Bind 9 with Views: zone transfer refused from master to slave

Lightner, Jeffrey JLightner at dsservices.com
Wed Jul 3 20:04:02 UTC 2019


You have to use separate IPs for the separate views on the master and the slave.

Here we just put alias IPs on the primary interfaces and use those for the second view.


From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Roberto Carna
Sent: Wednesday, July 03, 2019 3:21 PM
To: ML BIND Users <bind-users at lists.isc.org>
Subject: Bind 9 with Views: zone transfer refused from master to slave

Hi people, I have master/slave Bind 9.10.3 servers configured with views and TSIG keys on Debian 9 hosts. But the transfer from master to slave is refused on the slave side; there is no descriptive error.

In both views I have delegated the same two zones, black.com and white.com, with different records according to the view.

Please, if I send my configuration, can you help me detect the failure in the zone transfer from master to slave? Thanks a lot in advance.

MASTER

named.conf:

key "rndc-key" {
        algorithm hmac-md5;
        secret "+PGWO1r5rrT8hcA47Anu0w==";
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
        directory "/var/cache/bind";
        also-notify { 10.0.0.2; };
        dnssec-validation no;
        dnssec-enable yes;
        auth-nxdomain no;
        allow-query { any; };
        notify explicit;
        recursion no;
        version "none";
};


named.conf.local:

key one {
     algorithm HMAC-MD5;
     secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
     algorithm HMAC-MD5;
     secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
     algorithm HMAC-MD5;
     secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
   match-clients { one; };
   server 10.0.0.2 { keys one; };
   recursion yes;
   allow-transfer { key one; };

zone "black.com." {
    type master;
    file "/etc/bind/zones/black.com.one.db";
    also-notify { 10.0.0.2 key one; };
};

zone "white.com" {
    type master;
    file "/etc/bind/zones/white.com.one.db";
    also-notify { 10.0.0.2 key one; };
};
};

view "two" {
    match-clients { two; };
    server 10.0.0.2 { keys two; };
    recursion yes;
    allow-transfer { key two; };

zone "black.com." {
    type master;
    file "/etc/bind/zones/black.com.two.db";
    also-notify { 10.0.0.2 key one; };
};

zone "white.com" {
    type master;
    file "/etc/bind/zones/white.com.two.db";
    also-notify { 10.0.0.2 key one; };
};
};


SLAVE

named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
        directory "/var/cache/bind";
        allow-transfer {"none";};
        dnssec-validation no;
        dnssec-enable yes;
        auth-nxdomain no;
        allow-query { any; };
        notify explicit;
        recursion no;
        version "none";
};


named.conf.local:

key one {
     algorithm HMAC-MD5;
     secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
     algorithm HMAC-MD5;
     secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
     algorithm HMAC-MD5;
     secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
   match-clients { one; };
   server 10.0.0.1 { keys one; };
   recursion yes;

zone "black.com" {
    type slave;
    masters { 10.0.0.1 key one; };
    file "/etc/bind/zones/black.com.one.db";
};

zone "white.com" {
    type slave;
    masters { 10.0.0.1 key one; };
    file "/etc/bind/zones/white.com.one.db";
};

};

view "two" {
    match-clients { two; };
    server 10.0.0.1 { keys two; };
    recursion yes;

zone "black.com" {
    type slave;
    masters { 10.0.0.1 key one; };
    file "/etc/bind/zones/black.com.two.db";
};

zone "white.com" {
    type slave;
    masters { 10.0.0.1 key one; };
    file "/etc/bind/zones/white.com.two.db";
};

};
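An added example, not part of the thread and not code from ISC or either poster: a small consistency checker for the view/TSIG setup discussed above. It encodes the rule BIND applies to every incoming request, including a slave's SOA/AXFR query and a master's NOTIFY: when a message is TSIG-signed, the `key` entries in the `match-clients` ACLs decide which view handles it. The checker parses condensed copies of the two named.conf.local files from the thread (secrets replaced with placeholders, the link debris removed; the copies are constructed here) and reports every zone whose `masters` or `also-notify` clause is signed with a key that selects a different view on the peer than the view the zone lives in. Function names such as `check_transfers` are this example's own.

```python
import re

# Constructed, condensed copies of the master's and slave's named.conf.local from the
# thread. Secrets are placeholders; the structure (keys, acls, views, zones) is as posted.
MASTER_CONF = """
key one { algorithm hmac-md5; secret "PLACEHOLDER-ONE"; };
key two { algorithm hmac-md5; secret "PLACEHOLDER-TWO"; };
key three { algorithm hmac-md5; secret "PLACEHOLDER-THREE"; };
acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };
view "one" {
  match-clients { one; };
  server 10.0.0.2 { keys one; };
  allow-transfer { key one; };
  zone "black.com." { type master; file "black.com.one.db"; also-notify { 10.0.0.2 key one; }; };
  zone "white.com" { type master; file "white.com.one.db"; also-notify { 10.0.0.2 key one; }; };
};
view "two" {
  match-clients { two; };
  server 10.0.0.2 { keys two; };
  allow-transfer { key two; };
  zone "black.com." { type master; file "black.com.two.db"; also-notify { 10.0.0.2 key one; }; };
  zone "white.com" { type master; file "white.com.two.db"; also-notify { 10.0.0.2 key one; }; };
};
"""

SLAVE_CONF = """
key one { algorithm hmac-md5; secret "PLACEHOLDER-ONE"; };
key two { algorithm hmac-md5; secret "PLACEHOLDER-TWO"; };
key three { algorithm hmac-md5; secret "PLACEHOLDER-THREE"; };
acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };
view "one" {
  match-clients { one; };
  server 10.0.0.1 { keys one; };
  zone "black.com" { type slave; masters { 10.0.0.1 key one; }; file "black.com.one.db"; };
  zone "white.com" { type slave; masters { 10.0.0.1 key one; }; file "white.com.one.db"; };
};
view "two" {
  match-clients { two; };
  server 10.0.0.1 { keys two; };
  zone "black.com" { type slave; masters { 10.0.0.1 key one; }; file "black.com.two.db"; };
  zone "white.com" { type slave; masters { 10.0.0.1 key one; }; file "white.com.two.db"; };
};
"""


def tokenize(text):
    """Split named.conf text into words, quoted strings, braces and semicolons."""
    return re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text)


def parse(tokens, i=0):
    """Return (statements, next index); each statement is (words, block-or-None)."""
    stmts, words = [], []
    while i < len(tokens):
        t = tokens[i]
        if t == '{':
            block, i = parse(tokens, i + 1)   # i now points past the matching '}'
            stmts.append((words, block))
            words = []
        elif t == '}':
            return stmts, i + 1
        elif t == ';':
            if words:
                stmts.append((words, None))
            words, i = [], i + 1
        else:
            words.append(t.strip('"'))
            i += 1
    return stmts, i


def find(body, name):
    """All statements in body whose first word is name."""
    return [(w, b) for w, b in body if w and w[0] == name]


def block_of(body, name):
    """The block of the first statement called name, or [] when absent."""
    hits = find(body, name)
    return hits[0][1] if hits else []


def clause_key(block):
    """TSIG key named in a clause like { 10.0.0.2 key one; }; None when unsigned."""
    for words, _ in block:
        if 'key' in words:
            return words[words.index('key') + 1]
    return None


def view_selectors(conf):
    """view name -> set of TSIG key names whose signature routes a request into that view."""
    acls = {w[1]: {s[1] for s, _ in b if s[0] == 'key'} for w, b in find(conf, 'acl')}
    selectors = {}
    for w, body in find(conf, 'view'):
        keys = set()
        for entry, _ in block_of(body, 'match-clients'):
            keys |= {entry[1]} if entry[0] == 'key' else acls.get(entry[0], set())
        selectors[w[1]] = keys
    return selectors


def view_for_key(selectors, key):
    """The view a request signed with key is classified into, or None."""
    return next((v for v, keys in selectors.items() if key in keys), None)


def check_transfers(master_text, slave_text):
    """Report zones whose transfer or NOTIFY is signed with a key selecting a different view."""
    master, slave = parse(tokenize(master_text))[0], parse(tokenize(slave_text))[0]
    m_sel, s_sel = view_selectors(master), view_selectors(slave)
    m_allowed = {w[1]: {s[1] for s, _ in block_of(b, 'allow-transfer') if s[0] == 'key'}
                 for w, b in find(master, 'view')}
    issues = []
    for vw, vbody in find(slave, 'view'):        # slave side: the 'masters' key signs the AXFR request
        for zw, zbody in find(vbody, 'zone'):
            key, zone = clause_key(block_of(zbody, 'masters')), zw[1].rstrip('.')
            target = view_for_key(m_sel, key)
            if target != vw[1]:
                issues.append(f"slave view {vw[1]} zone {zone}: masters key {key} selects master view {target}")
            elif key not in m_allowed.get(target, set()):
                issues.append(f"slave view {vw[1]} zone {zone}: key {key} not in master allow-transfer")
    for vw, vbody in find(master, 'view'):       # master side: the 'also-notify' key signs the NOTIFY
        for zw, zbody in find(vbody, 'zone'):
            key, zone = clause_key(block_of(zbody, 'also-notify')), zw[1].rstrip('.')
            target = view_for_key(s_sel, key)
            if target != vw[1]:
                issues.append(f"master view {vw[1]} zone {zone}: also-notify key {key} selects slave view {target}")
    return issues


if __name__ == '__main__':
    for line in check_transfers(MASTER_CONF, SLAVE_CONF):
        print(line)
```

Run against the thread's configuration the checker flags four lines, all in view "two": the slave's view "two" zones pull with `key one`, which the master's `acl one` maps to view "one", and the master's view "two" zones send NOTIFY with `key one`, which the slave maps to view "one" in the same way. Reading the view-selection rule this mechanically is a useful habit whenever views are keyed on TSIG, whether or not the deployment also separates the views by address as suggested above.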