
multiple internal views not working


Paul Krash

Nov 2, 2009, 9:57:40 AM
to bind-...@lists.isc.org
Morning!

I have been struggling with getting two internal views to work on three
BIND servers running on Ubuntu Linux 8.04.2 x64
( kernel 2.6.24-23-server ) for two straight working days
(OK, I have other projects too. :-)

Scope: present different CNAMES and A records to one subnet
(10.x.D.0/24) and another for all remaining (10.x.0.0/16)

This will allow my .5 subnet to automount NFS via UDP
without jiggering the network infrastructure (routers and switches).
NFS and NIS servers are homed on multiple networks
(.A.x/24, .B.x/24, .D.x/24)

Any suggestions or help would be greatly appreciated (virtual beer and
libations are on the way) in finding a working config example.

I have read the ARMs, searched Google and communities, no joy.

I apologize in advance if there is a well known fount of this knowledge,
you know how it is, being a sys/sec/net admin at a dynamically changing
technology company :-)

Best,

Paul Krash
Sys/Sec/Net Administrator
Exegy, Inc.
pkr...@exegy.com

This e-mail and any documents accompanying it may contain legally privileged and/or confidential information belonging to Exegy, Inc. Such information may be protected from disclosure by law. The information is intended for use by only the addressee. If you are not the intended recipient, you are hereby notified that any disclosure or use of the information is strictly prohibited. If you have received this e-mail in error, please immediately contact the sender by e-mail or phone regarding instructions for return or destruction and do not use or disclose the content to others.

Jeremy C. Reed

Nov 2, 2009, 10:09:50 AM
to Paul Krash, bind-...@lists.isc.org
It may be useful for you to show us what you tried (configurations and
that it is restarted), how you tested, and any network traces and log
files showing that it is not working.

Krash, Paul

Nov 2, 2009, 10:59:06 AM
to jr...@isc.org, bind-...@lists.isc.org

Agreed. Will do. As time permits today. Thank you for your help!
Paul Krash from mobile +01.314.283.4942

Kevin Darcy

Nov 2, 2009, 2:17:32 PM
to bind-...@lists.isc.org
If you control all of the resolvers in this scenario, and the clients
aren't doing their own caching-and-reordering-of-responses, you might
consider using sortlists and round-robins instead of views. That would
get you out of having to maintain the same zones in parallel.

Note that if the clients are recent Wintel they *already* perform
sortlisting automatically, for addresses on their own subnets. It's
built into the network stack. http://support.microsoft.com/kb/182644/EN-US/

- Kevin

P.S. Why would the CNAMEs need to be differentiated? Surely only the A
records would vary, and the CNAMEs could stay the same (?)

Paul Krash wrote:
> Morning!
>
> I have been struggling with getting two internal views to work on
> three BIND servers running on Ubuntu Linux 8.04.2 x64
> ( kernel 2.6.24-23-server ) for two straight working days
> (OK, I have other projects too. :-)
>
> Scope: present different CNAMES and A records to one subnet
> (10.x.D.0/24) and another for all remaining (10.x.0.0/16)
>
> This will allow my .5 subnet to automount NFS via UDP
> without jiggering the network infrastructure (routers and switches).
> NFS and NIS servers are homed on multiple networks
> (.A.x/24, .B.x/24, .D.x/24)
>
> Any suggestions or help would be greatly appreciated (virtual beer and
> libations are on the way) in finding a working config example.
>
> I have read the ARMs, searched Google and communities, no joy.
>
> I apologize in advance if there is a well known fount of this knowledge,
> you know how it is, being a sys/sec/net admin at a dynamically
> changing technology company :-)
>
> Best,
>
> Paul Krash
> Sys/Sec/Net Administrator
> Exegy, Inc.
> pkr...@exegy.com
>


Paul Krash

Nov 2, 2009, 3:43:26 PM
to bind-...@lists.isc.org, Jeremy C. Reed
Jeremy C. Reed wrote:
> It may be useful for you to show us what you tried (configurations and
> that it is restarted), how you tested, and any network traces and log
> files showing that it is not working.

All, the 'dot5' view works great. The 'internal' view does not serve.
If I reverse the view order in named.local.conf, the first view gets
served, any views following do not.

I have incremented the files and restarted the daemon. No joy.

Thanks again!

PKrash

from the daemon.log :

Nov 2 14:38:25 bind named[22011]: client 10.x.5.25#45709: view dot5: query: code.fckd.net IN A +
Nov 2 14:38:36 bind named[22011]: client 10.x.5.25#48023: view dot5: query: home.fckd.net IN A +
Nov 2 14:39:38 bind named[22011]: client 10.x.4.123#54159: view internal: query: code.fckd.net IN A +
Nov 2 14:39:38 bind named[22011]: client 10.x.4.123#36511: view internal: query: code.fckd.net IN A +
Nov 2 14:39:38 bind named[22011]: client 10.x.4.123#37112: view internal: query: code IN A +


named.local.conf :

________________________________________________________________________________________________________________
> root@bind:/etc/bind# cat named.conf.local
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> view dot5 {
> match-clients {
> 10.x.5.0/24;
> };
> zone "5.x.10.in-addr.arpa" {
> type master;
> file "/etc/bind/10.x.5.default.rev";
> };
> zone "eng.exegy.net" {
> type master;
> file "/etc/bind/fckd.net.default.dot5";
> notify yes;
> also-notify {
> 10.x.1.32;
> };
> };
> };
>
> view internal {
>
> zone "eng.exegy.net" {
> type master;
> file "/etc/bind/fckd.net.default.hosts";
> notify yes;
> also-notify {
> 10.x.1.32;
> };
> };
>
>
> zone "0.x.10.in-addr.arpa" {
> type master;
> file "/etc/bind/10.x.0.default.rev";
> notify yes;
> also-notify {
> 10.x.1.32;
> };
> };
> zone "1.x.10.in-addr.arpa" {
> type master;
> file "/etc/bind/10.x.1.default.rev";
> notify yes;
> also-notify {
> 10.x.1.32;
> };
> };
> zone "2.x.10.in-addr.arpa" {
> type master;
> file "/etc/bind/10.x.2.default.rev";
> notify yes;
> also-notify {
> 10.x.1.32;
> };
> };
> zone "3.x.10.in-addr.arpa" {
> type master;
> file "/etc/bind/10.x.3.default.rev";
> notify yes;
> also-notify {
> 10.x.1.32;
> };
> };
> zone "4.x.10.in-addr.arpa" {
> type master;
> file "/etc/bind/10.x.4.default.rev";
> notify yes;
> also-notify {
> 10.x.1.32;
> };
> };
> zone "6.x.10.in-addr.arpa" {
> type master;
> file "/etc/bind/10.x.6.default.rev";
> notify yes;
> also-notify {
> 10.x.1.32;
> };
> };
> zone "7.x.10.in-addr.arpa" {
> type master;
> file "/etc/bind/10.x.7.default.rev";
> notify yes;
> also-notify {
> 10.x.1.32;
> };
> };
> zone "8.x.10.in-addr.arpa" {
> type master;
> file "/etc/bind/10.x.8.rev";
> };
> };


fckd.net.default.dot5 :
____________________________________________________________________________________________________________________

Jeremy C. Reed

Nov 2, 2009, 3:57:54 PM
to Paul Krash, bind-...@lists.isc.org
On Mon, 2 Nov 2009, Paul Krash wrote:

> > view internal {
> >
> > zone "eng.exegy.net" {

Do you have anything to match here? By default, match-clients and
match-destinations default to matching all addresses (even not
"internal"). So when you reversed, the other view (dot5) would never
match and wouldn't work.

Kevin Darcy

Nov 2, 2009, 4:03:59 PM
to bind-...@lists.isc.org
Confused. Looks like the clients are matching the correct view, but
"fckd.net" is not defined in either view, so what exactly was the point
of having views? fckd.net names are going to get resolved the same
regardless.

- Kevin

Paul Krash

Nov 2, 2009, 4:05:27 PM
to Jeremy C. Reed, bind-...@lists.isc.org
Jeremy C. Reed wrote:
>
> Do you have anything to match here? By default, match-clients and
> match-destinations default to matching all addresses (even not
> "internal"). So when you reversed, the other view (dot5) would never
> match and wouldn't work.
>

Hey Mr. Reed!

Would this statement be enough for the second 'internal' view? :

match-clients {
!10.x.5.0/24;
};

Or, do I have to explicitly define a match for every subnet?

e.g.:

match-clients {
!10.x.5.0/24;
10.x.1.0/24;
10.x.2.0/24;
10.x.3.0/24;
10.x.4.0/24;
10.x.6.0/24;
10.x.7.0/24;
10.x.8.0/24;
};

Best,

PKrash

Barry Margolin

Nov 2, 2009, 9:36:34 PM
to comp-protoc...@isc.org
In article <mailman.858.1257173...@lists.isc.org>,
"Paul Krash" <pkr...@exegy.com> wrote:

> Morning!
>
> I have been struggling with getting two internal views to work on three
> BIND servers running on Ubuntu Linux 8.04.2 x64
> ( kernel 2.6.24-23-server ) for two straight working days
> (OK, I have other projects too. :-)
>
> Scope: present different CNAMES and A records to one subnet
> (10.x.D.0/24) and another for all remaining (10.x.0.0/16)
>
> This will allow my .5 subnet to automount NFS via UDP
> without jiggering the network infrastructure (routers and switches).
> NFS and NIS servers are homed on multiple networks
> (.A.x/24, .B.x/24, .D.x/24)
>
> Any suggestions or help would be greatly appreciated (virtual beer and
> libations are on the way) in finding a working config example.
>
> I have read the ARMs, searched Google and communities, no joy.
>
> I apologize in advance if there is a well known fount of this knowledge,
> you know how it is, being a sys/sec/net admin at a dynamically changing
> technology company :-)

Make sure you have the views in the appropriate order. Views are
checked in the order they appear in the named.conf file, not order of
specificity. So you need to have the /24 view before the /16 view.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
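Added example, not from the thread and not BIND's own code: a small Python model of how named picks a view, following the documented address-match-list rules the replies above rely on (views are tried in named.conf order, a view with no match-clients defaults to any, and within a list the first matching element decides, a negated element meaning no match). The subnets are constructed stand-ins for the thread's 10.x addresses (10.1.0.0/16 for 10.x.0.0/16), and the two candidate match-clients lists are the ones asked about in the 4:05 PM message.

```python
import ipaddress

# Added model of BIND's address_match_list and view selection (not BIND code):
# elements are tested in order and the first element that matches decides;
# a negated ("!") element that matches means "does not match"; an address
# matching no element does not match; a missing match-clients means "any".


def parse_acl(elements):
    """Turn strings such as '!10.1.5.0/24', '10.1.0.0/16' or 'any' into (negated, network)."""
    acl = []
    for element in elements:
        negated = element.startswith("!")
        text = element[1:] if negated else element
        network = ipaddress.ip_network("0.0.0.0/0" if text == "any" else text)
        acl.append((negated, network))
    return acl


def acl_matches(acl, client):
    address = ipaddress.ip_address(client)
    for negated, network in acl:
        if address in network:
            return not negated  # first matching element decides the whole list
    return False  # no element matched: the list does not match


def select_view(views, client):
    """views is an ordered list of (name, match-clients elements or None); first hit wins."""
    for name, elements in views:
        if acl_matches(parse_acl(elements if elements is not None else ["any"]), client):
            return name
    return None  # no view matched: named has no view to answer from


# Constructed configurations; 10.1.0.0/16 stands in for the thread's 10.x.0.0/16.
POSTED_ORDER = [("dot5", ["10.1.5.0/24"]), ("internal", None)]
REVERSED_ORDER = [("internal", None), ("dot5", ["10.1.5.0/24"])]
NEGATION_ONLY = [("dot5", ["10.1.5.0/24"]), ("internal", ["!10.1.5.0/24"])]
NEGATION_THEN_RANGE = [("dot5", ["10.1.5.0/24"]), ("internal", ["!10.1.5.0/24", "10.1.0.0/16"])]

if __name__ == "__main__":
    for label, views in [("posted", POSTED_ORDER), ("reversed", REVERSED_ORDER),
                         ("negation only", NEGATION_ONLY), ("negation then /16", NEGATION_THEN_RANGE)]:
        print(f"{label:18} 10.1.5.25 -> {select_view(views, '10.1.5.25')}, "
              f"10.1.4.123 -> {select_view(views, '10.1.4.123')}")
```

With the posted order both clients land in the view the daemon.log excerpt shows; with the order reversed the default any on "internal" swallows the .5 client, and a match-clients holding only the negated /24 leaves 10.1.4.123 with no view at all.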
