will wrote:
For bureaucratic reasons I cannot multi-home the slave name server;
however, I can multi-home the master name server.

I understand from reading 'DNS for Rocket Scientists' that when
using a 'view' statement to set up a split DNS to control visibility,
the slave servers for each zone will be resolved in the context
of the first view that they match, based on their IP address. However,
if I multi-home or 'alias' the IP address on the 'slave' NS we can get
the multiple views of the same zone.

Will the logic still work no matter whether the destination or source IP
addresses differ?

Can we multi-home the master name server instead, and the slaves still
get the multiple views (as long as the 'notify-source' is a different
IP address)?

As per the ARM, one can select views based on
a) source address ("match-clients" with address parameter(s)), and/or
b) destination address ("match-destinations" with address parameter(s)), and/or
c) TSIG key ("match-clients" or "match-destinations" with key parameter(s)), and/or
d) the setting of the RD (Recursion Desired) bit on the request ("match-recursive-only")

Since apparently you can't vary the source address of the slave's requests, and RD is irrelevant for zone transfers -- it's always off -- it seems that (b) and/or (c) are your remaining options.

Note that selecting views via TSIG keys also has the additional benefits of
(1) protecting against most forms of address spoofing, and
(2) greater flexibility in re-addressing nameservers

The main downside is that TSIG requires some extra up-front configuration, to generate and install the keys.

- Kevin
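As an added illustration of option (c) above, the following named.conf sketch is not configuration from this thread or from ISC; it shows a multi-homed master and a single-homed slave where each view is selected by TSIG key rather than by address, so the slave's fixed source address no longer matters. The addresses (RFC 5737 documentation ranges), key names, file paths and the zone name are assumed placeholders; the secrets are assumed to be generated with `tsig-keygen`, which ships with BIND 9, and the same key/secret pairs must be installed on both servers.

```conf
// ---- master (assumed address 192.0.2.1) ----
// Generate each secret with: tsig-keygen -a hmac-sha256 internal-key
key "internal-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";   // placeholder, one secret per key
};
key "external-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";   // placeholder
};

// Order matters: a request lands in the first view whose match-clients it
// satisfies. Excluding the other view's key (!key ...) keeps a request signed
// for one view from falling through into the other on an address match.
view "internal" {
    match-clients { key internal-key; !key external-key; 10.0.0.0/8; };
    // Sign NOTIFY and every other message sent to the slave from this view.
    server 198.51.100.2 { keys { internal-key; }; };
    zone "example.com" {
        type master;
        file "internal/example.com.db";
        allow-transfer { key internal-key; };   // transfers only with the right key
    };
};
view "external" {
    match-clients { key external-key; !key internal-key; any; };
    server 198.51.100.2 { keys { external-key; }; };
    zone "example.com" {
        type master;
        file "external/example.com.db";
        allow-transfer { key external-key; };
    };
};

// ---- slave (single address, assumed 198.51.100.2) ----
// Same two key statements as on the master go here (omitted for brevity).
view "internal" {
    match-clients { key internal-key; !key external-key; 10.0.0.0/8; };
    // Every SOA refresh query and AXFR/IXFR request to the master from this
    // view is signed with internal-key, so the master's match-clients places
    // it in its own "internal" view regardless of the slave's source address.
    server 192.0.2.1 { keys { internal-key; }; };
    zone "example.com" {
        type slave;
        file "internal/example.com.db";
        masters { 192.0.2.1; };
    };
};
view "external" {
    match-clients { key external-key; !key internal-key; any; };
    server 192.0.2.1 { keys { external-key; }; };
    zone "example.com" {
        type slave;
        file "external/example.com.db";
        masters { 192.0.2.1; };
    };
};
```

On the slave, a NOTIFY signed with `internal-key` is matched to the "internal" view by its key, so the refresh it triggers runs in that view and is in turn signed with the same key; unsigned client queries still fall to the address clauses (`10.0.0.0/8` or `any`) as before. TSIG validation depends on the two servers' clocks agreeing to within the signature's fudge window (five minutes by default), so clock synchronization is part of the "extra up-front configuration" Kevin mentions.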

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
