DNS views and zone transfers

Bob Harold rharolde at umich.edu
Wed Sep 7 16:46:29 UTC 2016


On Wed, Sep 7, 2016 at 12:34 PM, /dev/rob0 <rob0 at gmx.co.uk> wrote:

> On Wed, Sep 07, 2016 at 11:48:54AM -0400, Bob Harold wrote:
> > On Wed, Sep 7, 2016 at 11:37 AM, project722 <project722 at gmail.com> wrote:
> >
> > > Thanks Bob, I will look into this. Do you know if the forwarders
> > > feature is supported in Bind 9.8.2?
> > >
> > Yes, forwarders is an old and stable feature.
> >
> > ("in-view" is new and experimental)
>
> "New" is fair to say, if you call BIND 9.10 "new".  OTOH it is
> unfair/wrong to call it "experimental".  9.10 has been in stable
> release form for quite some time now, and there have been no problems
> with the in-view zone feature, AFAIK.


My apologies.  You are correct, it is just not fossilized enough to be the
default in most Linux distros.


> > > On Wed, Sep 7, 2016 at 9:38 AM, Bob Harold <rharolde at umich.edu> wrote:
> > >
> > >>
> > >> On Tue, Sep 6, 2016 at 5:23 PM, project722 <project722 at gmail.com> wrote:
>
> snip
> > >> Here is the basic structure:
> > >>
> > >> view "internal" {
> > >>     match-clients {
> > >>           // this list must not match 127.0.0.1
> > >>           !key "external";   // use this key to test the external view
> > >>           10.0.0.0/8;
> > >>           key "internal";   // use this key to test the internal view
> > >>     };
> > >>     zone "itd.umich.edu" {    // this zone is different in the two views
> > >>           type master;
> > >>           file "internal/itd.umich.edu";
> > >>     };
> > >>     forwarders {
> > >>           // forward to external view
> > >>           127.0.0.1;
>
> I have never thought to try this, but I would not expect it to work.
> Does it?


It works, and avoids having extra copies of the zones on disk and in memory
(I don't have 9.10).  Downsides are the caching in both views, and query
logging (if enabled) logs it twice.

> >>     };
> > >>     forward only;        // optional
> > >> };
> > >> view "external" {
> > >>     match-clients {
> > >>           // this list must match 127.0.0.1
> > >>           any;
> > >>     };
> > >>     zone "itd.umich.edu" {    // this zone is different in the two views
> > >>           type master;
> > >>           file "external/itd.umich.edu";
> > >>     };
> > >>     zone "10.in-addr.arpa" {   // all other zones will be seen by everyone
> > >>           type master;
> > >>           file "external/arpa.in-addr.10";
> > >>     };
> > >>     zone "umich.edu" {
> > >>           type master;
> > >>           file "external/com.umich";
> > >>     };
> > >> };
>
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>
>
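The fragment quoted above is split across the reply and is missing the pieces that make it load: the `key` statements that `match-clients` refers to, the `options` block, and the transfer policy the thread's subject asks about. Below is a complete named.conf skeleton for the same two-view layout, written here as an added example; it is not Bob's configuration or anything from the ISC documentation. Zone names, file paths and key names follow the thread. The listen addresses, the `internal-nets` ACL name and the key secrets are assumptions: the secrets are placeholders and must be generated (`tsig-keygen` on 9.10 and later, or `dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST` on 9.8/9.9). The `allow-transfer` lines go beyond what was posted; they show how the same keys keep internal zone data from being transferred out through the external view.

```conf
// Added example, not from the original post. Two views on one named:
// "internal" serves 10/8 its private copy of itd.umich.edu and forwards
// everything else to the "external" view on the same host over loopback.

key "internal" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_1";   // placeholder, generate your own
};
key "external" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_2";   // placeholder, generate your own
};

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 10.0.0.53; };     // assumed addresses
    recursion yes;
    allow-query { any; };
    allow-transfer { none; };                // deny by default; opened per zone below
};

acl "internal-nets" { 10.0.0.0/8; };        // assumed ACL name

view "internal" {
    // Order matters: a query signed with "external" is rejected here first,
    // even when it comes from 10/8, so an admin on the LAN can test the
    // external view with that key. 127.0.0.1 is deliberately NOT matched:
    // the query this view forwards must land in the external view, not loop
    // back into this one.
    match-clients { !key "external"; internal-nets; key "internal"; };

    zone "itd.umich.edu" {
        type master;
        file "internal/itd.umich.edu";
        // private data may only be pulled by a secondary signing with the
        // internal key; the external view never sees this zone file
        allow-transfer { key "internal"; };
    };

    // Every name not defined in this view is forwarded to the external view
    // on the same server. "forward only" stops this view from recursing on
    // its own if 127.0.0.1 does not answer.
    forwarders { 127.0.0.1; };
    forward only;
};

view "external" {
    match-clients { any; };                  // must match 127.0.0.1 for the forward to work

    zone "itd.umich.edu" {
        type master;
        file "external/itd.umich.edu";
        allow-transfer { key "external"; };  // or the public secondaries' addresses
    };
    zone "10.in-addr.arpa" {
        type master;
        file "external/arpa.in-addr.10";
    };
    zone "umich.edu" {
        type master;
        file "external/com.umich";
        allow-transfer { key "external"; };  // or the public secondaries' addresses
    };
};

// On BIND 9.10 or later the loopback forward can be replaced by pointing the
// internal view at the external view's zones, which shares one in-memory copy
// and one cache instead of two; the referenced view has to be defined earlier
// in the file, so "external" would then move above "internal":
//   zone "umich.edu" { in-view "external"; };
```

After `named-checkconf` passes, check each view from the server itself with a signed query, substituting the generated secrets: `dig @127.0.0.1 -y hmac-sha256:internal:SECRET1 itd.umich.edu SOA` should return the internal serial, `dig @127.0.0.1 -y hmac-sha256:external:SECRET2 itd.umich.edu SOA` the external one, and an unsigned query from a 10/8 client for umich.edu should succeed while `rndc querylog` shows it logged twice (once per view), which is the double logging mentioned above. An unsigned `dig @10.0.0.53 itd.umich.edu AXFR` from 10/8 should be refused, confirming the transfer policy.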