On Dec 3, 10:00 pm, Kevin Darcy <[EMAIL PROTECTED]> wrote:
> will wrote:
> > For bureaucratic reasons I cannot multi-home the slave name server;
> > however, I can multi-home the master name server.
> >
> > I understand from reading 'DNS for Rocket Scientists' that when
> > using a 'view' statement to set up a split DNS to control visibility,
> > the slave servers for each zone will be resolved in the context
> > of the first view that it matches, based on its IP address. However,
> > if I multi-home or 'alias' the IP address on the 'slave' NS we can get
> > the multiple views of the same zone.
> >
> > Will the logic still work no matter if the destination or source IP
> > addresses differ?
> >
> > Can we multi-home the master name server instead, and the slaves still
> > get the multiple views (as long as the 'notify-source' is a different
> > IP address)?
>
> As per the ARM, one can select views based on
> a) source address ("match-clients" with address parameter(s)), and/or
> b) destination address ("match-destinations" with address parameter(s)), and/or
> c) TSIG key ("match-clients" or "match-destinations" with key parameter(s)), and/or
> d) the setting of the RD (Recursion Desired) bit on the request ("match-recursive-only")
>
> Since apparently you can't vary the source address of the slave's
> requests, and RD is irrelevant for zone transfers -- it's always off --
> it seems that (b) and/or (c) are your remaining options.
>
> Note that selecting views via TSIG keys also has the additional benefits of
> (1) protecting against most forms of address spoofing, and
> (2) greater flexibility in re-addressing nameservers
>
> The main downside is that TSIG requires some extra up-front
> configuration, to generate and install the keys.
>
> - Kevin
>
> _______________________________________________
> bind-users mailing list
> [EMAIL PROTECTED]
> https://lists.isc.org/mailman/listinfo/bind-users
Excellent, many thanks Kevin. The 'view' statement used with the TSIG clause and key parameters to implement the split DNS zone is a solution.

~Will~

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
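As an added example (not posted in the thread, and not ISC's own configuration), here is a named.conf sketch of the arrangement Will and Kevin settle on: the master is multi-homed, the slave keeps its single address, and on both sides the view is selected by TSIG key rather than by address, so one slave address can still carry both versions of the zone. Every address, key name, secret, file path and the zone name example.com are assumptions made for the example; the secrets are constructed placeholders and must be regenerated (for instance with tsig-keygen) before use.

```conf
// ---------- master: 192.0.2.10 (internal-facing), 192.0.2.11 (external-facing) ----------
// Keys referenced by match-clients must be defined at top level, because view
// selection happens before named knows which view the request belongs to.
// Secrets are constructed placeholders for this example; generate real ones with
//   tsig-keygen -a hmac-sha256 internal-xfer
key "internal-xfer" { algorithm hmac-sha256; secret "ZXhhbXBsZS1pbnRlcm5hbC1rZXk="; };
key "external-xfer" { algorithm hmac-sha256; secret "ZXhhbXBsZS1leHRlcm5hbC1rZXk="; };

view "internal" {
    // Order matters: a request signed with the internal key lands here whatever its
    // source address; one signed with the external key is pushed to the next view
    // even if it arrives from an internal address (this is the anti-spoofing point
    // Kevin makes); unsigned internal clients still match on address alone.
    match-clients { key "internal-xfer"; !key "external-xfer"; 10.0.0.0/8; };
    // Sign outgoing NOTIFYs to the slave with the same key, so the slave can pick
    // its view by key as well.
    server 192.0.2.20 { keys { "internal-xfer"; }; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        notify-source 192.0.2.10;
        also-notify { 192.0.2.20; };
        allow-transfer { key "internal-xfer"; };   // never by address alone
    };
};

view "external" {
    match-clients { key "external-xfer"; any; };
    server 192.0.2.20 { keys { "external-xfer"; }; };
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        notify-source 192.0.2.11;
        also-notify { 192.0.2.20; };
        allow-transfer { key "external-xfer"; };
    };
};

// ---------- slave: single address 192.0.2.20 ----------
key "internal-xfer" { algorithm hmac-sha256; secret "ZXhhbXBsZS1pbnRlcm5hbC1rZXk="; };
key "external-xfer" { algorithm hmac-sha256; secret "ZXhhbXBsZS1leHRlcm5hbC1rZXk="; };

view "internal" {
    // A NOTIFY signed with internal-xfer selects this view, which refreshes the
    // internal copy of the zone below.
    match-clients { key "internal-xfer"; !key "external-xfer"; 10.0.0.0/8; };
    zone "example.com" {
        type slave;
        file "slave/internal-example.com.zone";
        // The key on the masters entry signs the slave's SOA/AXFR/IXFR requests,
        // which is what selects the "internal" view on the master; the distinct
        // master address is a second, independent discriminator.
        masters { 192.0.2.10 key "internal-xfer"; };
    };
};

view "external" {
    match-clients { key "external-xfer"; any; };
    zone "example.com" {
        type slave;
        file "slave/external-example.com.zone";
        masters { 192.0.2.11 key "external-xfer"; };
    };
};
```

To check which view a transfer actually lands in, pull the zone from each master address with each key, e.g. dig @192.0.2.10 example.com AXFR -y hmac-sha256:internal-xfer:<secret>, and confirm the SOA serial and records differ from the run with the external key; on the slave, rndc retransfer example.com IN internal and rndc retransfer example.com IN external force each copy separately. Note that the shared secrets grant the holder a full copy of the corresponding zone, so keep the key statements in a separately permissioned include file rather than in a world-readable named.conf.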