How to do a zone transfer with dig when using bind views

binddigdomain-name-system

I have a bind cluster with private/public records stored in (2) views and configured with TSIG. Standard slave operation works but I'd like to use dig to transfer the zones for troubleshooting/testing.

Typically I'd use dig example.com @ns1.example.com -y tsig-key:SECRETCODE however this is denied as the key is only assigned to the view public.

Reproduce:
Attempt a dig axfr from a client in the internal view.

Transfer Fails:

dig AXFR example.com -y external:xxxxxxxx

Transfer Succeeds

dig AXFR example.com -y internal:xxxxxxxx

Best Answer

Simply set up an additional key for the internal view and configure bind to allow the key to act as a selector for a specific view:

key "external" {
  algorithm hmac-md5;
  secret "xxxxxxxx";
};
key "internal" {
  algorithm hmac-md5;
  secret "yyyyyyyy";
};
view "internal" {
  match-clients { key internal; 10.0.1/24; };
  server 10.0.1.1 {
    /* Deliver notify messages to external view. */
    keys { external; };
  };
  zone "example.com" {
    type master;
    file "internal/example.db";
    ...
  };
};
view "external" {
  match-clients { key external; any; };
  zone "example.com" {
    type master;
    file "external/example.db";
    ...
  };
};

Related Solutions

Linux – BIND9 recursion on slave servers for a delegated zone – not working

Of course you need to specify the delegated zone in named.conf, otherwise bind will think it is just a dotted record it should have, since it is authoritative for the pr.example.com zone.

What you want is something like this. In the master named.conf you specify a new zone (and accordingly a new zone in the slaves):

zone "delegated.pr.example.com." { type master; file [db.filename]; };

and the zone file should be:

delegated.pr.example.com. NS nsdelegated.pr.example.com. 
nsdelegated.pr.example.com. IN A 10.11.0.5 ; glue record

Now the main DNS server and its slaves know about the new zone and things should work.

==== EDIT

Mistake, the SOA record is not in ps.example.com but it is in the zone definition of delegated.pr.example.com. Fixed that.

Bind master/slave, with public and local views, after sync slaves share private on public

Assuming your address match lists are correct I would bet that your slaves are seeing the "local" view by default (the IP they use to query the master matches the "local" view's criteria), so when a zone change happens and they synchronize they pull the "inside" zone and serve it to the outside world.
If I'm right the pri/open-exodus.net.global.fw on your slaves will have "local" data in it.

Your best bet to fix this is to use the query-source directive in the views on your slaves to ensure that when they fetch zones they use an IP that will see the appropriate view...

Best Answer

Related Solutions

Linux – BIND9 recursion on slave servers for a delegated zone – not working

Bind master/slave, with public and local views, after sync slaves share private on public

Related Topic