
bind, multiple views, slaves and ip alias



According to the bind9 FAQ, if I am using multiple views, I need to set
up ip aliasing to have a slave get updates from both views on the
master.

In my test environment, I have set up the master (OpenBSD 3.5) and the
slave (OpenBSD 3.6) with this in mind (and disabled pf), but only the
external (authoritative) view is getting updated.  tcpdump also shows
that the slave is sending all of its packets out of the same interface.

master ip:      192.168.5.2
master alias:   192.168.5.3

slave ip:       192.168.5.4
slave alias:    192.168.5.5

Here is the relevant section of the master:
acl clients {                // addresses the views below treat as "internal"
        192.168.1.0/24;
        192.168.5.0/24;      // also covers the master/slave addresses and both aliases listed above
        localnets;
        ::1;
};
...
view "internal" {            // internal view
        //match-clients { clients; };
        // negations are listed first so the alias addresses are excluded before
        // "clients" (which covers all of 192.168.5.0/24) can match them
        match-clients { !192.168.5.3; !192.168.5.5; clients; };
        // NOTE(review): with match-recursive-only yes this view only matches
        // queries that have RD set; the slave's SOA refresh checks and AXFR/IXFR
        // requests are normally sent without RD, so they may fall through to the
        // "authoritative" view below (the Refused answer for 168.192.in-addr.arpa
        // in the capture further down would be consistent with that) -- confirm
        match-recursive-only yes;

        // send internal zone transfers through this ip
        notify-source 192.168.5.2;
        transfer-source 192.168.5.2;
        query-source address 192.168.5.2;
...
        // add entries for other zones below here
        zone "example.com" {        // internal forward zone
                type master;
                file "master/db.example.com-internal";

                // internal slave
                // transfer restriction is by source address only (the slave's
                // primary address, not its 192.168.5.5 alias); a TSIG key, usable
                // in match-clients and allow-transfer, would tie the request to
                // this view independently of which source address the slave uses
                notify yes;
                allow-transfer { 192.168.5.4; };
                allow-update { none; };
        };

        zone "168.192.in-addr.arpa" { // internal reverse zone
                type master;
                file "master/db.168.192.rev";

                // internal slave (same address-only restriction as above)
                notify yes;
                allow-transfer { 192.168.5.4; };
                allow-update { none; };
        };      
};
view "authoritative" {          // external view
        recursion no;
        additional-from-auth no;
        additional-from-cache no;
        // catch-all: every query the internal view did not match lands here,
        // including any non-recursive query arriving from 192.168.5.4
        match-clients { any; };

        // external zone transfers through this ip
        notify-source 192.168.5.3;
        transfer-source 192.168.5.3;
        query-source address 192.168.5.3;

        zone "example.com" {        // external forward zone
                type master;
                file "master/db.example.com-external";

                // external slave
                // only the slave's alias may transfer; a request from the slave's
                // primary address 192.168.5.4 that lands in this view is refused
                notify yes;
                allow-transfer { 192.168.5.5; };
                allow-update { none; };
        };
        // reverse
        zone "74.37.65.in-addr.arpa" { // external reverse zone
                type master;
                file "master/db.74.37.65.rev";

                // external slave (same alias-only restriction as above)
                notify yes;
                allow-transfer { 192.168.5.5; };
                allow-update { none; };
        };
}; // end external view


and here is the relevant section of the slave:
acl clients {                // same "internal" address list as on the master
        192.168.1.0/24;
        192.168.5.0/24;      // includes the master's 192.168.5.2 and its 192.168.5.3 alias
        localnets;
        ::1;
};
...
view "internal" {            // internal view
        // mirrors the master: alias addresses excluded, then the clients acl
        match-clients { !192.168.5.3; !192.168.5.5; clients; };
        // NOTE(review): as on the master, this view only sees queries with RD set;
        // NOTIFY messages from the master are not recursive queries, so they may
        // be handled by the "authoritative" view below instead -- confirm
        match-recursive-only yes;

        // outbound SOA checks and transfer requests for this view use the primary address
        notify-source 192.168.5.4;
        transfer-source 192.168.5.4;
        query-source address 192.168.5.4;
        ...
                zone "example.com" {
                type slave;
                file "slave/db.example.com-internal";
                // NOTE(review): no allow-transfer on the slave zones; the default for
                // that option may permit transfers to any client this view matches --
                // confirm for the installed version
                masters { 192.168.5.2; };
        };

        zone "168.192.in-addr.arpa" { // internal reverse zone
                type slave;
                file "slave/db.168.192.rev";
                masters { 192.168.5.2; };
        };
};
view "authoritative" {          // external view
      recursion no;
      additional-from-auth no;
      additional-from-cache no;
      // catch-all for everything the internal view did not match
      match-clients { any; };

      // external zone transfers through this ip
      // this is the alias; the capture on the master shows only 192.168.5.4
      // as source, so it is worth confirming the alias is up and that the
      // SOA checks / AXFR for these zones were actually issued from this view
      notify-source 192.168.5.5;
      transfer-source 192.168.5.5;
      query-source address 192.168.5.5;

      zone "example.com" {        // external forward zone
              type slave;
              file "slave/db.example.com-external";
              // NOTE(review): no allow-transfer here either; see the note on the
              // internal view about the default for that option
              masters { 192.168.5.3; };
      };
      // reverse
      zone "74.37.65.in-addr.arpa" { // external reverse zone
              type slave;
              file "slave/db.74.37.65.rev";
              masters { 192.168.5.3; };
        };
}; // end external view

And 'tcpdump -n -i xl0 port 53' on master after sending HUP on the
slave:
22:45:47.198888 192.168.5.4.18946 > 192.168.5.2.53:  57948 SOA? example.com. (33)
22:45:47.199486 192.168.5.2.53 > 192.168.5.4.18946:  57948*- 1/1/1 SOA[|domain]
22:45:47.200001 192.168.5.4.21520 > 192.168.5.2.53: S 3246421156:3246421156(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 55329565 0>
22:45:47.200034 192.168.5.2.53 > 192.168.5.4.21520: S 4149297724:4149297724(0) ack 3246421157 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 540378408 55329565>
22:45:47.200131 192.168.5.4.21520 > 192.168.5.2.53: . ack 1 win 16384 <nop,nop,timestamp 55329565 540378408>
22:45:47.200180 192.168.5.4.21520 > 192.168.5.2.53: P 1:3(2) ack 1 win 16384 <nop,nop,timestamp 55329565 540378408>
22:45:47.399251 192.168.5.2.53 > 192.168.5.4.21520: . ack 3 win 17376 <nop,nop,timestamp 540378409 55329565>
22:45:47.399462 192.168.5.4.21520 > 192.168.5.2.53: P 3:36(33) ack 1 win 16384 <nop,nop,timestamp 55329566 540378409>
22:45:47.405189 192.168.5.2.53 > 192.168.5.4.21520: P 1:36(35) ack 36 win 17376 <nop,nop,timestamp 540378409 55329566>
22:45:47.405545 192.168.5.4.21520 > 192.168.5.2.53: F 36:36(0) ack 36 win 16384 <nop,nop,timestamp 55329566 540378409>
22:45:47.405599 192.168.5.2.53 > 192.168.5.4.21520: . ack 37 win 17376 <nop,nop,timestamp 540378409 55329566>
22:45:47.405665 192.168.5.2.53 > 192.168.5.4.21520: F 36:36(0) ack 37 win 17376 <nop,nop,timestamp 540378409 55329566>
22:45:47.405829 192.168.5.4.21520 > 192.168.5.2.53: . ack 37 win 16384 <nop,nop,timestamp 55329566 540378409>
22:45:47.707672 192.168.5.4.18946 > 192.168.5.2.53:  42373 SOA? 168.192.in-addr.arpa. (38)
22:45:47.708012 192.168.5.4.18946 > 192.168.5.2.53:  35964 SOA? 0.0.10.in-addr.arpa. (37)
22:45:47.708131 192.168.5.2.53 > 192.168.5.4.18946:  42373 Refused- 0/0/0 (38)
22:45:47.708189 192.168.5.2.53 > 192.168.5.4.18946:  35964 Refused- 0/0/0 (37)
22:45:47.708375 192.168.5.4.18946 > 192.168.5.2.53:  47431 SOA? sub.example.com. (37)
22:45:47.708496 192.168.5.2.53 > 192.168.5.4.18946:  47431 NXDomain*- 0/1/0 (88)

I *thought* I set up everything right, but bind just isn't sending
anything through the ip aliases I set up. Am I just doing something
stupid?

Thanks,
Jamie


