[Question] zone transfer issue with multiple views

Eoin Kim Eoin.Kim at rcst.com.au
Fri Dec 8 22:37:10 UTC 2017


Hi,


Thanks for your help. But is it possible to do it without an additional IP address? I thought that I am not really bad with BIND, but as soon as I started using views, I'm going nowhere 😊


I found related links:

  *   https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html (I believe my scenario would be example 3 or 4)
  *   https://kb.isc.org/article/AA-00723/0 (Because I really want to use TSIG)

Do I have to use a tarball from ISC to do this? Debian's BIND has a version of 9.9.5 so version-wise, it looks alright to me. Thanks again.

Eoin


________________________________
From: Lightner, Jeffrey <JLightner at dsservices.com>
Sent: Friday, 8 December 2017 11:38 PM
To: Lightner, Jeffrey; Eoin Kim; bind-users at lists.isc.org
Subject: RE: [Question] zone transfer issue with multiple views


Sorry that 10.0.9.9 should be 10.9.9.9 – i.e. notify-source and transfer-source are the same IP within the same view.





From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Lightner, Jeffrey
Sent: Friday, December 08, 2017 8:34 AM
To: Eoin Kim; bind-users at lists.isc.org
Subject: RE: [Question] zone transfer issue with multiple views

When we did it here we set up separate notify-source and transfer-source within the views on both the master and the slave.

view "internal" {
    match-clients { internaldns; };
    notify-source 10.9.9.8;
    transfer-source 10.9.9.8;
    allow-transfer { dnsservers; };
    …then our zones for internal view

internaldns acl is one that we specify servers inside our network.
dnsservers acl is one that specifies the primary internal facing IP of the master and the slave

view "external" {
    match-clients { any; };
    notify-source 10.9.9.9;
    transfer-source 10.0.9.9;
    allow-transfer { dswadnsalias; };
    …then our zones for external view

any allows external locations to query us (we have recursion turned off)
dswadnsalias acl is one that specifies the alias IPs on the same NIC as the internal facing IP of the master and the slave

The IPs above would be on the master – you’d have separate IPs (but the same ACLs) on the slave.



You can create an alias IP on your primary NIC so for example here we have:
eth1 = 10.9.9.8

eth1:1 = 10.0.9.9

(In our config eth0 is the one we use for external facing traffic – eth1 is used for internal including zone transfers)
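
Added example, not part of the original thread or of BIND itself: a small Python model of how named picks a view for an incoming transfer request (first view in configuration order whose match-clients matches the source address), showing why the per-view transfer-source must fall outside the internaldns ACL. The slave addresses and the ACL contents are constructed assumptions; only 10.9.9.8 and 10.9.9.9 come from the messages above.

```python
import ipaddress

def in_acl(ip, acl):
    """True if ip is covered by any entry of the ACL; 'any' matches everything."""
    addr = ipaddress.ip_address(ip)
    return any(e == "any" or addr in ipaddress.ip_network(e) for e in acl)

def select_view(views, src_ip):
    """First view, in configuration order, whose match-clients covers src_ip."""
    for view in views:
        if in_acl(src_ip, view["match_clients"]):
            return view
    return None

def transfer_result(views, src_ip):
    """(view name, allowed) for a zone transfer request arriving from src_ip."""
    view = select_view(views, src_ip)
    if view is None:
        return (None, False)
    return (view["name"], in_acl(src_ip, view["allow_transfer"]))

MASTER_PRIMARY, MASTER_ALIAS = "10.9.9.8", "10.9.9.9"    # from the thread
SLAVE_PRIMARY, SLAVE_ALIAS = "10.9.9.18", "10.9.9.19"    # constructed

def build_views(internaldns):
    """Master-side views in the order described above: internal first, then external."""
    return [
        {"name": "internal", "match_clients": internaldns,
         "allow_transfer": [MASTER_PRIMARY, SLAVE_PRIMARY]},   # dnsservers
        {"name": "external", "match_clients": ["any"],
         "allow_transfer": [MASTER_ALIAS, SLAVE_ALIAS]},       # dswadnsalias
    ]

# internaldns (constructed) lists entries that leave the alias IPs out.
good = build_views(["10.9.9.18/32", "10.9.8.0/24"])
# internaldns (constructed) is a broad subnet that also covers the alias IPs:
# the slave's external-view transfer lands in "internal" and is refused there.
bad = build_views(["10.9.9.0/24"])

if __name__ == "__main__":
    for label, views in (("narrow internaldns", good), ("broad internaldns", bad)):
        for src in (SLAVE_PRIMARY, SLAVE_ALIAS):
            print(label, src, transfer_result(views, src))
```

With the broad ACL the slave never receives the external copy of the zone, because its alias address is matched by the internal view before the external view is considered.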



