Shared dynamic zone on external view?

Mark Andrews marka at isc.org
Wed Nov 7 22:23:05 UTC 2012


In message <509A8796.7060005 at nryc.fr>, "Nicolas C." writes:
> Hello,
> 
> I have a dynamic zone on an external view, this zone is updated with a 
> TSIG key from outside of our network. There is a secondary DNS server, 
> also outside our network on which zone transfers are working fine with 
> no key.
> 
> We would like to make one of our internal DNS secondary for this zone 
> and we have the "dynamic zone shared between views" problem. I tried to 
> follow the FAQ but no luck so far.
> 
> I'm not sure that what I'm trying to do is possible, can someone confirm 
> this?
> 
> Should I follow the FAQ and make my dynamic zone "master" on the 
> "internal" view? That makes less sense to us because these are public 
> zones, updated from the outside.
> 
> This is my configuration :
> 
> view "internal" {
>    match-clients {
> 
>      !key external;
>      key shared;
> 
>      <IPv4/IPv6 ranges including IPv4-of-my-DNS>
>    };
> 
>    zone "<my_zone>" {
>      type slave;
>      file "db.shared-int";
>      masters { IPv4-of-my-DNS; };

You need to force the internal zone to talk to the external zone.

	masters { IPv4-of-my-DNS key external; };

>      transfer-source IPv4-of-my-DNS;
>    };
> };
> 
> view "external" {
> 
>    match-clients { !key shared; any; };
>    allow-transfer { IPv4-of-my-DNS; };
>    server IPv4-of-my-DNS { keys { shared; }; };
> 
>    zone "<my_zone>" {
>      type master;
>      file "db.shared-ext";
>      notify yes;
>      also-notify { IPv4-of-my-DNS; };
> 
>      update-policy {
>        grant another-key subdomain <my_zone> ANY;
>        grant principal at REA.LM subdomain <my_zone> ANY;
>      };
>    };
> };
> 
> When I reload the configuration or try to initiate a zone transfer with 
> dig and the "shared" key, I have this message in the logs.
> 
> zone <my_zone>/IN/internal: refresh: unexpected rcode (SERVFAIL) from 
> master IPv4-of-my-DNS#53 (source IPv4-of-my-DNS#0)
> 
> Regards,
> 
> Nicolas
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org