<div dir="ltr">Hi Jiaming.<div>The arguments to "also-notify {...};" are explicit IP addresses.</div><div><br></div><div>Why do you need it? Do you have some secondaries that are not listed as NS in zones?</div><div><br></div><div>Regarding views. Why would you have the same zone in an internal and external view? A few years ago, having to maintain multiple zones of the same name but different contents caused me problems daily. I would recommend having internal zones be proper delegations from external zones. e.g.:</div><div>external "<a href="http://example.com">example.com</a>"</div><div>internal "<a href="http://internal.example.com">internal.example.com</a>"</div><div><br></div><div>Cheers, Greg</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 17 Apr 2023 at 14:41, Jiaming Zhang <<a href="mailto:J.Zhang@yiximeta.com">J.Zhang@yiximeta.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div dir="ltr">
<div></div>
<div>
<div>
<div dir="ltr"><span id="m_-8442640279591798171ms-outlook-ios-cursor"></span>Dear Nick, </div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Thanks for the reply. What was already set that I didn't include in my first mail was that both views on both servers have
<code>match-clients</code> set (for internal set to "localhost" and "localnets", and for external set to "any"), so I'll add the keys also to the
<code>match-clients</code>. </div>
<div dir="ltr"><br>
</div>
<div dir="ltr">However, I have a question on the syntax of <code>also-notify</code>. From what I can see in bind9's user manual, the target of
<code>also-notify</code> can be <code>&lt;remote-servers&gt; | &lt;ipv4_address&gt; [ port &lt;integer&gt; ] | &lt;ipv6_address&gt; [ port &lt;integer&gt; ]</code>; does this mean that I can use domain names of the servers instead of IPs? Both name servers have IPv4 (single or multiple)
and IPv6 glued with the domain name, and I was wondering if, by setting a domain name instead of an IP, bind will intelligently find which IP it needs to communicate with (like it currently does with
<code>notify yes</code>). I asked because if by any chance, for whatever reason, sending a notify to a certain IP failed, it may look up any other available IP that is defined with the related domain name (at least from my observation).</div>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">I was also confused about what exactly you referred to with '"primaries" (or "masters" in old terminology) statement that includes the correct key name'. I assume you mean I need to point out, on the slave server, which is the master and the keys to communicate with this specific
master. For reference, I attached the related config on the slave below.</div>
<div dir="ltr"><br>
</div>
<pre>zone "example.com" IN {
    type slave;
    masters { &lt;ip of master&gt;; };
    file "/path/to/file";
    allow-query { any; };
    notify yes; # will become "explicit"
};</pre>
<div id="m_-8442640279591798171ms-outlook-mobile-signature">
<div><br>
</div>
<div dir="ltr">
<div style="direction:ltr" dir="auto">Kind regards, </div>
<div style="direction:ltr" dir="auto">Jiaming Zhang</div>
<div style="direction:ltr" dir="ltr"><br>
</div>
<div style="direction:ltr" dir="auto"><b>Yixi Meta</b></div>
<div style="direction:ltr;font-size:14px" dir="auto"><b>Tel: +31 (6) 12 98 08 07</b></div>
<div style="direction:ltr;font-size:14px" dir="auto"><b>Email: <a href="mailto:J.Zhang@yiximeta.com" target="_blank">J.Zhang@yiximeta.com</a></b></div>
<div style="direction:ltr;font-size:14px" dir="auto"><b>Website: <a href="http://yiximeta.com" target="_blank">yiximeta.com</a></b></div>
<div dir="auto" style="font-family:Arial,Helvetica,sans-serif;font-size:8pt"><i>The content of this message is intended solely for the addressee. No rights can be derived from this message or its attachments. If you are not the intended recipient, we kindly request you to delete the message and inform the sender. It is strictly prohibited to disclose, copy or distribute this email or the information inside it, without a written consent from the sender. Yixi Meta is registered with the Dutch Chamber of Commerce trade register with number 85744115.</i></div>
</div>
</div>
<div id="m_-8442640279591798171mail-editor-reference-message-container">
<hr style="display:inline-block;width:98%">
<div id="m_-8442640279591798171divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif"><b>From:</b> bind-users &lt;<a href="mailto:bind-users-bounces@lists.isc.org" target="_blank">bind-users-bounces@lists.isc.org</a>&gt; on behalf of Nick Tait via bind-users &lt;<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>&gt;<br>
<b>Sent:</b> Monday, April 17, 2023 1:03 PM<br>
<b>To:</b> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a> &lt;<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>&gt;<br>
<b>Subject:</b> Re: Best practice MultiView
<div> </div>
</font></div>
<p>Hi Jiaming.</p>
<p>You'll also need "match-clients" in the first view (at least), so that the correct view handles the zone transfer request. As well as specifying 'the right key' in match-clients, you'll probably also want to specify 'not the wrong key', otherwise you won't
be able to query the view from any clients (e.g. on your internal network) that don't present any key in their request...<br>
</p>
<p>I've taken your example, and changed the key names to "<a href="http://internal.example.com" target="_blank">internal.example.com</a>" and "<a href="http://external.example.com" target="_blank">external.example.com</a>" (for clarity), and added the match-clients to it as follows:</p>
<blockquote>
<pre>view "internal" {
    match-clients { key "internal.example.com"; !key "external.example.com"; internal-networks; };
    zone "example.com" IN {
        # some other config, master zone
        allow-transfer { key "internal.example.com"; };
        notify yes;
    };
    # some more zone
};
view "external" {
    match-clients { key "external.example.com"; !key "internal.example.com"; any; };
    zone "example.com" IN {
        # some other config, master zone
        allow-transfer { key "external.example.com"; };
        notify yes;
    };
};</pre>
</blockquote>
<p>Note that I've included "internal-networks" in the internal view. This is simply to illustrate that you might also want the view to answer DNS requests from clients within your network.<br>
</p>
<p>There is one further improvement on the above, which is what Mark referred to below, which is where each view can include the respective key in NOTIFY messages. To do that, change "notify yes" to "notify explicit" and then use "also-notify" to specify the
secondary servers along with the key to use. Applying this to the above you get something like:</p>
<blockquote>
<pre>view "internal" {
    match-clients { key "internal.example.com"; !key "external.example.com"; internal-networks; };
    zone "example.com" IN {
        # some other config, master zone
        allow-transfer { key "internal.example.com"; };
        notify explicit;
        also-notify { 192.0.2.1 key "internal.example.com"; };
    };
    # some more zone
};
view "external" {
    match-clients { key "external.example.com"; !key "internal.example.com"; any; };
    zone "example.com" IN {
        # some other config, master zone
        allow-transfer { key "external.example.com"; };
        notify explicit;
        also-notify { 192.0.2.1 key "external.example.com"; };
    };
};</pre>
</blockquote>
<p>The secondary server would need a similar match-clients set-up so that it associated the notify with the correct view (based on key). And as I'm sure you know it would also need a "primaries" (or "masters" in old terminology) statement that includes the
correct key name.<br>
</p>
<p>Nick.</p>
<p><br>
</p>
<div>On 17/04/23 22:12, Mark Andrews wrote:<br>
</div>
<blockquote type="cite">
<pre>You use keys as well when sending notify to select which view processes the notify
</pre>
<blockquote type="cite">
<pre>On 17 Apr 2023, at 18:44, Jiaming Zhang <a href="mailto:J.Zhang@yiximeta.com" target="_blank">&lt;J.Zhang@yiximeta.com&gt;</a> wrote:
Dear community,
I was wondering if notifying and updating zones in different views (say "internal" and "external") between bind servers via different keys is a good practice. I have a sample zone/config like below:
```
view "internal" {
    zone "example.com" IN {
        # some other config, master zone
        allow-transfer { key key1; };
        notify yes;
    };
    # some more zone
};
view "external" {
    zone "example.com" IN {
        # some other config, master zone
        allow-transfer { key key2; };
        notify yes;
    };
};
```
where both zones have the same name servers (e.g. `<a href="http://ns1.example.com" target="_blank">ns1.example.com</a>` and `<a href="http://ns2.example.com" target="_blank">ns2.example.com</a>`). What I'm trying to achieve is that an update on zones in the "internal" view does not contaminate zones in the "external" view, or vice versa. I was wondering if using different keys to limit updates is a good practice, since I'm expecting the "external" view on the slave server will also receive a notify upon an update on the "internal" zone at the master, but just be unable to query the update due to an incorrect key.
Kind Regards,
Jiaming Zhang
Yixi Meta
Tel: +31 (6) 12 98 08 07
Email: <a href="mailto:J.Zhang@yiximeta.com" target="_blank">J.Zhang@yiximeta.com</a>
Website: <a href="http://yiximeta.com" target="_blank">yiximeta.com</a>
--
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank">https://www.isc.org/contact/</a> for more information.
bind-users mailing list
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote></div>
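<p>The secondary-side set-up described in the thread (per-view <code>match-clients</code> selected by TSIG key, plus a <code>primaries</code> statement carrying the matching key), written out as an added example that is not from any of the posters. The primary address 192.0.2.53, the file paths, the contents of the <code>internal-networks</code> ACL and the key secrets are placeholders assumed for illustration.</p>

```conf
# Secondary-side named.conf fragment (added example; all values are placeholders).
# Key names match the ones used on the primary. A secret can be generated with
#   tsig-keygen -a hmac-sha256 internal.example.com
key "internal.example.com" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-INTERNAL-SECRET";   # must equal the primary's secret
};
key "external.example.com" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-EXTERNAL-SECRET";   # must equal the primary's secret
};

# Assumed definition; the thread uses "localhost" and "localnets" for internal.
acl internal-networks { localhost; localnets; };

view "internal" {
    # Elements are tried in order and the first match decides. A NOTIFY signed
    # with the external key hits the negated element and is refused by this
    # view even when the primary's address is inside internal-networks.
    match-clients { key "internal.example.com"; !key "external.example.com"; internal-networks; };
    zone "example.com" IN {
        type secondary;                     # "slave" in old terminology
        # Transfer requests are signed with this key, so the primary's
        # "internal" view answers them. 192.0.2.53 is an assumed address.
        primaries { 192.0.2.53 key "internal.example.com"; };
        file "secondary/internal/example.com.db";   # separate file per view
    };
};

view "external" {
    match-clients { key "external.example.com"; !key "internal.example.com"; any; };
    zone "example.com" IN {
        type secondary;
        primaries { 192.0.2.53 key "external.example.com"; };
        file "secondary/external/example.com.db";   # separate file per view
    };
};
```

<p>Once real secrets are in place, <code>named-checkconf</code> reports syntax errors in the file before <code>named</code> is reloaded.</p>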