAIN01.eu.ext.zone
> > 
> > are exactly the same (also same checksum)
> 
> Are they a copy of the internal or external view's zone on the master?
> 
I apologise. The trailing period got lost during the name substitution with
vi. It's just a "typo". In the normal config there's no such thing.

Basically, if I have the directive "!key TSIG-KEY." in the match-clients field,
all affected files get the content of the external view's zone. If there's
"key TSIG-KEY." instead, all the affected files get the internal
view's zone.

> It is a little difficult to follow the configuration when using maybe 
> fake IP addresses, fake zone names, and fake filenames. You may want to 
> simplify your named.conf to bare minimum (two views and one zone each) 
> for initial testing.
It is.
But the only things that I've changed are the public IP addresses and the
domain names, which also affect the file names and the TSIG name.
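
The view-selection-by-key behaviour discussed in this thread (a request signed with a key that is listed as `key` in a view's match-clients lands in that view; one listed as `!key` is pushed on to the next view) can be shown with a minimal two-view master/slave pair. This is an added example and not configuration from this thread or from ISC: the addresses 192.0.2.10 (master) and 192.0.2.20 (slave), the zone example.com, the acl, the key names and the placeholder secrets are all assumptions. The master signs each view's NOTIFYs to the slave with that view's key (server statement), and the slave signs its SOA refresh and AXFR/IXFR requests with the same key (masters ... key), so both sides pick the same view for the same zone. The `!key` entries are there only to keep a request signed with the other view's key from falling through on a source-address match; putting `!key` on the key you actually transfer with would send those transfers to the other view, which is the behaviour described above.

```conf
# ---------- MASTER, 192.0.2.10 (hypothetical) ----------
# One TSIG key per view. Secrets are placeholders: generate real ones with
# dnssec-keygen (BIND 9.8) or tsig-keygen (later releases).
key "internal-key" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };
key "external-key" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };

acl "internal" { 10.0.0.0/8; 172.16.1.0/24; };   # assumed internal ranges

view "internal" {
    # match-clients is first-match: a request signed with internal-key is
    # taken here; one signed with external-key is rejected from this view
    # even if it comes from an internal address, and falls through.
    match-clients { key "internal-key"; !key "external-key"; internal; };
    # Sign every request this view sends to the slave (NOTIFY, SOA queries)
    # so the slave's internal view, not its external one, receives them.
    server 192.0.2.20 { keys { "internal-key"; }; };
    zone "example.com" {
        type master;
        file "/etc/namedb/master/example.com.int.zone";
        allow-transfer { key "internal-key"; };
        also-notify { 192.0.2.20; };
    };
};

view "external" {
    match-clients { key "external-key"; !key "internal-key"; any; };
    server 192.0.2.20 { keys { "external-key"; }; };
    zone "example.com" {
        type master;
        file "/etc/namedb/master/example.com.ext.zone";
        allow-transfer { key "external-key"; };
        also-notify { 192.0.2.20; };
    };
};

# ---------- SLAVE, 192.0.2.20 (hypothetical) ----------
key "internal-key" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };
key "external-key" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };

acl "internal" { 10.0.0.0/8; 172.16.1.0/24; };

view "internal" {
    # The master's NOTIFY for this view arrives signed with internal-key,
    # so it matches here.
    match-clients { key "internal-key"; !key "external-key"; internal; };
    zone "example.com" {
        type slave;
        # Sign the refresh and transfer requests with the view's key, so the
        # master answers from its internal view.
        masters { 192.0.2.10 key "internal-key"; };
        # Listed masters may always send NOTIFY; allow-notify is only for
        # additional hosts, so the slave's own address does not belong in it.
        file "/etc/namedb/slave/example.com.int.zone";
    };
};

view "external" {
    match-clients { key "external-key"; !key "internal-key"; any; };
    zone "example.com" {
        type slave;
        masters { 192.0.2.10 key "external-key"; };
        file "/etc/namedb/slave/example.com.ext.zone";
    };
};
```

Run named-checkconf on each file before reloading, and use distinct zone file names per view on the slave (as above) so that a transfer landing in the wrong view shows up as differing file contents rather than silently overwriting the other view's copy.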
 