On 05/09/2017 03:15 AM, Tony Finch wrote:
> The classic solution is to make one view a slave of the other. Configure
> the slave zone with `masters { localhost key my-tsig; };` and configure
> the master view with `match-clients { key my-tsig; };`.


OK, I think I've got this nailed down. I had to move the "public" view so that it was listed first in named.conf. That view previously had no match-clients setting, but now is set to "match-clients { key tsig-key; !localhost; 0.0.0.0/0; };" so that it allows access with the key but does not match localhost otherwise (which would result in refusing recursion), but does include the rest of the IPv4 space. The zone in the "local" view is now a slave with "masters { 127.0.0.1 key tsig-key; };".

Seems to work. Localhost can look up records in the zone as well as external records. External hosts can get records from the zone, but can't make recursive requests.

I'm happy that it's working, but it seems like it was fairly difficult to get right. Am I doing an unusual thing? Is it considered best-practice (or just normal) for authoritative servers to just not use the local server for resolution?

Thanks for your help!
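The two-view layout described in this message, written out as a named.conf fragment. This is an added example, not configuration from the original post or from ISC; the zone name example.com, the file paths, the directory, the key algorithm and the recursion settings per view are assumptions, and the key secret is a placeholder.

```conf
// named.conf fragment (added example): two views sharing one zone, with the
// "local" view a slave of the "public" view over TSIG-signed transfers on
// the loopback interface. Zone name, paths and secret are placeholders.

key "tsig-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // generate with tsig-keygen; never reuse a published value
};

options {
    directory "/var/named";                 // assumed path
    allow-transfer { none; };               // default: no transfers unless a zone allows them
};

// Views are tried in the order listed and the first match-clients hit wins,
// so "public" must come first: the slave's TSIG-signed SOA/AXFR traffic
// matches "key tsig-key" here, while unsigned localhost queries are
// excluded by "!localhost" and fall through to the "local" view below.
view "public" {
    match-clients { key tsig-key; !localhost; 0.0.0.0/0; };
    // 0.0.0.0/0 is IPv4 only; add ::/0 (or use "any") if named listens on IPv6.
    recursion no;                           // authoritative-only towards the outside

    zone "example.com" {                    // placeholder zone name
        type master;
        file "master/example.com.db";
        allow-transfer { key tsig-key; };   // only the signed slave may pull the zone
    };
};

view "local" {
    match-clients { localhost; };
    recursion yes;                          // resolver for processes on this host

    zone "example.com" {
        type slave;
        file "slaves/example.com.db";
        // Fetch the zone from this same server, signing with the key so the
        // request is routed to the "public" view rather than back here.
        masters { 127.0.0.1 key tsig-key; };
    };
};
```

Validate the syntax with `named-checkconf` before reloading. Because nothing here sends NOTIFY messages between the views, the "local" copy refreshes on the SOA refresh timer; `rndc zonestatus example.com in local` shows when the next refresh is due. On BIND 9.16 and later `masters` is still accepted but `primaries` is the preferred spelling.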


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users