Bind 9 Zone Transfer Denied for View


I am running BIND 9.10.3-P4-Debian.

I have two authoritative nameservers: a primary (192.168.200.3) and a secondary (192.168.201.3).

I want to serve all records to hosts on my subnet (192.168.200.0/22). These records are in view internal-view.

I want to serve a subset of all records to hosts with an IP address in an RFC 1918 private IP block but who are not in my particular subnet. These records are in view external-view.

I am trying to force each view to talk to its similarly-named peer view by having different TSIG keys for each of the two views.

With the configuration shown below, internal-view gets transferred from the primary to the secondary. However, external-view does not.

The primary-side log says:

client 192.168.201.3#41723/key external-view (dct.example.com): view internal-view: zone transfer 'dct.example.com/AXFR/IN' denied

Note that external-view is the intended view and that the external-view key was presented, yet the request is being handled by internal-view.

The secondary-side log below shows that the secondary nameserver thinks it's asking for external-view.

The secondary-side log says:

zone dct.example.com/IN/external-view: Transfer started.
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: connected using 192.168.201.3#41723
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: failed while receiving responses: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer status: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

The relevant portions of the primary and secondary configurations are shown below.

Is anybody able to see where I am going wrong?

Thank you in advance for any help.

PRIMARY CONFIGURATION

# Global default: no zone transfers at all unless a view overrides it.
options {
   allow-transfer { none; };
};

# One TSIG key per view; the same names and secrets are configured on the
# secondary, so each view is meant to sign only with "its" key.
key internal-view. {
   algorithm hmac-sha512;
   secret "5<redacted>==";
};

key external-view. {
   algorithm hmac-sha512;
   secret "y<redacted>==";
};

# RFC 1918 space; allowed-clients adds loopback. allowed-clients is defined
# but not referenced anywhere in the portion of the configuration shown.
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

# NOTE(review): 192.168.200/22 spans 192.168.200.0-192.168.203.255, so the
# secondary at 192.168.201.3 is itself an "internal-host".
acl "internal-hosts" { 192.168.200/22; 127/8; };
# Private addresses that are not internal-hosts. The negated element has to
# come first: address match lists stop at the first element that matches.
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

view "internal-view" {
   # Views are tried in order and the first match wins. Selection here is by
   # source address only; the TSIG key on the request is not consulted, so
   # every request from the secondary lands in this view - including the one
   # signed with external-view., which the primary log then reports as
   # "view internal-view: zone transfer ... denied".
   match-clients { "internal-hosts"; };

   # Sign this view's own traffic to the secondary with the internal key.
   server 192.168.201.3 { keys { internal-view.; }; };
   # Only requests signed with internal-view. may transfer this view's zones.
   allow-transfer { key internal-view.; };

   zone "dct.example.com" {
      type master;
      file "zones/internal-view/db.dct.example.com";
      # Empty list: no forwarding for this authoritative zone.
      forwarders { };
   };
};

view "external-view" {
   # Never reached by the secondary: its address already matched
   # internal-hosts in the view above.
   match-clients { "external-hosts"; };

   server 192.168.201.3 { keys { external-view.; }; };
   allow-transfer { key external-view.; };

   zone "dct.example.com" {
      type master;
      file "zones/external-view/db.dct.example.com";
      forwarders { };
   };
};

SECONDARY CONFIGURATION

# Global default: the secondary hands out no zone transfers unless a view
# overrides it.
options {
   allow-transfer { none; };
};

# Same two TSIG keys as on the primary.
key internal-view. {
   algorithm hmac-sha512;
   secret "5<redacted>==";
};

key external-view. {
   algorithm hmac-sha512;
   secret "y<redacted>==";
};

# Same ACLs as on the primary; allowed-clients is not referenced in the
# portion shown.
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

# The primary both views pull from. Which key signs the requests sent to it
# is decided per view by the server statement below.
masters "dct-masters" { 192.168.200.3; };

view "internal-view" {
   # Address-only selection for incoming queries; it does not affect which
   # key this view uses when it transfers from the primary.
   match-clients { "internal-hosts"; };

   # Outbound SOA/AXFR requests for this view are signed with internal-view.
   server 192.168.200.3 { keys { internal-view.; }; };
   allow-transfer { key internal-view.; };

   zone "dct.example.com" {
      type slave;
      file "zones/internal-view/bak.dct.example.com";
      masters { dct-masters; };
      # Empty list: no forwarding for this zone.
      forwarders { };
   };
};

view "external-view" {
   match-clients { "external-hosts"; };

   # Outbound requests for this view are signed with external-view., which
   # is what the secondary log shows; the primary nevertheless classifies
   # the request into its internal-view by source address.
   server 192.168.200.3 { keys { external-view.; }; };
   allow-transfer { key external-view.; };

   zone "dct.example.com" {
      type slave;
      file "zones/external-view/bak.dct.example.com";
      masters { dct-masters; };
      forwarders { };
   };
};

Dave

Posted 2019-05-10T18:14:29.147


Answers


The following did the trick. The cause was that 192.168.200/22 also contains the secondary (192.168.201.3), so every request from it matched `internal-hosts` and was routed to internal-view by source address alone, whichever TSIG key it carried; the revised `match-clients` lists first reject the other view's key and then accept this view's key, and only then fall back to address-based matching.

PRIMARY CONFIGURATION

# RFC 1918 space; allowed-clients adds loopback and is used as the global
# allow-query list below.
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

# 192.168.200/22 also contains the secondary (192.168.201.3); with the
# key-first match-clients lists below that no longer decides the view.
acl "internal-hosts" { 192.168.200/22; 127/8; };
# Private addresses outside the internal subnet (negation first).
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

# The two authoritative nameservers.
acl "primary-ns" { 192.168.200.3; };
acl "secondary-ns" { 192.168.201.3; };
acl "all-ns" { "primary-ns"; "secondary-ns"; };

# transfer-to-reject matches positively for every client that is NOT in
# transfer-to-allow. It is built as "not allowed; any" rather than negating
# transfer-to-allow at the point of use because a negated element inside a
# nested ACL only makes that nested ACL not match - it does not reject on
# its own. Negating transfer-to-reject in allow-transfer therefore rejects
# outsiders outright.
acl transfer-to-allow { "all-ns"; 127/8; };
acl transfer-to-reject { !"transfer-to-allow"; any; };

options {
   directory "/etc/bind";
   # Do not disclose the server version in CH TXT version.bind answers.
   version none;

   # Queries are accepted from private space and loopback only; this is
   # inherited by both views.
   allow-query { "allowed-clients"; };

   recursion no; # Override in views, where appropriate.
   allow-recursion { none; }; # Override in views, where appropriate.

   notify explicit; # Requires use of also-notify.
   also-notify { }; # Who should we notify? For primary, override this in each view.
   allow-notify { none; }; # Who can notify us? For secondary, override this in each view.

   allow-transfer { none; }; # Who should we allow zone transfers to? For primary, override this in each view.

   # No dynamic updates and no update forwarding anywhere.
   allow-update { none; };
   allow-update-forwarding { none; };

   # The built-in "localhost" ACL matches every address on every local
   # interface, so this listens on all IPv4 interfaces (v6 is off below).
   listen-on { localhost; };

   # Recursive queries (only the internal view enables recursion) are sent
   # exclusively to these resolvers, never resolved iteratively here.
   forward only;
   forwarders { 192.168.20.3; 192.168.30.3; };

   statistics-file "named.stats";

   # NOTE(review): DNSSEC validation is off, so answers from the forwarders
   # are accepted unvalidated on the recursive path.
   dnssec-validation no;
   dnssec-lookaside no;

   auth-nxdomain no;
   listen-on-v6 { none; };
};

# One TSIG key per view; identical definitions exist on the secondary.
key internal-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

key external-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

view "internal-view" {
   # Order matters (first match wins across elements and across views):
   #  1. a request signed with the other view's key is turned away so it
   #     falls through to external-view;
   #  2. a request signed with this view's key is accepted from any address;
   #  3. unsigned requests are classified by address (nameservers, then the
   #     internal subnet).
   match-clients { !key external-view-key; key internal-view-key; "all-ns"; "internal-hosts"; };
   # Both nameservers are listed, this host included; the self-entry looks
   # intended to keep the view stanza identical on both servers - confirm.
   server 192.168.200.3 { keys { internal-view-key; }; };
   server 192.168.201.3 { keys { internal-view-key; }; };

   # Only this view recurses, and only for the internal subnet.
   recursion yes;
   allow-recursion { "internal-hosts"; };

   # Signed NOTIFY to the secondary; with "notify explicit" only this list
   # is notified.
   also-notify { 192.168.201.3 key internal-view-key; }; # Who should we notify?
   allow-notify { none; }; # Who can notify us?

   # Who should we allow zone transfers to?
   # Anyone outside transfer-to-allow is rejected outright; the listed
   # nameservers must additionally sign with this view's key.
   allow-transfer { !transfer-to-reject; key internal-view-key; };

   zone "dct.example.com" {
      type master;
      file "zones/internal-view/db.dct.example.com";
      # Empty list: no forwarding for this authoritative zone.
      forwarders { };
   };
};

view "external-view" {
   # Mirror of the internal view's list with the keys swapped. "all-ns"
   # appears unreachable here - an unsigned nameserver request is already
   # claimed by internal-view above, and a signed one matched the key
   # element before this - confirm before removing.
   match-clients { !key internal-view-key; key external-view-key; "all-ns"; "external-hosts"; };
   server 192.168.200.3 { keys { external-view-key; }; };
   server 192.168.201.3 { keys { external-view-key; }; };

   # Authoritative only for clients outside the internal subnet.
   recursion no;
   allow-recursion { none; };

   also-notify { 192.168.201.3 key external-view-key; }; # Who should we notify?
   allow-notify { none; }; # Who can notify us?

   # Who should we allow zone transfers to?
   # Same rule as internal-view, with this view's key.
   allow-transfer { !transfer-to-reject; key external-view-key; };

   zone "dct.example.com" {
      type master;
      file "zones/external-view/db.dct.example.com";
      forwarders { };
   };
};

SECONDARY CONFIGURATION

# Same ACL set as on the primary.
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

acl "primary-ns" { 192.168.200.3; };
acl "secondary-ns" { 192.168.201.3; };
acl "all-ns" { "primary-ns"; "secondary-ns"; };

# "Everyone except X" ACLs built as "!X; any" so they can be negated at the
# point of use: a negated element inside a nested ACL only makes the nested
# ACL not match, so "!notify-to-reject" / "!transfer-to-reject" below reject
# clients outside the allow set outright.
acl notify-to-allow { "primary-ns"; };
acl notify-to-reject { !"notify-to-allow"; any; };

acl transfer-to-allow { "all-ns"; 127/8; };
acl transfer-to-reject { !"transfer-to-allow"; any; };

options {
   directory "/etc/bind";
   # Do not disclose the server version.
   version none;

   # Queries from private space and loopback only; inherited by both views.
   allow-query { "allowed-clients"; };

   recursion no; # Override in views, where appropriate.
   allow-recursion { none; }; # Override in views, where appropriate.

   notify explicit; # Requires use of also-notify.
   also-notify { }; # Who should we notify? For primary, override this in each view.
   allow-notify { none; }; # Who can notify us? For secondary, override this in each view.

   allow-transfer { none; }; # Who should we allow zone transfers to? For primary, override this in each view.

   # No dynamic updates and no update forwarding anywhere.
   allow-update { none; };
   allow-update-forwarding { none; };

   # The built-in "localhost" ACL matches every address on every local
   # interface, so this listens on all IPv4 interfaces (v6 is off below).
   listen-on { localhost; };

   # Recursive queries (only the internal view recurses) go exclusively to
   # these resolvers.
   forward only;
   forwarders { 192.168.20.3; 192.168.30.3; };

   statistics-file "named.stats";

   # NOTE(review): DNSSEC validation is off, so forwarder answers are
   # accepted unvalidated on the recursive path.
   dnssec-validation no;
   dnssec-lookaside no;

   auth-nxdomain no;
   listen-on-v6 { none; };
};

# Same two TSIG keys as on the primary.
key internal-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

key external-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

# The primary both views pull from; the per-view server statement decides
# which key signs the requests sent to it.
masters "dct-masters" { 192.168.200.3; };

view "internal-view" {
   # First match wins: reject the other view's key, accept this view's key
   # from any address, then classify unsigned requests by address.
   match-clients { !key external-view-key; key internal-view-key; "all-ns"; "internal-hosts"; };
   # Outbound SOA/AXFR requests and NOTIFY handling for this view use the
   # internal key towards both nameservers (this host included).
   server 192.168.200.3 { keys { internal-view-key; }; };
   server 192.168.201.3 { keys { internal-view-key; }; };

   # Only this view recurses, and only for the internal subnet.
   recursion yes;
   allow-recursion { "internal-hosts"; };

   also-notify { }; # Who should we notify?
   # Accept NOTIFY only from the primary, and only when signed with this
   # view's key; everyone else is rejected outright.
   allow-notify { !notify-to-reject; key internal-view-key; }; # Who can notify us?

   # Who should we allow zone transfers to?
   # Same transfer policy as the primary: nameservers/loopback only, signed
   # with this view's key.
   allow-transfer { !transfer-to-reject; key internal-view-key; };

   zone "dct.example.com" {
      type slave;
      file "zones/internal-view/bak.dct.example.com";
      masters { dct-masters; };
      # Empty list: no forwarding for this zone.
      forwarders { };
   };
};

view "external-view" {
   # Mirror of the internal view's list with the keys swapped. "all-ns"
   # appears unreachable here (unsigned nameserver requests are claimed by
   # internal-view above, signed ones by the key element) - confirm.
   match-clients { !key internal-view-key; key external-view-key; "all-ns"; "external-hosts"; };
   server 192.168.200.3 { keys { external-view-key; }; };
   server 192.168.201.3 { keys { external-view-key; }; };

   # Authoritative only.
   recursion no;
   allow-recursion { none; };

   also-notify { }; # Who should we notify?
   # NOTIFY only from the primary, signed with this view's key.
   allow-notify { !notify-to-reject; key external-view-key; }; # Who can notify us?

   # Who should we allow zone transfers to?
   allow-transfer { !transfer-to-reject; key external-view-key; };

   zone "dct.example.com" {
      type slave;
      file "zones/external-view/bak.dct.example.com";
      masters { dct-masters; };
      forwarders { };
   };
};

Dave

Posted 2019-05-10T18:14:29.147
