inline-signing a zone that exists in two views

Gordon Messmer gordon.messmer at gmail.com
Tue May 9 23:42:24 UTC 2017


On 05/09/2017 03:15 AM, Tony Finch wrote:
> The classic solution is to make one view a slave of the other. Configure
> the slave zone with `masters { localhost key my-tsig; };` and configure
> the master view with `match-clients { key my-tsig; };`.


OK, I think I've got this nailed down.  I had to move the "public" view 
so that it was listed first in named.conf.  That view previously had no 
match-client setting, but now is set to "match-clients   { key tsig-key; 
!localhost; 0.0.0.0/0; };" so that it allows access with the key but 
does not match localhost otherwise (which would result in refusing 
recursion) but does include the rest of the IPv4 space.  The zone in the 
"local" view is now a slave with "masters { 127.0.0.1 key tsig-key; };"

Seems to work.  Localhost can look up records in the zone as well as 
external records.  External hosts can get records from the zone, but 
can't make recursive requests.

I'm happy that it's working, but it seems like it was fairly difficult 
to get right.  Am I doing an unusual thing?  Is it considered 
best-practice (or just normal) for authoritative servers to just not use 
the local server for resolution?

Thanks for your help!



More information about the bind-users mailing list