Bind 9 with Views: zone transfer refused from master to slave
Roberto Carna
robertocarna36 at gmail.com
Wed Jul 3 19:20:39 UTC 2019
Hi people, I have master/slave BIND 9.10.3 servers configured with views
and TSIG keys on a Debian 9 host. But the transfer from master to slave is
refused on the slave side, and there is no descriptive error.
In both views I have defined the same two zones, black.com and white.com,
with different records depending on the view.
If I send my configuration, can you help me find the failure in
the zone transfer from master to slave? Thanks a lot in advance.
MASTER
named.conf:
// Control-channel key used by rndc; referenced by the controls statement below.
// NOTE(review): this secret has been posted to a public list — regenerate it
// before relying on it. hmac-md5 is deprecated for TSIG; hmac-sha256 is the
// usual replacement.
key "rndc-key" {
algorithm hmac-md5;
secret "+PGWO1r5rrT8hcA47Anu0w==";
};
// rndc control channel: listens on loopback only and accepts only clients
// matching "localhost" that present rndc-key.
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
// Global options first, then the keys/ACLs/views defined in named.conf.local
// (order matters: the views reference the keys and ACLs declared there).
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
named.conf.options:
// Master-side global options. Anything set again inside a view or zone
// (recursion, also-notify) overrides the value given here.
options {
directory "/var/cache/bind";
// Unsigned default notify target; the per-zone also-notify statements in
// the views (which carry a TSIG key) override this for every zone below.
also-notify { 10.0.0.2; };
// Validation is off; dnssec-enable only controls serving DNSSEC records.
dnssec-validation no;
dnssec-enable yes;
auth-nxdomain no;
allow-query { any; };
// NOTIFY goes only to also-notify targets, not to the zone's NS records.
notify explicit;
// Overridden by "recursion yes" in each view.
recursion no;
version "none";
};
named.conf.local:
// TSIG key for view "one"; the same key must be defined on the slave.
// NOTE(review): secret is now public (posted to a list) — regenerate it.
// hmac-sha256 is the recommended replacement for HMAC-MD5.
key one {
algorithm HMAC-MD5;
secret "uohej/pa1oLBK4Cfhi3zAA==";
};
// TSIG key for view "two"; must match the slave's definition.
// NOTE(review): secret is now public (posted to a list) — regenerate it.
key two {
algorithm HMAC-MD5;
secret "HcKSpnKhqg/+KFvOg2uTag==";
};
// TSIG key referenced only by acl three; no view on this page uses acl three.
// NOTE(review): secret is now public (posted to a list) — regenerate it.
key three {
algorithm HMAC-MD5;
secret "1JikGx1kdjq/cTCsi36/JQ==";
};
// View selector: requests signed with key one (explicitly not two/three) or
// from 10.10.0.0/24. The slave 10.0.0.2 is in none of the address ranges,
// so only TSIG-signed traffic from it can match a view at all.
acl one { !key two; !key three; key one; 10.10.0.0/24; };
// View selector: requests signed with key two, or from 10.10.1.0/24.
acl two { !key one; !key three; key two; 10.10.1.0/24; };
// Defined but not referenced by any view shown here.
acl three { !key one; !key two; key three; 10.10.2.0/24; };
// View "one": selected by acl one. Every statement here consistently uses
// key one, so the slave's acl one routes this view's NOTIFYs into its own
// view "one".
view "one" {
match-clients { one; };
// Sign all outgoing traffic to the slave with key one.
server 10.0.0.2 { keys one; };
recursion yes;
// Only transfer requests signed with key one are served from this view.
allow-transfer { key one; };
zone "black.com." {
type master;
file "/etc/bind/zones/black.com.one.db";
also-notify { 10.0.0.2 key one; };
};
zone "white.com" {
type master;
file "/etc/bind/zones/white.com.one.db";
also-notify { 10.0.0.2 key one; };
};
};
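// View "two": selected by acl two. Everything this view sends to the slave
// must be signed with key two so that the slave's acl two routes it into its
// own view "two".
view "two" {
match-clients { two; };
// Sign all outgoing traffic to the slave with key two.
server 10.0.0.2 { keys two; };
recursion yes;
// Only transfer requests signed with key two are served from this view.
allow-transfer { key two; };
zone "black.com." {
type master;
file "/etc/bind/zones/black.com.two.db";
// Fixed: was "key one". A NOTIFY signed with key one is matched by the
// slave's acl one and lands in its view "one", so the slave's view "two"
// was never notified about this view's copy of the zone.
also-notify { 10.0.0.2 key two; };
};
zone "white.com" {
type master;
file "/etc/bind/zones/white.com.two.db";
// Fixed: was "key one" (same issue as black.com above).
also-notify { 10.0.0.2 key two; };
};
};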
SLAVE
named.conf:
// Slave named.conf: no controls/rndc key here, only the two includes.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
named.conf.options:
// Slave-side global options.
options {
directory "/var/cache/bind";
// The slave serves transfers to nobody; none of the views below override
// this, so it applies to every zone.
allow-transfer {"none";};
dnssec-validation no;
dnssec-enable yes;
auth-nxdomain no;
allow-query { any; };
notify explicit;
// Overridden by "recursion yes" in each view.
recursion no;
version "none";
};
named.conf.local:
// Same key one as on the master; the two definitions must stay identical.
// NOTE(review): secret is now public (posted to a list) — regenerate it.
key one {
algorithm HMAC-MD5;
secret "uohej/pa1oLBK4Cfhi3zAA==";
};
// Same key two as on the master.
// NOTE(review): secret is now public (posted to a list) — regenerate it.
key two {
algorithm HMAC-MD5;
secret "HcKSpnKhqg/+KFvOg2uTag==";
};
// Referenced only by acl three, which no view on this page uses.
// NOTE(review): secret is now public (posted to a list) — regenerate it.
key three {
algorithm HMAC-MD5;
secret "1JikGx1kdjq/cTCsi36/JQ==";
};
// View selector on the slave: a NOTIFY from the master signed with key one
// is routed into view "one" by this ACL. The master 10.0.0.1 is in none of
// the address ranges, so unsigned traffic from it matches no view.
acl one { !key two; !key three; key one; 10.10.0.0/24; };
// View selector: NOTIFYs signed with key two go to view "two".
acl two { !key one; !key three; key two; 10.10.1.0/24; };
// Defined but not referenced by any view shown here.
acl three { !key one; !key two; key three; 10.10.2.0/24; };
// Slave view "one": consistently uses key one, so its SOA refresh and AXFR
// requests are matched into the master's view "one" by the master's acl one.
view "one" {
match-clients { one; };
server 10.0.0.1 { keys one; };
recursion yes;
zone "black.com" {
type slave;
// The key given here signs the refresh queries and transfer requests.
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/black.com.one.db";
};
zone "white.com" {
type slave;
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/white.com.one.db";
};
};
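// Slave view "two": must use key two throughout so that its refresh and
// transfer requests are matched into the master's view "two" by acl two.
view "two" {
match-clients { two; };
// Sign all outgoing traffic to the master with key two.
server 10.0.0.1 { keys two; };
recursion yes;
zone "black.com" {
type slave;
// Fixed: was "key one", which disagreed with the server statement above.
// A transfer request signed with key one is matched by the master's acl one
// and answered from its view "one", so this view would have loaded view
// one's data into the view-two zone file instead of its own copy. This key
// mismatch is the likely source of the reported transfer failure.
masters { 10.0.0.1 key two; };
file "/etc/bind/zones/black.com.two.db";
};
zone "white.com" {
type slave;
// Fixed: was "key one" (same issue as black.com above).
masters { 10.0.0.1 key two; };
file "/etc/bind/zones/white.com.two.db";
};
};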