On Thu, Nov 08, 2012 at 09:23:05AM +1100, Mark Andrews wrote:
> In message <509a8796.7060...@nryc.fr>, "Nicolas C." writes:
> > I have a dynamic zone on an external view, this zone is updated
> > with a TSIG key from outside of our network. There is a secondary
> > DNS server, also outside our network on which zone transfers are
> > working fine with no key.
> >
> > We would like to make one of our internal DNS secondary for this
> > zone and we have the "dynamic zone shared between views" problem.
> > I tried to follow the FAQ but no luck so far.
> >
> > I'm not sure that what I'm trying to do is possible, can someone
> > confirm this?
> >
> > Should I follow the FAQ and make my dynamic zone "master" on the
> > "internal" view? That makes less sense to us because these are
> > public zones, updated from the outside.
> >
> > This is my configuration:
> >
> > view "internal" {
> >     match-clients {
> >
> >         !key external;
> >         key shared;
> >
> >         <IPv4/IPv6 ranges including IPv4-of-my-DNS>
> >     };
> >
> >     zone "<my_zone>" {
> >         type slave;
> >         file "db.shared-int";
> >         masters { IPv4-of-my-DNS; };
>
> You need to force the internal zone to talk to the external zone.
>
>         masters { IPv4-of-my-DNS key external; };

Should not the master also have an "also-notify" to notify the
internal zone as well? Or the zone might contain a bogus
internal-only NS host, but that would seem less appropriate. If the
notify received is only for the external view, the internal view
will only update on elapsed SOA expire time.

> >         transfer-source IPv4-of-my-DNS;
> >     };
> > };
> >
> > view "external" {
> >
> >     match-clients { !key shared; any };
> >     allow-transfer { IPv4-of-my-DNS; };
> >     server IPv4-of-my-DNS; { keys { shared; }; };
> >
> >     zone "<my_zone>" {
> >         type master;
> >         file "db.shared-ext";
> >         notify yes;
> >         also-notify { IPv4-of-my-DNS; };
> >
> >         update-policy {
> >             grant another-key subdomain <my_zone> ANY;
> >             grant princi...@rea.lm subdomain <my_zone> ANY;
> >         };
> >     };
> >
> > When I reload the configuration or try to initiate a zone
> > transfer with dig and the "shared" key, I have this message
> > in the logs.
> >
> > zone <my_zone>/IN/internal: refresh: unexpected rcode (SERVFAIL)
> > from master IPv4-of-my-DNS#53 (source IPv4-of-my-DNS#0)

-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
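
Added example, not part of the original thread or of BIND itself: a simplified model of the first-match `match-clients` evaluation in the configuration quoted above, showing which view a request from the server's own address lands in when it is unsigned, signed with key `external`, or signed with key `shared`. The address 192.0.2.53 and the range 192.0.2.0/24 are constructed stand-ins for the elided values, and the model assumes any TSIG signature has already verified.

```python
import ipaddress

# Constructed stand-ins: the thread elides the real address and ranges.
SERVER_IP = "192.0.2.53"            # plays the role of IPv4-of-my-DNS
INTERNAL_NETS = ["192.0.2.0/24"]    # plays the role of the internal ranges

# Views in named.conf order; each match-clients list is evaluated top-down.
VIEWS = [
    ("internal", [("!key", "external"), ("key", "shared")]
                 + [("net", n) for n in INTERNAL_NETS]),
    ("external", [("!key", "shared"), ("any", None)]),
]

def acl_match(acl, src_ip, tsig_key):
    """First matching element decides; a negated match rejects the client."""
    addr = ipaddress.ip_address(src_ip)
    for kind, value in acl:
        if kind in ("key", "!key"):
            hit = tsig_key == value
        elif kind == "net":
            hit = addr in ipaddress.ip_network(value)
        else:  # "any"
            hit = True
        if hit:
            return not kind.startswith("!")
    return False

def select_view(src_ip, tsig_key=None):
    """Return the first view whose match-clients accepts the request."""
    for name, acl in VIEWS:
        if acl_match(acl, src_ip, tsig_key):
            return name
    return None

if __name__ == "__main__":
    cases = [
        ("refresh, unsigned (original masters line)", None),
        ("refresh, signed with key external", "external"),
        ("NOTIFY, signed with key shared", "shared"),
    ]
    for label, key in cases:
        print(f"{label:45} -> view {select_view(SERVER_IP, key)}")
```

The unsigned refresh is answered by the internal view, where the zone is only a slave that has not yet transferred, which is consistent with the SERVFAIL in the quoted log line.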