Bind 9 with Views: zone transfer refused from master to slave

Roberto Carna robertocarna36 at gmail.com
Wed Jul 3 19:20:39 UTC 2019


Hi people, I have master/slave BIND 9.10.3 servers configured with views
and TSIG keys, running on Debian 9. But the transfer from master to slave is
refused on the slave side, and there is no descriptive error.

In both views I have defined the same two zones, black.com and white.com,
with different records in each view.

If I send my configuration, can you please help me find the failure in
the zone transfer from master to slave? Thanks a lot in advance.

MASTER

named.conf:

// TSIG key used only for the rndc control channel (see the controls
// statement). NOTE(review): this secret has been posted to a public list;
// regenerate it (e.g. with rndc-confgen) before reusing this configuration.
key "rndc-key" {
    algorithm hmac-md5;
    secret "+PGWO1r5rrT8hcA47Anu0w==";
};

// rndc may connect only from the local host, and only when the request is
// signed with rndc-key.
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

// The rest of the configuration is split out: global options first, then the
// keys, acls and views.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
    directory "/var/cache/bind";

    // Authoritative-only at the global level; each view below turns
    // recursion back on for the clients it matches.
    recursion no;
    allow-query { any; };
    auth-nxdomain no;

    // Notifies go only to the explicit also-notify list. The zones inside
    // the views override this list with a TSIG-signed target.
    notify explicit;
    also-notify { 10.0.0.2; };

    dnssec-enable yes;
    dnssec-validation no;

    // Do not disclose the server version to version.bind queries.
    version "none";
};


named.conf.local:

// TSIG keys, one per view. The key a peer signs with is what selects its view
// (see the acl statements below), so each secret must be identical on the
// slave. Only "one" and "two" are referenced by the views shown here.
// NOTE(review): HMAC-MD5 is a legacy choice for TSIG; hmac-sha256 is the usual
// replacement. These secrets have been posted publicly and should be rotated
// on both servers at the same time.
key one {
    algorithm HMAC-MD5;
    secret "uohej/pa1oLBK4Cfhi3zAA==";
};
key two {
    algorithm HMAC-MD5;
    secret "HcKSpnKhqg/+KFvOg2uTag==";
};
key three {
    algorithm HMAC-MD5;
    secret "1JikGx1kdjq/cTCsi36/JQ==";
};

// View selection. The two servers (10.0.0.1 / 10.0.0.2) fall in none of the
// listed networks, so a request from the other server is placed in a view
// purely by the TSIG key it is signed with; the leading negations keep a
// request signed with another view's key out of this view.
acl one   { !key two; !key three; key one;   10.10.0.0/24; };
acl two   { !key one; !key three; key two;   10.10.1.0/24; };
acl three { !key one; !key two;   key three; 10.10.2.0/24; };

view "one" {
    match-clients { one; };
    recursion yes;

    // Everything sent to the slave for this view is signed with key one, and
    // only a key-one-signed client may pull these zones.
    server 10.0.0.2 { keys one; };
    allow-transfer { key one; };

    zone "black.com." {
        type master;
        file "/etc/bind/zones/black.com.one.db";
        also-notify { 10.0.0.2 key one; };
    };

    zone "white.com" {
        type master;
        file "/etc/bind/zones/white.com.one.db";
        also-notify { 10.0.0.2 key one; };
    };
};

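view "two" {
    match-clients { two; };
    recursion yes;

    // Everything exchanged with the slave on behalf of this view is signed
    // with key two. The slave maps key two to its own view "two" (its acl
    // "two" lists key two), so a notify signed with key one would be placed
    // in the slave's view "one" instead.
    server 10.0.0.2 { keys two; };
    allow-transfer { key two; };

    zone "black.com." {
        type master;
        file "/etc/bind/zones/black.com.two.db";
        also-notify { 10.0.0.2 key two; };   // was signed with key one
    };

    zone "white.com" {
        type master;
        file "/etc/bind/zones/white.com.two.db";
        also-notify { 10.0.0.2 key two; };   // was signed with key one
    };
};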


SLAVE

named.conf:

// Slave side: no controls statement here; the configuration is split the
// same way as on the master (global options, then keys, acls and views).
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
    directory "/var/cache/bind";

    recursion no;
    allow-query { any; };
    auth-nxdomain no;

    // Nothing may pull zones from this server; it only pulls from the master.
    allow-transfer {"none";};
    notify explicit;

    dnssec-enable yes;
    dnssec-validation no;

    // Do not disclose the server version to version.bind queries.
    version "none";
};


named.conf.local:

// Copies of the master's TSIG keys; the secrets must stay identical on both
// servers because the key a request is signed with selects the view on the
// peer. Only "one" and "two" are referenced by the views shown here.
// NOTE(review): HMAC-MD5 is a legacy choice for TSIG; hmac-sha256 is the usual
// replacement. These secrets have been posted publicly and should be rotated
// on both servers at the same time.
key one {
    algorithm HMAC-MD5;
    secret "uohej/pa1oLBK4Cfhi3zAA==";
};
key two {
    algorithm HMAC-MD5;
    secret "HcKSpnKhqg/+KFvOg2uTag==";
};
key three {
    algorithm HMAC-MD5;
    secret "1JikGx1kdjq/cTCsi36/JQ==";
};

// View selection, mirroring the master. A notify arriving from 10.0.0.1 is
// outside all three networks, so it lands in whichever view's key signed it;
// the negations prevent a key from matching more than one view.
acl one   { !key two; !key three; key one;   10.10.0.0/24; };
acl two   { !key one; !key three; key two;   10.10.1.0/24; };
acl three { !key one; !key two;   key three; 10.10.2.0/24; };

view "one" {
    match-clients { one; };
    recursion yes;

    // Queries to the master for this view are signed with key one; the zone
    // statements repeat the key on the masters entry.
    server 10.0.0.1 { keys one; };

    zone "black.com" {
        type slave;
        masters { 10.0.0.1 key one; };
        file "/etc/bind/zones/black.com.one.db";
    };

    zone "white.com" {
        type slave;
        masters { 10.0.0.1 key one; };
        file "/etc/bind/zones/white.com.one.db";
    };
};

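view "two" {
    match-clients { two; };
    recursion yes;
    server 10.0.0.1 { keys two; };

    // Refresh queries and transfer requests for this view must be signed
    // with key two. The master's acl "two" starts with !key one, so a
    // request signed with key one cannot reach the master's view "two" and
    // would instead be matched by its view "one" (whose acl lists key one),
    // i.e. this view would be served the other view's data.
    zone "black.com" {
        type slave;
        masters { 10.0.0.1 key two; };   // was signed with key one
        file "/etc/bind/zones/black.com.two.db";
    };

    zone "white.com" {
        type slave;
        masters { 10.0.0.1 key two; };   // was signed with key one
        file "/etc/bind/zones/white.com.two.db";
    };
};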

