In both the external and internal views I created these zones:
example.com
In the internal version of example.com I mapped all the hosts and
service names to lan ips.
In the external version of example.com I mapped publicly available
hosts and services to public ips.
My problem is that when my slave transfers the zones, the external example.com zone
is coming over with the correct names but they are mapped to internal
lan ips instead of the public ips that I listed in the zone!
So my questions are these: Is it not possible to have an internal and
external version of example.com?
If it is then is there something special that needs to be done for
this scenario?
thx,
Gerry
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org
> Hi all,
> I just setup bind 9.4.2 on F7 and created these views:
> external; internal; localhost_resolver;
>
> In both the external and internal views I created these zones:
> example.com
>
> In the internal version of example.com I mapped all the hosts and
> service names to lan ips.
> In the external version of example.com I mapped publicly available
> hosts and services to public ips.
>
> My problem is that when my slave transfers the zones the external
> example.com zone
> is coming over with the correct names but they are mapped to internal
> lan ips instead of the public ips that I listed in the zone!
I suspect this is being done by your firewall, not BIND.
>
> So my questions are these: Is it not possible to have an internal and
> external version of example.com?
> If it is then is there something special that needs to be done for
> this scenario?
If your firewall is a PIX, I think there's something like fixup_dns that
can be disabled. You don't need this on the firewall if the nameserver
uses views.
--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Gerry
That or using tsig. If you are getting the wrong addresses you
are transferring from the wrong view.
Mark
Ok, I used TSIG and both servers start fine but I see this in the slave log:
Apr 6 03:29:42 grp-01-30-51 named[9054]: zone example.com/IN/external: refresh: failure trying master 192.168.1.200#53 (source 0.0.0.0#53): tsig indicates error
Apr 6 03:29:43 grp-01-30-51 named[9054]: zone external.zone/IN/external: refresh: failure trying master 192.168.1.200#53 (source 0.0.0.0#53): tsig indicates error
I've tried removing these slave files altogether but this didn't help.
I've checked the keys, the keyfile perms. Everything looks ok.
????
Gerry
I have tried moving the keys into the views - same result.
I made sure that my double quotes are exactly like faq.
I have diff'd the keys. All instances of key name were cut and paste
from gen'd key in file.
I copied the keys over using scp. Permissions are the same as other files.
What more can I do here?
It doesn't like the key, but why?
Gerry
I even tried gen'ing the keys separately on both servers and using those
keys. Still same problem.
Gerry
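As an added example (not from the thread, and not ISC code), here is a minimal RFC 2845 TSIG MAC computation with HMAC-MD5, the algorithm in the posted named.conf, showing what "tsig indicates error" / BADSIG comes down to: the MAC covers the message plus the key name in canonical wire form, so case or a trailing dot in the name does not change the result, but a secret generated separately on each server does. The message, secrets and timestamp are constructed.

```python
# Added example, not from the thread: a minimal RFC 2845 TSIG MAC
# computation (HMAC-MD5, the algorithm in the posted named.conf).
# Message, secrets and the timestamp below are constructed.
import base64
import hashlib
import hmac
import struct

BADSIG = 16  # TSIG error code from RFC 2845, section 2.3
ALG = "hmac-md5.sig-alg.reg.int"


def wire_name(name: str) -> bytes:
    """Canonical wire-format name: lowercase labels, no compression, ending
    in a zero-length label. A trailing dot or upper case in the configured
    key name makes no difference to these bytes."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.lower().rstrip(".").split("."))
    return out + b"\x00"


def tsig_mac(secret_b64: str, key_name: str, message: bytes,
             time_signed: int, fudge: int = 300) -> bytes:
    """HMAC over the DNS message followed by the TSIG variables
    (RFC 2845 3.4.2): key name, class ANY, TTL 0, algorithm name,
    time signed (48 bits), fudge, error 0, other-data length 0."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)
                 + wire_name(ALG)
                 + struct.pack("!HIHHH", time_signed >> 32,
                               time_signed & 0xFFFFFFFF, fudge, 0, 0))
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message + variables, hashlib.md5).digest()


def verify(secret_b64, key_name, message, time_signed, mac) -> int:
    """0 (NOERROR) if the MAC checks out under this key, else BADSIG."""
    expected = tsig_mac(secret_b64, key_name, message, time_signed)
    return 0 if hmac.compare_digest(expected, mac) else BADSIG


def demo() -> dict:
    # Constructed SOA query for example.com and two secrets generated
    # independently, as when keys are generated separately on each server.
    msg = (b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
           + wire_name("example.com") + struct.pack("!HH", 6, 1))
    slave_secret = base64.b64encode(b"slave-side-secret-000").decode()
    master_secret = base64.b64encode(b"master-side-secret-00").decode()
    t = 1207486800
    mac = tsig_mac(slave_secret, "ns1-ns2.example.com.", msg, t)
    return {
        "same_secret": verify(slave_secret, "ns1-ns2.example.com.", msg, t, mac),
        "same_secret_name_spelled_differently":
            verify(slave_secret, "NS1-NS2.EXAMPLE.COM", msg, t, mac),
        "separately_generated_secret":
            verify(master_secret, "ns1-ns2.example.com.", msg, t, mac),
    }
```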
MASTER SERVER:
============================================================
Apr 6 13:03:46 grp-01-30-50 named[31966]: starting BIND 9.4.2 -u named -t /var/named/chroot
Apr 6 13:03:46 grp-01-30-50 named[31966]: found 1 CPU, using 1 worker thread
Apr 6 13:03:46 grp-01-30-50 named[31966]: loading configuration from '/etc/named.conf'
Apr 6 13:03:46 grp-01-30-50 named[31966]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 6 13:03:46 grp-01-30-50 named[31966]: listening on IPv4 interface lo:0, 192.168.1.240#53
Apr 6 13:03:46 grp-01-30-50 named[31966]: listening on IPv4 interface eth0, 192.168.1.200#53
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: 127.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: 254.169.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: 2.0.192.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: 255.255.255.255.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: D.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: 8.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: 9.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: A.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view internal: B.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: 127.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: 254.169.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: 2.0.192.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: 255.255.255.255.IN-ADDR.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: D.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: 8.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: 9.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: A.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: automatic empty zone: view localhost_resolver: B.E.F.IP6.ARPA
Apr 6 13:03:46 grp-01-30-50 named[31966]: command channel listening on 127.0.0.1#953
Apr 6 13:03:46 grp-01-30-50 named[31966]: command channel listening on ::1#953
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone example.com/IN/external: loaded serial 4
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone grp.external.zone/IN/external: loaded serial 2
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone example.com/IN/internal: loaded serial 3
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone gar-lan/IN/internal: loaded serial 6
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone grp.ddns.internal.zone/IN/internal: loaded serial 2
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone grp.internal.zone/IN/internal: loaded serial 2
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone 0.in-addr.arpa/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone 0.0.127.in-addr.arpa/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone 255.in-addr.arpa/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone localdomain/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone localhost/IN/localhost_resolver: loaded serial 42
Apr 6 13:03:46 grp-01-30-50 named[31966]: running
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone example.com/IN/external: sending notifies (serial 4)
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone example.com/IN/internal: sending notifies (serial 3)
Apr 6 13:03:46 grp-01-30-50 named[31966]: zone gar-lan/IN/internal: sending notifies (serial 6)
Apr 6 13:03:46 grp-01-30-50 named[31966]: client 192.168.1.1#53: view internal: received notify for zone 'example.com'
Apr 6 13:03:47 grp-01-30-50 named[31966]: zone grp.slave.internal.zone/IN/internal: refresh: unexpected rcode (SERVFAIL) from master 192.168.1.201#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-50 named[31966]: client 192.168.1.201#53: view internal: request has invalid signature: TSIG ns1-ns2.example.com: tsig verify failure (BADSIG)
============================================================
SLAVE SERVER:
============================================================
Apr 6 13:04:00 grp-01-30-51 named[24014]: starting BIND 9.4.2 -u named -t /var/named/chroot
Apr 6 13:04:00 grp-01-30-51 named[24014]: found 1 CPU, using 1 worker thread
Apr 6 13:04:00 grp-01-30-51 named[24014]: loading configuration from '/etc/named.conf'
Apr 6 13:04:00 grp-01-30-51 named[24014]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 6 13:04:00 grp-01-30-51 named[24014]: listening on IPv4 interface lo:0, 192.168.1.240#53
Apr 6 13:04:00 grp-01-30-51 named[24014]: listening on IPv4 interface eth0, 192.168.1.201#53
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: 127.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: 254.169.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: 2.0.192.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: 255.255.255.255.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: D.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: 8.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: 9.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: A.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view internal: B.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: 127.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: 254.169.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: 2.0.192.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: 255.255.255.255.IN-ADDR.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: D.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: 8.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: 9.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: A.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: automatic empty zone: view localhost_resolver: B.E.F.IP6.ARPA
Apr 6 13:04:00 grp-01-30-51 named[24014]: command channel listening on 127.0.0.1#953
Apr 6 13:04:00 grp-01-30-51 named[24014]: command channel listening on ::1#953
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone example.com/IN/external: loaded serial 2 <=== on master this file is at serial 4, so it is not transferring ????
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone example.com/IN/internal: loaded serial 3
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone gar-lan/IN/internal: loaded serial 6
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone grp.ddns.internal.zone/IN/internal: loaded serial 2
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone grp.internal.zone/IN/internal: loaded serial 2
Apr 6 13:04:00 grp-01-30-51 named[24014]: running
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone example.com/IN/internal: sending notifies (serial 3)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone gar-lan/IN/internal: sending notifies (serial 6)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone grp.external.zone/IN/external: refresh: failure trying master 192.168.1.200#53 (source 0.0.0.0#53): tsig indicates error <=== TSIG ERROR
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone localdomain/IN/localhost_resolver: refresh: non-authoritative answer from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone 0.in-addr.arpa/IN/localhost_resolver: refresh: non-authoritative answer from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone 0.0.127.in-addr.arpa/IN/localhost_resolver: refresh: unexpected rcode (NXDOMAIN) from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone 255.in-addr.arpa/IN/localhost_resolver: refresh: non-authoritative answer from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone localhost/IN/localhost_resolver: refresh: non-authoritative answer from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/localhost_resolver: refresh: non-authoritative answer from master 192.168.1.200#53 (source 0.0.0.0#53)
Apr 6 13:04:00 grp-01-30-51 named[24014]: zone grp.slave.internal.zone/IN/internal: refresh: unexpected rcode (SERVFAIL) from master 192.168.1.200#53 (source 0.0.0.0#53)
============================================================
I can see that named thinks the sig is bad, but I have gen'd and re-gen'd
these keys without success.
Here are the sections from named.conf:
MASTER SERVER:
============================================================
// Red Hat BIND Configuration Tool
//
// MASTER NAMESERVER
key "ns1-ns2.example.com." {
    algorithm hmac-md5;
    secret dnssec-keygendsecret;
};
acl external_slaves {
};
acl internal_slaves {
    192.168.1.201;
};
acl gar-lan {
    127.0.0.0/8;
    192.168.2.0/24;
};
acl grp-lan {
    127.0.0.0/8;
    192.168.1.0/24;
};
...
view "external" {
    match-clients {
        key ns1-ns2.example.com.;
        ! grp-lan;
        ! gar-lan;
    };
    recursion no;
    // we sign requests sent to these servers
    server 192.168.1.201 {
        keys { ns1-ns2.example.com.; };
    };
    zone "example.com." IN {
        type master;
        file "external_example.com.db";
        allow-transfer { internal_slaves; external_slaves; };
    };
    ...
};
view "internal" {
    match-destinations {
        grp-lan;
        gar-lan;
    };
    match-clients {
        !key ns1-ns2.example.com.;
        grp-lan;
        gar-lan;
    };
    recursion yes;
    zone "example.com." IN {
        type master;
        file "internal_example.com.db";
        allow-transfer { internal_slaves; };
    };
    ...
};
view "localhost_resolver" {
    match-clients {
        localhost;
    };
    match-destinations {
        localhost;
    };
    recursion yes;
    ...
};
include "/etc/rndc.key";
============================================================
SLAVE SERVER:
============================================================
// Red Hat BIND Configuration Tool
//
// SLAVE NAMESERVER
key "ns1-ns2.example.com." {
    algorithm hmac-md5;
    secret dnssec-keygendsecret;
};
...
view "external" {
    match-clients {
        key ns1-ns2.example.com.;
        ! grp-lan;
        ! gar-lan;
    };
    recursion no;
    // we sign requests sent to these servers
    server 192.168.1.200 {
        keys { ns1-ns2.example.com.; };
    };
    zone "example.com." IN {
        type slave;
        file "slaves/external_example.com.db";
        allow-transfer { internal_slaves; external_slaves; };
        masters { 192.168.1.200; };
        ...
    };
view "internal" {
    match-clients {
        !key ns1-ns2.example.com.;
        grp-lan;
        gar-lan;
    };
    recursion yes;
    zone "example.com." IN {
        type slave;
        file "slaves/internal_example.com.db";
        allow-transfer { internal_slaves; };
        masters { 192.168.1.200; };
    };
    ...
};
view "localhost_resolver" {
    match-clients {
        localhost;
    };
    recursion yes;
    ...
};
include "/etc/rndc.key";
============================================================
Gerry
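An added example (not from the thread) of the check a defender would script over the two logs above: correlate "loaded serial" lines from master and slave, and attach the slave's refresh failure and any BADSIG the master logged, so a zone stuck behind the master is flagged with its likely cause. The sample lines are constructed from the message formats shown in the post, with timestamps dropped.

```python
# Added example, not from the thread: correlate master and slave named
# logs to flag zones whose transfers fail. Sample lines are constructed.
import re

SERIAL_RE = re.compile(r"zone (\S+)/IN/(\S+): loaded serial (\d+)")
REFRESH_RE = re.compile(r"zone (\S+)/IN/(\S+): refresh: (.+)$")
TSIG_RE = re.compile(r"client (\S+): view (\S+): request has invalid signature: TSIG (\S+): .*\((BAD\w+)\)")

MASTER_LOG = [
    "named[31966]: zone example.com/IN/external: loaded serial 4",
    "named[31966]: zone example.com/IN/internal: loaded serial 3",
    "named[31966]: client 192.168.1.201#53: view internal: request has invalid signature: TSIG ns1-ns2.example.com: tsig verify failure (BADSIG)",
]
SLAVE_LOG = [
    "named[24014]: zone example.com/IN/external: loaded serial 2",
    "named[24014]: zone example.com/IN/internal: loaded serial 3",
    "named[24014]: zone example.com/IN/external: refresh: failure trying master 192.168.1.200#53 (source 0.0.0.0#53): tsig indicates error",
]


def scan(lines):
    """Return (loaded serials, refresh failures, TSIG rejections) for one log."""
    serials, failures, rejects = {}, {}, []
    for line in lines:
        if m := SERIAL_RE.search(line):
            serials[(m[1], m[2])] = int(m[3])
        elif m := REFRESH_RE.search(line):
            failures[(m[1], m[2])] = m[3]
        elif m := TSIG_RE.search(line):
            rejects.append({"client": m[1], "view": m[2], "key": m[3], "code": m[4]})
    return serials, failures, rejects


def report(master_lines, slave_lines):
    """Per zone/view: master and slave serials, and why the slave is behind."""
    m_serials, _, m_rejects = scan(master_lines)
    s_serials, s_failures, _ = scan(slave_lines)
    out = {}
    for key, m_serial in m_serials.items():
        s_serial = s_serials.get(key)
        entry = {"master": m_serial, "slave": s_serial, "status": "in sync"}
        if s_serial is None or s_serial < m_serial:
            entry["status"] = "slave behind"
            if key in s_failures:
                entry["slave_error"] = s_failures[key]
            # BADSIG on the master means the slave signed with a secret the master
            # does not hold under that key name; the view in that message is not
            # matched against the zone's view (the post shows it under "internal").
            bad = [r for r in m_rejects if r["code"] == "BADSIG"]
            if bad and "tsig" in s_failures.get(key, ""):
                entry["likely_cause"] = "TSIG secret mismatch for key " + bad[0]["key"]
        out[key[0] + "/" + key[1]] = entry
    return out
```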
So what was the problem? Well, I'm not exactly certain. But what I did
was to remove all traces of keys everywhere.
I regen'd the key being very careful to make sure the key ended in a <dot>.
I followed the example in the FAQ as far as what does and does not get
double-quoted and made sure that all references to the key name
also ended in a <dot> just as it did for dnssec-keygen.
So now back to some of the original issues:
I have two zones in the 'external' view now controlled by TSIG. When I
change these on the master and update their serials they do not transfer
to the slave.
Any of the 'internal' view zones will transfer just fine when I update them.
I restarted both servers and still no transfer on the external zones. I
even commented out the 'allow-update' restrictions and still no transfer.
The slave log shows refresh lines for all the 'internal' zones but
nothing for any of the 'external' zones.
Since 'external' zones are under TSIG now, is there something else
required to get them to transfer?
Gerry
Is the zone REALLY called "grp.slave.internal.zone" or
is that the file name?
If you want help send the real named.conf undoctored.
Also send the log messages undoctored.
How do you expect anyone to find your configuration errors
if they can't see the configuration?