Bind 9.1.3 Transfers and Views

Peter Erickson

Nov 3, 2001, 1:30:26 PM
I am having trouble getting my slave to transfer the zones correctly
from the master. I have 2 nameservers configured with views, and they lie
behind a firewall with NAT enabled. One of the views is for machines
behind the firewall (internal network) and the other view is for
machines from the Internet. The problem that I am running into is that
my slave is requesting the zone transfers from the master and it's
not getting the correct zone for the outside world view. The slave is
getting the internal representation instead of the external
representation. I only have these 2 machines at my disposal, so I
would really like to figure out a way to get this to work. Does anyone
have any ideas how to get this to work with these 2 machines? Condensed
versions of my configuration files are listed below. Zones
such as the loopback and hints are left out. Any help is greatly
appreciated. Thanks in advance.

Master Server:

view "internal" {
    match-clients { 10.0.1/24; };
    allow-transfer { 10.0.1.2; };
    recursion yes;

    zone "domain.com" in {
        type master;
        file "zones/db.domain.com-internal";
    };

    zone "1.0.10.in-addr.arpa" in {
        type master;
        file "zones/db.10.0.1";
    };
};

view "external" {
    match-clients { any; };
    allow-transfer { 10.0.1.2; };
    recursion no;

    zone "domain.com" in {
        type master;
        file "zones/db.domain.com-ext";
    };

    zone "y.x.w.in-addr.arpa" in {
        type master;
        file "zones/db.w.x.y";
    };
};

Slave Server:

view "internal" {
    match-clients { 10.0.1/24; };
    recursion yes;

    zone "domain.com" in {
        type slave;
        masters { 10.0.1.3; };
        file "zones/bak.domain.com-int";
    };

    zone "1.0.10.in-addr.arpa" in {
        type slave;
        masters { 10.0.1.3; };
        file "zones/bak.10.0.1";
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "domain.com" in {
        type slave;
        masters { 10.0.1.3; };
        file "zones/bak.domain.com-ext";
    };

    zone "y.x.w.in-addr.arpa" in {
        type slave;
        masters { 10.0.1.3; };
        file "zones/bak.w.x.y";
    };
};

Mark_A...@isc.org

Nov 3, 2001, 6:51:56 PM

You will need to give the master and slave multiple IP addresses
and use those to make sure you reach the correct view on the other
machine.

e.g.
    Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
        internal:
            match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
            notify-source 10.0.1.1;
            transfer-source 10.0.1.1;
            query-source 10.0.1.1;
        external:
            match-clients { any; };
            recursion no; // don't offer recursion to the world
            notify-source 10.0.1.2;
            transfer-source 10.0.1.2;

    Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
        internal:
            match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
            notify-source 10.0.1.3;
            transfer-source 10.0.1.3;
            query-source 10.0.1.3;
        external:
            match-clients { any; };
            recursion no; // don't offer recursion to the world
            notify-source 10.0.1.4;
            transfer-source 10.0.1.4;

You put the external address on the alias so that all the other
dns clients on these boxes see the internal view by default.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.A...@isc.org
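
An added example, not part of either post: a small Python model of how named chooses a view from a request's source address, showing why the transfer in the question lands in the internal view and why the alias addresses in the reply separate the two. The match-clients lists are copied from the posts; the function names are hypothetical, and the slave's single address 10.0.1.2 in the first case is an assumption inferred from the question's allow-transfer lines.

```python
import ipaddress

def acl_match(acl, src):
    """Address-match-list semantics: the first element that matches
    decides; a matching '!' element rejects. No match means reject."""
    addr = ipaddress.ip_address(src)
    for elem in acl:
        negate = elem.startswith("!")
        spec = elem.lstrip("!")
        if spec == "any" or addr in ipaddress.ip_network(spec, strict=False):
            return not negate
    return False

def select_view(views, src):
    """Views are tried in configuration order; the first one whose
    match-clients accepts the source address answers the request."""
    for name, acl in views:
        if acl_match(acl, src):
            return name
    return None

# Master views as posted in the question (10.0.1/24 written out in full).
ORIGINAL = [
    ("internal", ["10.0.1.0/24"]),
    ("external", ["any"]),
]

# Master views from the reply: the alias addresses are excluded from
# "internal" so that requests sent from them fall through to "external".
WITH_ALIASES = [
    ("internal", ["!10.0.1.2", "!10.0.1.4", "10.0.1.0/24"]),
    ("external", ["any"]),
]

def transfer_views(master_views, transfer_sources):
    """Map each slave view to the master view its zone transfer request
    reaches, given the source address that slave view sends from."""
    return {v: select_view(master_views, s) for v, s in transfer_sources.items()}

# Question's setup (assumed): both slave views send from the one address 10.0.1.2.
print(transfer_views(ORIGINAL, {"internal": "10.0.1.2", "external": "10.0.1.2"}))
# Reply's setup: transfer-source 10.0.1.3 for internal, alias 10.0.1.4 for external.
print(transfer_views(WITH_ALIASES, {"internal": "10.0.1.3", "external": "10.0.1.4"}))
```

The first mapping sends both of the slave's views to the master's internal view, which is how the internal zone data ends up in the slave's external view; the second keeps them apart.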
