Zone transfers on a split-view Bind DNS system

Question

I have a 2-server BIND 9 setup. Server A (the 'master' server) is properly setup with two views, one for local DNS clients (allowing recursive lookups for non-authorotive domains) and one view for the rest of the world, allowing only queries for local authorotive domains.

I want to configure the second server (let's name that Server B, or the 'slave' server) a similar way. Unfortunately this does not work properly. Once enabled, any notify from server A will correctly update/transfer the respective zone, but only the 'protected' view will serve the updated information. The 'external' view on server B still returns the 'old' information, until the server is restarted.

Answer 1

from bind 9.3 on, you can associate views using TSIG.

Take a look here: How do I share a dynamic zone between multiple views?

Answer 2

One of the tricks here is to ensure that the two zones are transferring from the correct views. If you have zone "example.com" in both the internal and external views, tell the servers to transfer from the internal and external IP addresses as masters (on the slaves) choosing the correct internal/external one for each.

You may also need to explicitly tell BIND to "also-notify" the slave's view(s) as well for each zone.

Answer 3

Bind 9.10 has a new in-view zone option to say that “this zone I am defining in this view is really the same zone as the one I previously defined in this other view”. This will keep Bind informed that the zones are not separate zones but in reality the same zone.

Answer 4

I had a similar problem. According to this page from the ISC knowledge base you need to differentiate between the views using a shared key. At least that was the only way I've got it working, and it now works flawlessly after I had first wasted several hours by trying other methods.

BIND 9.9.5.