Re: One zone in 2 views
On 27/09/13 03:02, Evan Hunt wrote:
> On Thu, Sep 26, 2013 at 06:37:30PM +1200, Michael Ludvig wrote:
>> 1) If I have different example.com in internal and external view on ns1
>> (master) can I mirror them both to ns2's internal and external views?
>> Right now I can only do the internal and have no idea how to mirror the
>> external to ns2. Is it possible at all?
> Yes. You set up a TSIG key for the purpose, and configure ns1 like this:
>
> view internal {
>     match-clients { !key ext-key; localhost; localnets; };
>     ...
> };
>
> view external {
>     match-clients { any; };
> };
> [...]

Excellent, thanks! This also solves my other problem - we update our internal zones using a DDNS script (https://github.com/mludvig/ddns-cli) but I had no idea how to update our external zones. Now I know - simply use a different key! So obvious ;)

Thanks again
Michael

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
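A fuller version of the layout Evan sketches, written out for both the master (ns1) and the slave (ns2), as an added example that is not part of Evan's or Michael's messages. The key names, the hmac-sha256 algorithm, the file paths, the addresses 192.0.2.1 (ns1) and 192.0.2.2 (ns2), the placeholder secrets and the extra "key int-key" element in the internal match list are all assumptions made here. The one thing to get right is the order of the match list: BIND address match lists are first-match, so the negated key has to come before localhost/localnets or a request signed with ext-key from an internal address would still land in the internal view.

```conf
// ===== /etc/bind/keys.conf, identical on ns1 and ns2 (mode 0640, root:bind).
// Generate each secret with tsig-keygen (ddns-confgen on older BIND 9);
// never use one key for both views, the key is what selects the view.
key "int-key" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET=="; };
key "ext-key" { algorithm hmac-sha256; secret "REPLACE-WITH-ANOTHER-SECRET=="; };

// ===== ns1 (master): /etc/bind/named.conf
include "/etc/bind/keys.conf";

view "internal" {
    // first match wins: a request signed with ext-key is rejected here and
    // falls through to "external" even when it comes from localnets, which
    // is where ns2 and the DDNS script both live
    match-clients { !key ext-key; key int-key; localhost; localnets; };
    zone "example.com" {
        type master;
        file "/etc/bind/internal/db.example.com";
        allow-transfer { key int-key; };
        allow-update   { key int-key; };           // ddns-cli signs with int-key
        also-notify    { 192.0.2.2 key int-key; }; // signed NOTIFY hits ns2's internal view
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "/etc/bind/external/db.example.com";
        allow-transfer { key ext-key; };
        allow-update   { key ext-key; };           // same script, other key
        also-notify    { 192.0.2.2 key ext-key; }; // signed NOTIFY hits ns2's external view
    };
};

// ===== ns2 (slave): /etc/bind/named.conf, same views and same first-match
// rule; each view pulls the zone from ns1 with the key that selects the
// corresponding view there.
include "/etc/bind/keys.conf";

view "internal" {
    match-clients { !key ext-key; key int-key; localhost; localnets; };
    zone "example.com" {
        type slave;
        file "/var/cache/bind/internal/db.example.com";
        masters { 192.0.2.1 key int-key; };
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type slave;
        file "/var/cache/bind/external/db.example.com";
        masters { 192.0.2.1 key ext-key; };
    };
};
```

To update the external zone from the same host, point the DDNS client at a file holding only the ext-key statement (nsupdate accepts that format with -k) and it will be routed to the external view by the key alone. Note that allow-update keyed on a TSIG secret is not address-restricted: anyone holding ext-key can modify the external zone from anywhere, so treat the secret like a password and consider update-policy rules to limit which names it may touch.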
Re: Synthesized CNAME from NXDOMAIN
In article , Casey Deccio wrote:
> On Thu, Oct 3, 2013 at 2:54 PM, Paul Wouters wrote:
>> You are why we can't have nice things :P
>>
>> We had enough Sitewinders. With DNSSEC on the endnode, your lies won't
>> be believed anyway. What you are trying is wrong, bad and broken.
>
> This might be a fair statement in the right context. But it was taken out
> of context--because I really didn't provide any. Not that I need to
> justify my question, but since you brought it up, what I am looking to do
> is decrease the risk of DNS resolution failures resulting from a namespace
> transition by creating a fallback from the old to the new namespace. For
> some definite period of time after the change, an NXDOMAIN in the old
> namespace would result in a synthesized CNAME pointing to the same name in
> the new namespace. Anyway, there might not be an easy way to do it, and
> we might just have to lose our safety net, but I wanted to ask users on the
> list if there's some obscure configuration that might be helpful.

Isn't this what DNAME is for?

-- 
Barry Margolin
Arlington, MA
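What a DNAME-based move looks like in a zone file, as an added example that is not part of Barry's or Casey's messages; example.com, the host names and the 192.0.2.0/24 addresses are placeholders. Two points worth checking before adopting it: DNAME rewrites the whole subtree below its owner unconditionally, so it is a wholesale redirect rather than the "serve old data if present, otherwise fall back" behaviour Casey describes (any data left under the old name is occluded and never served), and it is a standard, signable record, which is what makes it acceptable to DNSSEC validators where an ad hoc synthesized CNAME is not.

```zone
; Added example, not from the thread. Names and addresses are placeholders.
$ORIGIN example.com.
$TTL 3600
@         IN SOA   ns1 hostmaster ( 2013100401 3600 900 1209600 300 )
          IN NS    ns1
ns1       IN A     192.0.2.1

; the new namespace, where the data now lives
www.new   IN A     192.0.2.10
mail.new  IN A     192.0.2.11

; the old namespace: every name *below* old.example.com is rewritten to the
; same name below new.example.com. The owner itself is not rewritten, so
; old.example.com may keep its own records.
old       IN A     192.0.2.20
old       IN DNAME new

; Anything left under old.example.com is occluded by the DNAME and never
; served, so there is no "answer from old, fall back to new" with DNAME:
; www.old IN A     192.0.2.99      ; dead data, remove it

; Query:  www.old.example.com. A
; Answer: old.example.com.       DNAME  new.example.com.            (signed)
;         www.old.example.com.   CNAME  www.new.example.com.        (synthesized, unsigned)
;         www.new.example.com.   A      192.0.2.10
; A validating resolver checks the RRSIG on the DNAME and accepts the
; synthesized CNAME on its strength; the CNAME itself never carries one.
```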
Re: view
Thanks

On 10/03/2013 11:39 PM, Steven Carr wrote:
> So the reason it's failing is because you don't have a view configured for
> the zones contained in /etc/bind/named.conf.default-zones. If you
> implement views then all zones must be added to a view.
>
> Edit the /etc/bind/named.conf.default-zones file and insert in the view
> statements e.g. view "internal" { at the top of the file and an extra
> closing bracket at the bottom };
>
> Steve
>
> On 3 October 2013 22:06, Paweł Ch. wrote:
>> When I copy named.conf.default-zones inside the "dmz" view in
>> named.conf.local then named starts, but there is a problem with requests
>> for zones other than the ones this server is authoritative for:
>>
>> Served by:
>> - M.ROOT-SERVERS.NET
>> - A.ROOT-SERVERS.NET
>> .
>> .
>>
>> Is it OK?
>>
>> My conf files are:
>>
>> # cat named.conf
>> // This is the primary configuration file for the BIND DNS server named.
>> //
>> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
>> // structure of BIND configuration files in Debian, *BEFORE* you customize
>> // this configuration file.
>> //
>> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>>
>> --
>>
>> # cat named.conf.options
>> acl dmz {
>>     10.0.0.0/24;
>> };
>>
>> options {
>>     allow-query { any; };
>>     allow-query-cache { any; };
>>     directory "/var/cache/bind";
>>     notify no;
>>     recursion no;
>>
>>     // If there is a firewall between you and nameservers you want
>>     // to talk to, you may need to fix the firewall to allow multiple
>>     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>>
>>     // If your ISP provided one or more IP addresses for stable
>>     // nameservers, you probably want to use them as forwarders.
>>     // Uncomment the following block, and insert the addresses replacing
>>     // the all-0's placeholder.
>>
>>     // forwarders {
>>     //     0.0.0.0;
>>     // };
>>
>>     auth-nxdomain no;    # conform to RFC1035
>>     listen-on-v6 { any; };
>>
>>     rrset-order {
>>         class IN type A name "a" order fixed;
>>         class IN type A name "a" order fixed;
>>         class IN type A name "a" order fixed;
>>         class IN type A name "a" order fixed;
>>     };
>> };
>>
>> logging {
>>     channel update_debug {
>>         file "/var/log/update_debug.log" versions 3 size 100k;
>>         severity debug;
>>         print-severity yes;
>>         print-time yes;
>>     };
>>     channel security_info {
>>         file "/var/log/security_info.log" versions 1 size 100k;
>>         severity info;
>>         print-severity yes;
>>         print-time yes;
>>     };
>>     channel bind_log {
>>         file "/var/log/bind.log" versions 3 size 1m;
>>         severity info;
>>         print-category yes;
>>         print-severity yes;
>>         print-time yes;
>>     };
>>
>>     category default { bind_log; };
>>     category lame-servers { null; };
>>     category update { update_debug; };
>>     category update-security { update_debug; };
>>     category security { security_info; };
>> };
>>
>> --
>>
>> # cat named.conf.local
>> //
>> // Do any local configuration here
>> //
>>
>> // Consider adding the 1918 zones here, if they are not used in your
>> // organization
>> //include "/etc/bind/zones.rfc1918";
>>
>> view "dmz" {
>>     zone "a" {
>>         type master;
>>         file "/etc/bind/db.a";
>>         allow-query { any; };
>>         allow-transfer { a.a.a.a; a.a.a.a; };
>>     };
>>     .
>>     . output omitted
>>     .
>>     zone "a" {
>>         type master;
>>         file "/etc/bind/db.a";
>>         allow-query { any; };
>>         allow-transfer { a.a.a.a; a.a.a.a; };
>>     };
>> };
>>
>> --
>>
>> # cat named.conf.default-zones
>> // prime the server with knowledge of the root servers
>> zone "." {
>>     type hint;
>>     file "/etc/bind/db.root";
>> };
>>
>> // be authoritative for the localhost forward and reverse zones, and for
>> // broadcast zones as per RFC 1912
>>
>> zone "localhost" {
>>     type master;
>>     file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>>     type master;
>>     file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>>     type master;
>>     file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>>     type master;
>>     file "/etc/bind/db.255";
>> };
>>
>> On 3 October 2013 19:55, Steven Carr wrote:
>>> Please post your full named.conf config file (you can obfuscate any
>>> sensitive information).
>>>
>>> Steve
>>>
>>> On 3 October 2013 18:53, Paweł Ch. wrote:
>>>> Hi list,
>>>>
>>>> I have a problem with views in bind9 on Debian 6. I configured the
>>>> server like here https://wiki.debian.org/Bind9 and it works. Wh
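A named.conf.local that applies Steven's rule (once any view exists, every zone must live inside one, otherwise named refuses the config with "when using 'view' statements, all zones must be in views") to the files Paweł posted, as an added example that is neither Steven's nor Paweł's text. Zone "a", db.a and the a.a.a.a transfer addresses are the placeholders from the post; the second "public" view and everything in it are assumptions. Two things visible in the posted config are worth fixing at the same time: acl "dmz" is defined in named.conf.options but never referenced, and a view without match-clients matches every client, so "dmz" was never restricted to 10.0.0.0/24; and the "Served by: M.ROOT-SERVERS.NET ..." output is the expected result of a recursion-off server that still loads the "." hint zone, which answers queries outside its zones with a referral to the root servers instead of REFUSED.

```conf
// Added example, not from the thread. /etc/bind/named.conf.local; drop the
// include of named.conf.default-zones from named.conf, it is pulled into a
// view below instead.

// acl "dmz" { 10.0.0.0/24; } is already defined in named.conf.options,
// which named.conf includes before this file; do not define it twice.

view "dmz" {
    match-clients { dmz; };          // missing in the post: without it the view matches anyone
    // the Debian default zones (root hints, localhost, 127/0/255 reverse)
    // now sit inside a view; include works at any point in the config
    include "/etc/bind/named.conf.default-zones";

    zone "a" {
        type master;
        file "/etc/bind/db.a";
        allow-query { any; };
        allow-transfer { a.a.a.a; a.a.a.a; };
    };
};

view "public" {
    match-clients { any; };          // first match wins, so only non-DMZ clients get here
    recursion no;                    // already global in the post, repeated for clarity
    // deliberately no "." hint zone: with recursion off, a view that carries
    // the hints answers out-of-zone queries with a referral to the root
    // servers (the "Served by:" output); without the hints they get REFUSED
    zone "a" {
        type master;
        file "/etc/bind/db.a";
        allow-query { any; };
        allow-transfer { none; };    // transfers only from the DMZ view
    };
};
```

Run named-checkconf before restarting; it will report the duplicate acl or a zone left outside a view. The same zone file may back the "a" zone in both views here only because the zones are static; for a dynamic or DNSSEC-maintained zone, point each view at its own file (the journal problem discussed in the "moving DNSSEC to a hidden master" thread on this page).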
Re: moving DNSSEC to a hidden master
On 10/3/13 5:27 PM, Sten Carlsen wrote:
> This works for me and is the standard method:
>
> rndc freeze
> update serial
> rndc thaw

Bingo. Thanks!

dn

> Rndc freeze merges the .jnl files into the zone files and stops dynamic
> updates. Thaw allows dynamic updates to resume.
>
> On 04/10/13 02.12, David Newman wrote:
>> Thanks all for your responses.
>>
>> On 10/1/13 6:42 PM, Mark Andrews wrote:
>>> As Alan said copy the .key and .private files over.
>>>
>>> Disable updating on the old master.
>>>
>>> Transfer the zone contents by setting up as a slave
>>> using "masterfile-format text"; or by using dig.
>>> This will give you the most up to date version of the
>>> zone.
>>>
>>> dig axfr zone +onesoa @oldmaster
>>>
>>> Check that the new server is working
>> Converting the new secondary to a new master worked. But incrementing
>> the zone's serial number did not, producing an error after 'rndc reload'
>> like this:
>>
>> Oct 3 16:00:29 host named[35249]: malformed transaction:
>> dynamic/mydomain.com/mydomain.com.db.jnl last serial 2013092701 !=
>> transaction first serial 2013092700
>>
>>> and you can update
>>> the zone by using nsupdate.
>> Although the zone file lives under dynamic/mydomain.com so DNSSEC
>> updates can happen, I don't have dynamic updates configured, so nsupdate
>> won't work. This arrangement -- with static zone files under the dynamic
>> directory -- worked OK on the old master. Permissions are the same on both.
>>
>> This thread suggested the journal issue was separate views pointing to
>> the same zone file:
>>
>> https://lists.isc.org/pipermail/bind-users/2008-June/070807.html
>>
>> Indeed I had pointers to the same zone file in separate views, but
>> removing them and restarting named did not clear the issue. Now I have
>> the zone in just one view, and still can't manually increment the serial
>> number without that journal complaint.
>>
>> Thanks in advance for clues on resolving the journal version issue.
>>
>> dn
>>
>>> Convert the old master server into a slave.
>>>
>>> Update the other slaves to talk to a new master.
>>>
>
> -- 
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
>    "MALE BOVINE MANURE!!!"
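The freeze / bump serial / thaw cycle Sten describes, scripted so the zone cannot be left frozen, as an added example that is not part of Sten's or David's messages. Editing the file while named still holds a journal for it is what produces the "malformed transaction ... last serial != transaction first serial" error David quotes; freezing first makes named fold the .jnl into the file, and thawing reloads the file and resumes updates (and, with automatic signing, re-signs the new SOA). The zone name and path are the ones from David's post; the YYYYMMDDnn serial convention, the .bak copy and the named-checkzone gate are assumptions of this script, not anything the thread prescribes.

```shell
#!/bin/sh
# Added example, not from the thread. Zone name and path are David's; the
# serial convention, backup copy and named-checkzone gate are assumptions.

ZONE="mydomain.com"
ZONEFILE="/etc/bind/dynamic/mydomain.com/mydomain.com.db"

# get_serial FILE: print the SOA serial. Assumes the usual layout: comments
# after ';' and optional parentheses around the SOA fields.
get_serial() {
    sed -e 's/;.*//' -e 's/[()]/ /g' "$1" | tr '\n' ' ' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "SOA") { print $(i + 3); exit }   # SOA mname rname serial
        exit 1
    }'
}

# next_serial CURRENT TODAY(YYYYMMDD): TODAY01 when the date part of a
# date-style serial is behind the clock, otherwise CURRENT+1. Either way the
# result is strictly larger, and it must stay below 2^32 (serial arithmetic).
next_serial() {
    cur=$1; today=$2
    if [ "${#cur}" -eq 10 ] && [ "$(printf %s "$cur" | cut -c1-8)" -lt "$today" ]; then
        new="${today}01"
    else
        new=$((cur + 1))
    fi
    [ "$((new < 4294967296))" -eq 1 ] || return 1
    echo "$new"
}

# set_serial FILE OLD NEW: replace the first occurrence of OLD that stands
# alone as a number. Writes through the existing inode, so the ownership and
# mode named needs on a dynamic zone file are preserved.
set_serial() {
    file=$1; old=$2; new=$3
    tmp=$(mktemp) || return 1
    if awk -v o="$old" -v n="$new" '
        !done {
            pad = " " $0 " "                 # lets the number sit at either edge
            if (match(pad, "[^0-9]" o "[^0-9]")) {
                tail = substr(pad, RSTART + RLENGTH - 1, length(pad) - RSTART - RLENGTH + 1)
                $0 = substr(pad, 2, RSTART - 1) n tail
                done = 1
            }
        }
        { print }
        END { exit (done ? 0 : 1) }' "$file" > "$tmp"; then
        cat "$tmp" > "$file"; rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# edit_frozen ZONE FILE TODAY: the part that runs while the zone is frozen.
edit_frozen() {
    zone=$1; file=$2; today=$3
    old=$(get_serial "$file") || return 1
    new=$(next_serial "$old" "$today") || return 1
    cp -p "$file" "$file.bak" || return 1
    set_serial "$file" "$old" "$new" || return 1
    # never hand named a broken file: put the copy back instead
    if ! named-checkzone -q "$zone" "$file"; then
        cat "$file.bak" > "$file"
        return 1
    fi
    echo "$zone: serial $old -> $new"
}

# bump_zone ZONE FILE [TODAY]: freeze (named writes the .jnl into the file
# and stops accepting updates), edit, thaw (named reloads the file and
# resumes updates). The thaw is unconditional: a zone left frozen silently
# stops being re-signed, which is how RRSIGs end up expiring.
bump_zone() {
    zone=$1; file=$2; today=${3:-$(date +%Y%m%d)}
    rndc freeze "$zone" || return 1
    edit_frozen "$zone" "$file" "$today"; rc=$?
    rndc thaw "$zone" || rc=1
    return $rc
}

case $# in 2) bump_zone "$1" "$2" ;; esac
```

Run it as `sh bump-serial.sh mydomain.com /etc/bind/dynamic/mydomain.com/mydomain.com.db` from an account that may run rndc and write the zone directory; the pure functions (get_serial, next_serial, set_serial) can be exercised on a copy of the zone file without touching named.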
Re: weird performance BIND version 9.6
On 03.10.13 16:42, IT Support wrote:
> Hi Mathus, one thing more. I'm a little bit lost in bind9. Can you tell me
> in which one of those files the internal or external host is defined?

no. I would need to see those files to tell you where it is.
Simply check your named.conf and recursively all includes (I recommend you
not going more than one level of inclusion) for where the view definitions are.

> you said
>> Check their match-* directives, post them here if possible.

check all used files and view definitions for "match-" directives.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (in Slovak): I do NOT want to receive any advertising mail at this address.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them