<div dir="ltr">Thanks Bob, that is exactly what I ended up doing. And its working great now. You are also right about the view selection. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 26, 2016 at 3:43 PM, Bob Harold <span dir="ltr"><<a href="mailto:rharolde@umich.edu" target="_blank">rharolde@umich.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div><div data-smartmail="gmail_signature"><br></div></div><div class="gmail_quote"><span class="">On Thu, Aug 25, 2016 at 6:25 PM, project722 <span dir="ltr"><<a href="mailto:project722@gmail.com" target="_blank">project722@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Actually, I got to thinking about this. The "other_allowed_ns" ACL is in the global options, along with an "allow-transfer" for that ACL. So, I *think* they will still be able to zone transfer via the global option based on simply IP. BUT...since I have multiple views, which zones from which views get sent over to these servers and how will they know how to handle the info if zones from both views get sent. Would something like this help:<div><br></div><div>allow-transfer { other_allowed_ns; view "external"; };</div><div><br></div><div>So they only get sent the zones from the external view?</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 25, 2016 at 5:14 PM, project722 <span dir="ltr"><<a href="mailto:project722@gmail.com" target="_blank">project722@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span style="font-size:12.8px">I have successfully setup TSIG keys for "views" using a DNS master/server pair. Zone transfers are working as expected between the 2 servers for each view. Before we go live into production with this I need some clarification on a couple things. Our prod servers are also allowing zone transfers to a few other servers besides the slave server. We have an acl setup that looks similar to this:</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><div></div></div></div></blockquote></div></div></div></div></blockquote><div> </div></span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-size:12.8px"><div> {</div><div><div class="h5"><div>x.x.x.x; // This is our Secondary DNS server</div><div>127.0.0.1; // localhost can make zone transfers<br></div><div>x.x.x.x/24; // Server Farm Range is allowed to make zone-transfers</div><div>x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers</div><div>x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers</div><div>x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers</div><div>}; // end of "other_xfer_allowed" ACL<br></div></div></div></div><div><div class="h5"><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">And in the "allow transfer" statement we have included that ACL. My question is:</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Now that we are using TSIG, will I need to get with the admins of all these other servers and provide them my TSIG key so they can request zone transfers? I would think somehting like that needs to be done since it was required to be configured on slave server, but I am not sure. I'd rather do an IP based control just for these other servers instead of TSIG but I am not sure how that would look or how to set that up in the context of my config. How can I tell my conf to NOT force these other xfer allowed servers to use TSIG and use IP only? This gets complicated when you start throwing views into the mix. </div><div style="font-size:12.8px"><br></div><div><div><span style="font-size:12.8px">acl internal {</span></div><div><span style="font-size:12.8px"> <a href="http://192.168.200.0/24" target="_blank">192.168.200.0/24</a>; // corpnet</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> acl external {</span></div><div><span style="font-size:12.8px"> <a href="http://192.168.201.0/24" target="_blank">192.168.201.0/24</a>;</span></div><div><span style="font-size:12.8px"> <a href="http://192.168.202.0/24" target="_blank">192.168.202.0/24</a>;</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> </span></div><div><span style="font-size:12.8px"> </span><span style="font-size:12.8px">other_xfer_allowed_ns {</span></div><div style="font-size:12.8px"><div>x.x.x.x; // This is our Secondary DNS server</div><div>127.0.0.1; // localhost can make zone transfers<br></div><div>x.x.x.x/24; // Server Farm Range is allowed to make zone-transfers</div><div>x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers</div><div>x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers</div><div>x.x.x.x/24; // NAT pool for internal DNS server Zone Transfers</div><div>}; // end of "other_xfer_allowed" ACL<br></div><div><br></div></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> key "tsigkey" {</span></div><div><span style="font-size:12.8px"> algorithm HMAC-SHA512;</span></div><div><span style="font-size:12.8px"> secret "xxxxxxxxx";</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"> </span></div><div><span style="font-size:12.8px"> key "tsigkeyext" {</span></div><div><span style="font-size:12.8px"> algorithm HMAC-SHA512;</span></div><div><span style="font-size:12.8px"> secret "xxxxxxxxxx";</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> view "corpnet" {</span></div><div><span style="font-size:12.8px"> match-clients { internal; key tsigkey; </span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"> </span></div><div><span style="font-size:12.8px"> //IP of slave server</span></div><div><span style="font-size:12.8px"> server 192.168.173.78 {</span></div><div><span style="font-size:12.8px"> keys { tsigkey; };</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> also-notify {</span></div><div><span style="font-size:12.8px"> 192.168.173.78; </span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> zone "." IN {</span></div><div><span style="font-size:12.8px"> type hint;</span></div><div><span style="font-size:12.8px"> file "<a href="http://named.ca" target="_blank">named.ca</a>";</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> zone"<a href="http://internalzone1.com" target="_blank">internalzone1.com</a>" IN {</span></div><div><span style="font-size:12.8px"> type master;</span></div><div><span style="font-size:12.8px"> file "<a href="http://internalzone1.com" target="_blank">internalzone1.com</a>";</span></div><div><span style="font-size:12.8px"> allow-transfer { key tsigkey; };</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> zone"<a href="http://sharedzone.com" target="_blank">sharedzone.com</a>" IN {</span></div><div><span style="font-size:12.8px"> type master;</span></div><div><span style="font-size:12.8px"> file "<a href="http://sharedzone1.com" target="_blank">sharedzone1.com</a>";</span></div><div><span style="font-size:12.8px"> allow-transfer { key tsigkey; };</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> include "/etc/named.rfc1912.zones";</span></div><div><span style="font-size:12.8px"> include "/etc/named.root.key";</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> view "external" {</span></div><div><span style="font-size:12.8px"> match-clients { external; key tsigkeyext; };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> //IP of slave server</span></div><div><span style="font-size:12.8px"> server 192.168.173.78 {</span></div><div><span style="font-size:12.8px"> keys { tsigkeyext; };</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"> </span></div><div><span style="font-size:12.8px"> also-notify {</span></div><div><span style="font-size:12.8px"> 192.168.173.78; </span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> zone "." IN {</span></div><div><span style="font-size:12.8px"> type hint;</span></div><div><span style="font-size:12.8px"> file "<a href="http://named.ca" target="_blank">named.ca</a>";</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> zone"<a href="http://externalzone1.com" target="_blank">externalzone1.com</a>" IN {</span></div><div><span style="font-size:12.8px"> type master;</span></div><div><span style="font-size:12.8px"> file "externalzone1";</span></div><div><span style="font-size:12.8px"> allow-transfer { key tsigkeyext; };</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"> zone"<a href="http://sharedzone.com" target="_blank">sharedzone.com</a>" IN {</span></div><div><span style="font-size:12.8px"> type master;</span></div><div><span style="font-size:12.8px"> file "<a href="http://sharedzone2.com" target="_blank">sharedzone2.com</a>";</span></div><div><span style="font-size:12.8px"> allow-transfer { key tsigkeyext; };</span></div><div><span style="font-size:12.8px"> };</span></div><div><span style="font-size:12.8px"> include "/etc/named.rfc1912.zones";</span></div><div><span style="font-size:12.8px"> include "/etc/named.root.key";</span></div><div><span style="font-size:12.8px"> };</span></div><div style="font-size:12.8px"><br></div></div></div></div></div></blockquote></div></div></div></div></blockquote><div><br></div><div>"<span style="color:rgb(0,0,0);font-size:12.8px">allow-transfer { key tsigkeyext; };" means that the key </span> <span style="color:rgb(0,0,0);font-size:12.8px">tsigkeyext is the only way to transfer this zone.</span></div><div><span style="color:rgb(0,0,0);font-size:12.8px"><br></span></div><div><span style="color:rgb(0,0,0);font-size:12.8px">You define "</span><span style="color:rgb(80,0,80);font-size:12.8px">other_xfer_allowed_ns" but I do not see it used anywhere.</span></div><div><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div><span style="color:rgb(80,0,80);font-size:12.8px">Most likely what you want is:</span></div><div><font color="#500050"><span style="font-size:12.8px">allow-transfer { key tsigkeyext; </span></font><span style="color:rgb(80,0,80);font-size:12.8px">other_xfer_<wbr>allowed_ns; </span><span style="font-size:12.8px;color:rgb(80,0,80)">};</span></div></div>So that either the TSIG key can be used, or any of the IP's can transfer regardless of TSIG.</div><div class="gmail_extra">(I don't know of a way to restrict a transfer to a specific IP *and* require TSIG)</div><div class="gmail_extra"><br></div><div class="gmail_extra">As to which view they "see", the "<span style="color:rgb(80,0,80);font-size:12.8px">match-clients" determines that. They will only ever hit one view with a given request. So a transfer will only get the zone from that particular view.</span></div><div class="gmail_extra"><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div class="gmail_extra"><span style="color:rgb(80,0,80);font-size:12.8px">Hope that makes it clearer.</span></div><span class="HOEnZb"><font color="#888888"><div class="gmail_extra"><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div class="gmail_extra"><span style="color:rgb(80,0,80);font-size:12.8px">-- </span></div><div class="gmail_extra"><span style="color:rgb(80,0,80);font-size:12.8px">Bob Harold</span></div><div class="gmail_extra"><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div></font></span></div>
</blockquote></div><br></div>