Slave displaying all domain info when using $INCLUDE on master
Cathy Almond
cathya at isc.org
Thu Sep 5 09:15:12 UTC 2013
On 05/09/13 09:54, Jobst Schmalenbach wrote:
> Hi.
>
> I have a master/slave combo, the master is ok, displays the correct info when queried, but the slave displays too much info, including the internal stuff.
>
> The master uses two zone files (*internal and *external) that each include different files using $INCLUDE, each containing different information: 1) the external one includes domain names that the world needs to know and 2) the internal one includes the world stuff + internal domain names.
>
> I am displaying the config info for one of the domains I am most concerned about (the master is 220.233.246.146, the slave is 220.233.37.60).
> Currently the slave nameserver will REFUSE external queries until I fix this => allow-query { internal; };
>
> Master /etc/named.conf:
> acl "internal" { localhost; 192.168.0.0/16; 10.1.0.0/16; 220.233.246.146; };
> acl "external" { any; localhost; };
> view "internal" {
> match-clients { "internal"; };
> recursion yes;
> zone "barrett.com.au" {
> type master;
> file "pz/barrett.com.au.internal";
> forwarders {};
> allow-update { localhost; };
> also-notify { 220.233.37.60; };
> notify explicit;
> };
> }
> view "external" {
> match-clients { any; };
> recursion no;
> zone "barrett.com.au" {
> type master;
> file "pz/barrett.com.au.external";
> forwarders {};
> allow-update { localhost; };
> also-notify { 220.233.37.60; };
> notify explicit;
> };
> }
>
> MASTER pz/barrett.com.au.internal:
> $TTL 7200;
> @ IN SOA ns1.barrettconsulting.com.au. hostmaster.barrettconsulting.com.au. (
> 2013090530 ; serial
> 3h ; refresh after 3 hours
> 1h ; retry after 1 hour
> 2w ; expire after 2 weeks
> 1h ) ; negative caching TTL of one hour
> IN TXT "Barrett Consulting Group Name Server"
> IN SPF "v=spf a mx ptr mx:mail.barrett.com.au mx:mail2.barrett.com.au mx:mail.salesessentials.com ip4:118.127.20.99 ip4:220.233.246.146 -all"
> IN NS ns1.barrettconsulting.com.au.
> IN NS ns2.barrettconsulting.com.au.
> IN MX 10 mail.barrett.com.au.
> IN MX 100 mail2.barrett.com.au.
> $INCLUDE pz/barrett.com.au.internal.zone_data
>
> MASTER pz/barrett.com.au.external:
> $TTL 7200;
> @ IN SOA ns1.barrettconsulting.com.au. hostmaster.barrettconsulting.com.au. (
> 2013090530 ; serial
> 3h ; refresh after 3 hours
> 1h ; retry after 1 hour
> 2w ; expire after 2 weeks
> 1h ) ; negative caching TTL of one hour
> IN TXT "Barrett Consulting Group Name Server"
> IN SPF "v=spf a mx ptr mx:mail.barrett.com.au mx:mail2.barrett.com.au mx:mail.salesessentials.com ip4:118.127.20.99 ip4:220.233.246.146 -all"
> IN NS ns1.barrettconsulting.com.au.
> IN NS ns2.barrettconsulting.com.au.
> IN MX 10 mail.barrett.com.au.
> IN MX 100 mail2.barrett.com.au.
> $INCLUDE pz/barrett.com.au.external.zone_data
>
> This works VERY FINE for the MASTER, e.g. if I query the nameserver from an outside network and request an internal address it will display
>
> ** server can't find dev.barrett.com.au: NXDOMAIN
>
> but on the slave BOTH zone files have the same information in them, including external and internal zone data (which I do not want).
> Slave /etc/named.conf:
>
> acl "internal" { localhost; 192.168.0.0/16; 10.1.0.0/16; 220.233.37.60; };
> acl "external" { any; localhost; };
> view "internal" {
> match-clients { "internal"; };
> recursion yes;
> zone "barrett.com.au" {
> type slave;
> file "pz/bak.barrett.com.au.internal";
> forwarders { };
> masters { 220.233.246.146; };
> notify no;
> };
> }
> view "external" {
> match-clients { any; };
> recursion no;
> zone "barrett.com.au"{
> type slave;
> file "pz/bak.barrett.com.au.external";
> forwarders {};
> masters { 220.233.246.146; };
> notify no;
> };
> }
>
>
> Now, is it incorrect that I can have separate zone files on the slave (each containing different info)?
>
> If this is possible, what am I doing wrong to get this to work?
>
>
> thanks
> Jobst
You don't have anything in place to distinguish the zone transfers from
the slave as being for a specific view (internal or external).
The preferred way is by using TSIG (because it's clearer/easier to
configure and manage).
See: https://kb.isc.org/article/AA-00296
You can also distinguish between requests by controlling the source
addresses of the slave when it requests a zone fresh from the master so
that it uses a different IP for each view (and configure the master
accordingly), but there isn't a worked example of this in the KB.
Cathy
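A worked version of the TSIG approach described in the reply above, as an added example and not configuration from the original thread or from ISC. It reuses the master (220.233.246.146) and slave (220.233.37.60) addresses and zone names from Jobst's post; the key names "internal-xfer" and "external-xfer" and the secrets are constructed placeholders. The idea is that each view on the slave signs its SOA refresh queries and AXFR/IXFR requests with its own key, and each view on the master is selected by that key rather than by the slave's source address (which is the same for both views and is what the original configuration cannot tell apart):

```conf
# Added example (not from the thread). Generate real secrets with
#   tsig-keygen internal-xfer
# (or, on older BIND 9: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST internal-xfer)
# and put identical key statements in BOTH /etc/named.conf files.

key "internal-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-1==";   # constructed placeholder, replace
};
key "external-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-2==";   # constructed placeholder, replace
};

# ---- master /etc/named.conf ----
acl "internal" { localhost; 192.168.0.0/16; 10.1.0.0/16; 220.233.246.146; };

view "internal" {
    # a request signed with the internal key lands here even though the
    # slave's address (220.233.37.60) is not in the "internal" acl
    match-clients { key internal-xfer; "internal"; };
    recursion yes;
    # sign NOTIFYs sent to the slave from this view, so the slave can route
    # them to its own internal view
    server 220.233.37.60 { keys { internal-xfer; }; };
    zone "barrett.com.au" {
        type master;
        file "pz/barrett.com.au.internal";
        allow-transfer { key internal-xfer; };   # internal data only leaves with this key
        also-notify { 220.233.37.60; };
        notify explicit;
    };
};

view "external" {
    # explicitly reject the internal key here so a signed request can never
    # fall through to the public view
    match-clients { !key internal-xfer; any; };
    recursion no;
    server 220.233.37.60 { keys { external-xfer; }; };
    zone "barrett.com.au" {
        type master;
        file "pz/barrett.com.au.external";
        allow-transfer { key external-xfer; };
        also-notify { 220.233.37.60; };
        notify explicit;
    };
};

# ---- slave /etc/named.conf ----
acl "internal" { localhost; 192.168.0.0/16; 10.1.0.0/16; 220.233.37.60; };

view "internal" {
    # a NOTIFY signed with the internal key selects this view
    match-clients { key internal-xfer; "internal"; };
    recursion yes;
    # SOA refresh queries and AXFR/IXFR requests to the master are signed
    # with the internal key, so the master answers from its internal view
    server 220.233.246.146 { keys { internal-xfer; }; };
    zone "barrett.com.au" {
        type slave;
        file "pz/bak.barrett.com.au.internal";
        masters { 220.233.246.146; };
        notify no;
    };
};

view "external" {
    match-clients { !key internal-xfer; any; };
    recursion no;
    server 220.233.246.146 { keys { external-xfer; }; };
    zone "barrett.com.au" {
        type slave;
        file "pz/bak.barrett.com.au.external";
        masters { 220.233.246.146; };
        notify no;
    };
};
```

Instead of a per-view `server` statement on the slave, the key can also be attached to the master entry itself (`masters { 220.233.246.146 key internal-xfer; };`); the `server` form is used above because it also covers the SOA refresh query. To check the result from the slave, run `dig @220.233.246.146 barrett.com.au AXFR -y hmac-sha256:internal-xfer:<secret>` and the same query with the external key (and once unsigned, which should be refused for the internal data); the two signed transfers should return the two different zone contents, and after `rndc retransfer barrett.com.au in internal` and `... in external` the two `bak.*` files on the slave should differ the same way.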