Bind 9 with Views: zone transfer refused from master to slave


Bind 9 with Views: zone transfer refused from master to slave

Roberto Carna
Hi people, I have master/slave Bind 9.10.3 servers configured with views and TSIG keys on a Debian 9 host. But the transfer from master to slave is refused on the slave side, and there is no descriptive error.

In both Views I have delegated the same two zones: black.com and white.com, with different records according to the view.

If I send my configuration, can you please help me find the failure in the zone transfer from master to slave? Thanks a lot in advance.

MASTER

named.conf:

key "rndc-key" {
        algorithm hmac-md5;
        secret "+PGWO1r5rrT8hcA47Anu0w==";
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
        directory "/var/cache/bind";
        also-notify { 10.0.0.2; };
        dnssec-validation no;
        dnssec-enable yes;
        auth-nxdomain no;  
        allow-query { any; };
        notify explicit;
        recursion no;
        version "none";
};


named.conf.local:

key one {
     algorithm HMAC-MD5;
     secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
     algorithm HMAC-MD5;
     secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
     algorithm HMAC-MD5;
     secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
   match-clients { one; };
   server 10.0.0.2 { keys one; };
   recursion yes;
   allow-transfer { key one; };

zone "black.com." {
    type master;
    file "/etc/bind/zones/black.com.one.db";
    also-notify { 10.0.0.2 key one; };
};

zone "white.com" {
    type master;
    file "/etc/bind/zones/white.com.one.db";
    also-notify { 10.0.0.2 key one; };
};
};

view "two" {
    match-clients { two; };
    server 10.0.0.2 { keys two; };
    recursion yes;
    allow-transfer { key two; };

zone "black.com." {
    type master;
    file "/etc/bind/zones/black.com.two.db";
    also-notify { 10.0.0.2 key one; };
};

zone "white.com" {
    type master;
    file "/etc/bind/zones/white.com.two.db";
    also-notify { 10.0.0.2 key one; };
};
};


SLAVE

named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
        directory "/var/cache/bind";
        allow-transfer {"none";};
        dnssec-validation no;
        dnssec-enable yes;
        auth-nxdomain no;    
        allow-query { any; };
        notify explicit;
        recursion no;
        version "none";
};


named.conf.local:

key one {
     algorithm HMAC-MD5;
     secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
     algorithm HMAC-MD5;
     secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
     algorithm HMAC-MD5;
     secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
   match-clients { one; };
   server 10.0.0.1 { keys one; };
   recursion yes;

zone "black.com" {
    type slave;
    masters { 10.0.0.1 key one; };
    file "/etc/bind/zones/black.com.one.db";
};

zone "white.com" {
    type slave;
    masters { 10.0.0.1 key one; };
    file "/etc/bind/zones/white.com.one.db";
};

};

view "two" {
    match-clients { two; };
    server 10.0.0.1 { keys two; };
    recursion yes;

zone "black.com" {
    type slave;
    masters { 10.0.0.1 key one; };
    file "/etc/bind/zones/black.com.two.db";
};

zone "white.com" {
    type slave;
    masters { 10.0.0.1 key one; };
    file "/etc/bind/zones/white.com.two.db";
};

};

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

RE: Bind 9 with Views: zone transfer refused from master to slave

Lightner, Jeffrey

You have to use separate IPs for the separate views on the master and the slave.

Here we just put alias IPs on the primary interfaces and use those for the second view.
From: bind-users <[hidden email]> On Behalf Of Roberto Carna
Sent: Wednesday, July 03, 2019 3:21 PM
To: ML BIND Users <[hidden email]>
Subject: Bind 9 with Views: zone transfer refused from master to slave

Re: Bind 9 with Views: zone transfer refused from master to slave

Grant Taylor via bind-users
On 7/3/19 2:04 PM, Lightner, Jeffrey wrote:
> You have to use separate IPs for the separate views on the master and
> the slave.

I thought you could use different TSIG keys to identify different zones
with a single IP at each end.

Is that not the case?



--
Grant. . . .
unix || die



Re: Bind 9 with Views: zone transfer refused from master to slave

Sten Carlsen


On 03/07/2019 22.14, Grant Taylor via bind-users wrote:
> On 7/3/19 2:04 PM, Lightner, Jeffrey wrote:
>> You have to use separate IPs for the separate views on the master and the slave.
>
> I thought you could use different TSIG keys to identify different zones with a single IP at each end.
>
> Is that not the case?
As far as I am aware the two views must use different keys; with the same IP, the key (or the view's ACL) is the only thing that distinguishes the views.

You can use the same IP for both views at least on the master, I have that setup and have for a very long time seen it running without any problem. I do not use keys but let view ACL do the work.





Re: Bind 9 with Views: zone transfer refused from master to slave

Roberto Carna
Dear, thanks for your help.

As I have shown above, I use two views with a TSIG key for each view, but the zone transfer doesn't work.

Could you please send me your Bind views configuration, on the master and slave sides?

Thanks a lot again.

Regards!!!

On Wed, 3 Jul 2019 at 17:27, Sten Carlsen (<[hidden email]>) wrote:


Re: Bind 9 with Views: zone transfer refused from master to slave

Tony Finch
Roberto Carna <[hidden email]> wrote:
>
> As I have shown above, I use two views with a TSIG key for each view, but
> the zone transfer doesn't work.

The redacted config you posted did not consistently use key one in view
one and key two in view two. I don't know if your real config has the same
mistake or not.

You might find your logs help you to debug the problem, though recent
versions of BIND are better at logging details of TSIG keys.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Trafalgar: Cyclonic 4 or 5, occasionally 6 in north. Moderate or rough.
Thundery showers. Good, occasionally poor.
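As an added example (not from the thread, and not ISC's code), a small Python check for the inconsistency Tony describes: it splits a named.conf into its view blocks, takes the key named in each view's server{} (or allow-transfer) statement as that view's TSIG key, and flags any also-notify or masters clause inside the view that names a different key. The sample config is constructed to mirror the master config posted above; the same check runs unchanged on a slave's masters{} clauses.

```python
import re

# Constructed sample modelled on the master config posted in the thread: view "two"
# talks to the slave with key two but still notifies it with key one.
MASTER_CONF = """
view "one" {
    server 10.0.0.2 { keys one; };
    allow-transfer { key one; };
    zone "black.com." { type master; also-notify { 10.0.0.2 key one; }; };
    zone "white.com" { type master; also-notify { 10.0.0.2 key one; }; };
};
view "two" {
    server 10.0.0.2 { keys two; };
    allow-transfer { key two; };
    zone "black.com." { type master; also-notify { 10.0.0.2 key one; }; };
    zone "white.com" { type master; also-notify { 10.0.0.2 key one; }; };
};
"""

VIEW_RE = re.compile(r'view\s+"([^"]+)"\s*\{')
SERVER_KEY_RE = re.compile(r'server\s+\S+\s*\{[^}]*?\bkeys\s+([^\s;]+)\s*;')
TRANSFER_KEY_RE = re.compile(r'allow-transfer\s*\{\s*key\s+([^\s;]+)\s*;')
PEER_RE = re.compile(r'\b(also-notify|masters)\s*\{([^}]*)\}')  # master / slave side
KEY_RE = re.compile(r'\bkey\s+([^\s;]+)\s*;')

def split_views(conf):
    """Map each view name to its body text by counting braces from 'view "x" {'."""
    views = {}
    for m in VIEW_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        views[m.group(1)] = conf[m.end():i - 1]
    return views

def view_key(body):
    """The TSIG key a view is meant to use: its server{} keys, else allow-transfer."""
    m = SERVER_KEY_RE.search(body) or TRANSFER_KEY_RE.search(body)
    return m.group(1) if m else None

def check_view_keys(conf):
    """Return {view: (expected_key, [(statement, offending_key), ...])}."""
    report = {}
    for name, body in split_views(conf).items():
        expected = view_key(body)
        bad = [(stmt, k) for stmt, inner in PEER_RE.findall(body)
               for k in KEY_RE.findall(inner) if k != expected]
        report[name] = (expected, bad)
    return report
```

Running `check_view_keys` over the sample reports view "one" as clean and both also-notify statements in view "two" as using key one instead of key two.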

Re: Bind 9 with Views: zone transfer refused from master to slave

Roberto Carna
Dear people, finally I could get my zone transfers to work.

I have reviewed my config one more time and I am using one TSIG key for each view.

Thanks a lot, regards!!!

On Thu, 4 Jul 2019 at 9:38, Tony Finch (<[hidden email]>) wrote: