Slave displaying all domain info when using $INCLUDE on master

Cathy Almond cathya at isc.org
Thu Sep 5 09:15:12 UTC 2013


On 05/09/13 09:54, Jobst Schmalenbach wrote:
> Hi.
> 
> I have a master/slave combo, the master is ok, displays the correct info when queried, but the slave displays too much info, including the internal stuff.
> 
> The master uses two zone files (*internal and *external) that each include different files using $INCLUDEs, each containing different information: 1) the external includes domain names that the world needs to know and 2) the internal includes the world stuff + internal domain names.
> 
> I am displaying the config info for one of the domains I am most concerned about (the master is 220.233.246.146, the slave is 220.233.37.60).
> Currently the slave nameserver will REFUSE external queries until I fix this => allow-query { internal; };
> 
> Master /etc/named.conf:
>    acl "internal" { localhost; 192.168.0.0/16; 10.1.0.0/16; 220.233.246.146; };
>    acl "external" { any; localhost; };
>    view "internal" {
>        match-clients { "internal"; };
>        recursion yes;
>        zone "barrett.com.au" {
>          type master;
>          file "pz/barrett.com.au.internal";
>          forwarders {};
>          allow-update { localhost; };
>          also-notify { 220.233.37.60; };
>          notify explicit;
>        };
>    }
>    view "external" {
>        match-clients { any; };
>        recursion no;
>        zone "barrett.com.au" {
>          type master;
>          file "pz/barrett.com.au.external";
>          forwarders {};
>          allow-update { localhost; };
>          also-notify { 220.233.37.60; };
>          notify explicit;
>        };
>    }
> 
> MASTER pz/barrett.com.au.internal:
>    $TTL 7200;
>    @ IN SOA ns1.barrettconsulting.com.au. hostmaster.barrettconsulting.com.au. (
>                    2013090530   ; serial
>                    3h           ; refresh after 3 hours
>                    1h           ; retry after 1 hour
>                    2w           ; expire after 2 weeks
>                    1h )         ; negative caching TTL of one hour
>            IN TXT "Barrett Consulting Group Name Server"
>            IN SPF "v=spf a mx ptr mx:mail.barrett.com.au mx:mail2.barrett.com.au mx:mail.salesessentials.com ip4:118.127.20.99 ip4:220.233.246.146 -all"
>            IN NS  ns1.barrettconsulting.com.au.
>            IN NS  ns2.barrettconsulting.com.au.
>            IN MX  10  mail.barrett.com.au.
>            IN MX  100 mail2.barrett.com.au.
>    $INCLUDE pz/barrett.com.au.internal.zone_data
> 
> MASTER pz/barrett.com.au.external:
>    $TTL 7200;
>    @ IN SOA ns1.barrettconsulting.com.au. hostmaster.barrettconsulting.com.au. (
>                    2013090530   ; serial
>                    3h           ; refresh after 3 hours
>                    1h           ; retry after 1 hour
>                    2w           ; expire after 2 weeks
>                    1h )         ; negative caching TTL of one hour
>            IN TXT "Barrett Consulting Group Name Server"
>            IN SPF "v=spf a mx ptr mx:mail.barrett.com.au mx:mail2.barrett.com.au mx:mail.salesessentials.com ip4:118.127.20.99 ip4:220.233.246.146 -all"
>            IN NS  ns1.barrettconsulting.com.au.
>            IN NS  ns2.barrettconsulting.com.au.
>            IN MX  10  mail.barrett.com.au.
>            IN MX  100 mail2.barrett.com.au.
>    $INCLUDE pz/barrett.com.au.external.zone_data
> 
> This works VERY FINE for the MASTER, e.g. if I query the nameserver from an outside network and request an internal address it will display
> 
>   ** server can't find dev.barrett.com.au: NXDOMAIN
> 
> but on the slave BOTH zone files have the same information in them, including external and internal zone data (which I do not want).
> Slave /etc/named.conf:
> 
>   acl "internal" { localhost; 192.168.0.0/16; 10.1.0.0/16; 220.233.37.60; };
>   acl "external" { any; localhost; };
>   view "internal" {
>       match-clients { "internal"; };
>       recursion yes;
>       zone "barrett.com.au" {
>         type slave;
>         file "pz/bak.barrett.com.au.internal";
>         forwarders { };
>         masters { 220.233.246.146; };
>         notify no;
>       };
>   }
>   view "external" {
>      match-clients { any; };
>      recursion no;
>      zone "barrett.com.au"{
>        type slave;
>        file "pz/bak.barrett.com.au.external";
>        forwarders {};
>        masters { 220.233.246.146; };
>        notify no;
>      };
>   }
> 
> 
> Now, is it incorrect that I can have separate zone files on the slave (each containing different info)?
> 
> If this is possible, what am I doing wrong to get this to work?
> 
> 
> thanks
> Jobst

You don't have anything in place to distinguish the zone transfers from
the slave as being for a specific view (internal or external).

The preferred way is by using TSIG (because it's clearer/easier to
configure and manage).

See: https://kb.isc.org/article/AA-00296

You can also distinguish between requests by controlling the source
addresses of the slave when it requests a zone fresh from the master so
that it uses a different IP for each view (and configure the master
accordingly), but there isn't a worked example of this in the KB.

Cathy
