I am running BIND 9.10.3-P4-Debian.
I have two authoritative nameservers: a primary (192.168.200.3) and a secondary (192.168.201.3).
I want to serve all records to hosts on my subnet (192.168.200.0/22). These records are in view internal-view.
I want to serve a subset of all records to hosts with an IP address in an RFC 1918 private IP block that are not in my particular subnet. These records are in view external-view.
I am trying to force each view to talk to its similarly-named peer view by having different TSIG keys for each of the two views.
With the configuration shown below, internal-view gets transferred from the primary to the secondary. However, external-view does not.
The primary-side log says:
client 192.168.201.3#41723/key external-view (dct.example.com): view internal-view: zone transfer 'dct.example.com/AXFR/IN' denied
Note that external-view is desired and that the external-view key has been offered, but the request is seen as being for internal-view.
The secondary-side log below shows that the secondary nameserver thinks it's asking for external-view.
The secondary-side log says:
zone dct.example.com/IN/external-view: Transfer started.
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: connected using 192.168.201.3#41723
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: failed while receiving responses: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer status: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
The relevant portions of the primary and secondary configurations are shown below.
Is anybody able to see where I am going wrong?
Thank you in advance for any help.
PRIMARY CONFIGURATION
options {
    allow-transfer { none; };
};

key internal-view. {
    algorithm hmac-sha512;
    secret "5<redacted>==";
};

key external-view. {
    algorithm hmac-sha512;
    secret "y<redacted>==";
};

acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

view "internal-view" {
    match-clients { "internal-hosts"; };
    server 192.168.201.3 { keys { internal-view.; }; };
    allow-transfer { key internal-view.; };
    zone "dct.example.com" {
        type master;
        file "zones/internal-view/db.dct.example.com";
        forwarders { };
    };
};

view "external-view" {
    match-clients { "external-hosts"; };
    server 192.168.201.3 { keys { external-view.; }; };
    allow-transfer { key external-view.; };
    zone "dct.example.com" {
        type master;
        file "zones/external-view/db.dct.example.com";
        forwarders { };
    };
};
SECONDARY CONFIGURATION
options {
    allow-transfer { none; };
};

key internal-view. {
    algorithm hmac-sha512;
    secret "5<redacted>==";
};

key external-view. {
    algorithm hmac-sha512;
    secret "y<redacted>==";
};

acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

masters "dct-masters" { 192.168.200.3; };

view "internal-view" {
    match-clients { "internal-hosts"; };
    server 192.168.200.3 { keys { internal-view.; }; };
    allow-transfer { key internal-view.; };
    zone "dct.example.com" {
        type slave;
        file "zones/internal-view/bak.dct.example.com";
        masters { dct-masters; };
        forwarders { };
    };
};

view "external-view" {
    match-clients { "external-hosts"; };
    server 192.168.200.3 { keys { external-view.; }; };
    allow-transfer { key external-view.; };
    zone "dct.example.com" {
        type slave;
        file "zones/external-view/bak.dct.example.com";
        masters { dct-masters; };
        forwarders { };
    };
};
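Added here as an illustration, not part of the original question: BIND picks a view by walking each match-clients list in view order and taking the first element that matches, and an address_match_list element may be `key name` or `!key name` as well as an address or ACL. Because 192.168.201.3 lies inside 192.168.200/22, a purely address-based match-clients puts every request from the secondary into the first view regardless of which TSIG key signed it; testing the key before the address ACL removes that ambiguity. The key and ACL names below are taken from the question, the secrets are placeholders, and the same match-clients pattern is assumed to be mirrored on the secondary (with 192.168.200.3 as the peer).

```conf
// Added example for the primary: key-aware view selection (assumed, not the poster's config).
key internal-view. { algorithm hmac-sha512; secret "<internal-secret-placeholder>"; };
key external-view. { algorithm hmac-sha512; secret "<external-secret-placeholder>"; };

acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

view "internal-view" {
    // Evaluated in order; the first matching element decides.
    //   1. A request signed with the external key must never land here,
    //      even though 192.168.201.3 falls inside 192.168.200/22.
    //   2. A request signed with the internal key always lands here.
    //   3. Unsigned requests fall back to the source-address test.
    match-clients { !key external-view.; key internal-view.; "internal-hosts"; };
    // Sign outbound messages (including NOTIFY) to the secondary with this view's key,
    // so the secondary's key-aware match-clients routes them to its internal-view.
    server 192.168.201.3 { keys { internal-view.; }; };
    allow-transfer { key internal-view.; };
    zone "dct.example.com" {
        type master;
        file "zones/internal-view/db.dct.example.com";
    };
};

view "external-view" {
    // The key test runs before the address ACL, so the secondary's
    // internal-range source address no longer matters for signed requests.
    match-clients { key external-view.; "external-hosts"; };
    server 192.168.201.3 { keys { external-view.; }; };
    allow-transfer { key external-view.; };
    zone "dct.example.com" {
        type master;
        file "zones/external-view/db.dct.example.com";
    };
};
```

After `named-checkconf` passes and named is reloaded, a signed transfer request from the secondary, `dig -y hmac-sha512:external-view.:<external-secret-placeholder> @192.168.200.3 dct.example.com AXFR`, should return the external-view copy of the zone, and the primary's log line for that client should now read `view external-view` instead of `view internal-view`.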