私はBIND9.10.3-P4-Debianを実行しています。
私は2つの権威ネームサーバーを持っています:プライマリ(192.168.200.3)とセカンダリ(192.168.201.3)。
サブネット(192.168.200.0/22)上のホストにはすべてのレコードを提供したい。これらのレコードは internal-view で提供しています。
RFC 1918 のプライベート IP ブロック内のアドレスを持つが、上記のサブネットには属さないホストには、レコードの一部だけを提供したい。これらのレコードは external-view で提供しています。
2つのビューにそれぞれ異なる TSIG キーを設定し、各ビューがもう一方のサーバー上の同名のビューとだけ通信するように強制しようとしています。
以下に示す構成では、internal-view のゾーンはプライマリからセカンダリへ転送されますが、external-view のゾーンは転送されません。
一次側のログには次のように書かれています。
client 192.168.201.3#41723/key external-view (dct.example.com): view internal-view: zone transfer 'dct.example.com/AXFR/IN' denied
リクエストは external-view キーで署名されており external-view を意図したものなのに、プライマリはこれを internal-view へのリクエストとして扱っている点に注意してください。
一方、以下のセカンダリ側のログを見ると、セカンダリは external-view のゾーン転送を要求していると認識しています。
二次側のログには次のように書かれています。
zone dct.example.com/IN/external-view: Transfer started.
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: connected using 192.168.201.3#41723
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: failed while receiving responses: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer status: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
一次構成と二次構成の関連部分を以下に示します。
誰かが私がどこで間違っているのかを見ることができますか?
よろしくお願いします。
# Primary (192.168.200.3) -- configuration as originally posted; this is the
# version that fails.
options {
# Default-deny at the top level; each view re-enables transfers for its own key.
allow-transfer { none; };
};
key internal-view. {
algorithm hmac-sha512;
secret "5<redacted>==";
};
key external-view. {
algorithm hmac-sha512;
secret "y<redacted>==";
};
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };
# 192.168.200/22 covers 192.168.200.0-192.168.203.255, so the secondary
# (192.168.201.3) is an "internal host" by address.
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };
view "internal-view" {
# Views are tried in order and this match-clients is address-only, so every
# request from the secondary selects this view -- including an AXFR signed
# with the external-view key. That is why the log above reads
# "key external-view ... view internal-view: zone transfer ... denied".
match-clients { "internal-hosts"; };
# Key used to sign our own requests/notifies to the secondary.
server 192.168.201.3 { keys { internal-view.; }; };
# Transfers out of this view require the internal-view key; an external-view
# signature therefore fails here even though the address is allowed.
allow-transfer { key internal-view.; };
zone "dct.example.com" {
type master;
file "zones/internal-view/db.dct.example.com";
forwarders { };
};
};
view "external-view" {
# Never reached by the secondary: its address already matched internal-view.
match-clients { "external-hosts"; };
server 192.168.201.3 { keys { external-view.; }; };
allow-transfer { key external-view.; };
zone "dct.example.com" {
type master;
file "zones/external-view/db.dct.example.com";
forwarders { };
};
};
# Secondary (192.168.201.3) -- configuration as originally posted.
options {
allow-transfer { none; };
};
# Both keys must be byte-identical to the primary's key statements.
key internal-view. {
algorithm hmac-sha512;
secret "5<redacted>==";
};
key external-view. {
algorithm hmac-sha512;
secret "y<redacted>==";
};
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };
# No key on the masters list: the per-view "server" statement below supplies
# the TSIG key for requests sent to the primary.
masters "dct-masters" { 192.168.200.3; };
view "internal-view" {
match-clients { "internal-hosts"; };
server 192.168.200.3 { keys { internal-view.; }; };
allow-transfer { key internal-view.; };
zone "dct.example.com" {
type slave;
file "zones/internal-view/bak.dct.example.com";
masters { dct-masters; };
forwarders { };
};
};
view "external-view" {
match-clients { "external-hosts"; };
# The AXFR from this view is signed with external-view (see the secondary
# log above), but the primary picks its view by source address and so
# answers from internal-view and refuses it.
server 192.168.200.3 { keys { external-view.; }; };
allow-transfer { key external-view.; };
zone "dct.example.com" {
type slave;
file "zones/external-view/bak.dct.example.com";
masters { dct-masters; };
forwarders { };
};
};
原因は、セカンダリ (192.168.201.3) が internal-hosts の 192.168.200.0/22 に含まれているため、元の構成ではどのキーで署名していてもプライマリ側で送信元アドレスだけで internal-view が選ばれていたことです。以下の構成では match-clients の先頭に `!key <他方のキー>; key <自ビューのキー>;` を置き、TSIG 署名付きのリクエストはアドレス ACL より先にキーでビューを振り分けるようにしました。あわせて allow-transfer / allow-notify を「許可アドレスかつ正しいキー」の両方を要求する形にしています。この構成で解決しました。
# Primary (192.168.200.3) -- working configuration.
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };
acl "primary-ns" { 192.168.200.3; };
acl "secondary-ns" { 192.168.201.3; };
acl "all-ns" { "primary-ns"; "secondary-ns"; };
acl transfer-to-allow { "all-ns"; 127/8; };
# { !allow; any; } matches (positively) every address NOT in transfer-to-allow.
# Used negated inside allow-transfer below, it rejects those addresses before
# the key element is consulted, so a transfer needs BOTH a listed source
# address AND a valid signature with the view's key.
acl transfer-to-reject { !"transfer-to-allow"; any; };
options {
directory "/etc/bind";
version none;
allow-query { "allowed-clients"; };
recursion no; # Override in views, where appropriate.
allow-recursion { none; }; # Override in views, where appropriate.
notify explicit; # Requires use of also-notify.
also-notify { }; # Who should we notify? For primary, override this in each view.
allow-notify { none; }; # Who can notify us? For secondary, override this in each view.
allow-transfer { none; }; # Who should we allow zone transfers to? For primary, override this in each view.
allow-update { none; };
allow-update-forwarding { none; };
# This allows *all* local network interfaces.
listen-on { localhost; };
forward only;
forwarders { 192.168.20.3; 192.168.30.3; };
statistics-file "named.stats";
# NOTE(review): internal-view enables recursion and all recursion is forwarded,
# so answers relayed to internal hosts are not validated on this server --
# confirm the forwarders validate, or turn validation on here.
dnssec-validation no;
dnssec-lookaside no;
auth-nxdomain no;
listen-on-v6 { none; };
};
# NOTE(review): consider keeping the key statements in a separate root-only
# file pulled in with "include", so the secrets are not in the main config.
key internal-view-key {
algorithm hmac-sha512;
secret "<redacted>";
};
key external-view-key {
algorithm hmac-sha512;
secret "<redacted>";
};
view "internal-view" {
# Order matters: a request signed with the OTHER view's key is refused first,
# so it can never fall through to the address ACLs and land in this view.
# Requests signed with our key are accepted regardless of source address;
# unsigned requests are routed by address as before.
match-clients { !key external-view-key; key internal-view-key; "all-ns"; "internal-hosts"; };
server 192.168.200.3 { keys { internal-view-key; }; };
server 192.168.201.3 { keys { internal-view-key; }; };
recursion yes;
allow-recursion { "internal-hosts"; };
# Signed notify, so the secondary can route it to its own internal-view.
also-notify { 192.168.201.3 key internal-view-key; }; # Who should we notify?
allow-notify { none; }; # Who can notify us?
# Who should we allow zone transfers to? Listed NS addresses AND this view's key.
allow-transfer { !transfer-to-reject; key internal-view-key; };
zone "dct.example.com" {
type master;
file "zones/internal-view/db.dct.example.com";
forwarders { };
};
};
view "external-view" {
# Same pattern with the keys swapped. Unsigned requests from "all-ns" have
# already matched internal-view above, so that entry appears to be reached
# only by signed requests here.
match-clients { !key internal-view-key; key external-view-key; "all-ns"; "external-hosts"; };
server 192.168.200.3 { keys { external-view-key; }; };
server 192.168.201.3 { keys { external-view-key; }; };
recursion no;
allow-recursion { none; };
also-notify { 192.168.201.3 key external-view-key; }; # Who should we notify?
allow-notify { none; }; # Who can notify us?
# Who should we allow zone transfers to? Listed NS addresses AND this view's key.
allow-transfer { !transfer-to-reject; key external-view-key; };
zone "dct.example.com" {
type master;
file "zones/external-view/db.dct.example.com";
forwarders { };
};
};
# Secondary (192.168.201.3) -- working configuration.
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };
acl "primary-ns" { 192.168.200.3; };
acl "secondary-ns" { 192.168.201.3; };
acl "all-ns" { "primary-ns"; "secondary-ns"; };
acl notify-to-allow { "primary-ns"; };
# { !allow; any; } negated in allow-notify: notifies must come from the
# primary's address AND be signed with the view's key.
acl notify-to-reject { !"notify-to-allow"; any; };
acl transfer-to-allow { "all-ns"; 127/8; };
# Same idiom for transfers: listed NS address AND key required.
acl transfer-to-reject { !"transfer-to-allow"; any; };
options {
directory "/etc/bind";
version none;
allow-query { "allowed-clients"; };
recursion no; # Override in views, where appropriate.
allow-recursion { none; }; # Override in views, where appropriate.
notify explicit; # Requires use of also-notify.
also-notify { }; # Who should we notify? For primary, override this in each view.
allow-notify { none; }; # Who can notify us? For secondary, override this in each view.
allow-transfer { none; }; # Who should we allow zone transfers to? For primary, override this in each view.
allow-update { none; };
allow-update-forwarding { none; };
# This allows *all* local network interfaces.
listen-on { localhost; };
forward only;
forwarders { 192.168.20.3; 192.168.30.3; };
statistics-file "named.stats";
# NOTE(review): internal-view enables recursion and all recursion is forwarded,
# so answers relayed to internal hosts are not validated on this server --
# confirm the forwarders validate, or turn validation on here.
dnssec-validation no;
dnssec-lookaside no;
auth-nxdomain no;
listen-on-v6 { none; };
};
# Must match the primary's key statements exactly (name, algorithm, secret).
key internal-view-key {
algorithm hmac-sha512;
secret "<redacted>";
};
key external-view-key {
algorithm hmac-sha512;
secret "<redacted>";
};
# No key here; the per-view "server 192.168.200.3" statements sign outbound
# SOA/AXFR requests with the correct view's key.
masters "dct-masters" { 192.168.200.3; };
view "internal-view" {
# Signed requests (including the primary's notifies) are routed by key before
# any address ACL is consulted; the other view's key is refused outright.
match-clients { !key external-view-key; key internal-view-key; "all-ns"; "internal-hosts"; };
server 192.168.200.3 { keys { internal-view-key; }; };
server 192.168.201.3 { keys { internal-view-key; }; };
recursion yes;
allow-recursion { "internal-hosts"; };
# Left empty here; no downstream servers are shown for this setup.
also-notify { }; # Who should we notify?
# Who can notify us? Only the primary's address, signed with this view's key.
allow-notify { !notify-to-reject; key internal-view-key; }; # Who can notify us?
# Who should we allow zone transfers to?
allow-transfer { !transfer-to-reject; key internal-view-key; };
zone "dct.example.com" {
type slave;
file "zones/internal-view/bak.dct.example.com";
masters { dct-masters; };
forwarders { };
};
};
view "external-view" {
match-clients { !key internal-view-key; key external-view-key; "all-ns"; "external-hosts"; };
server 192.168.200.3 { keys { external-view-key; }; };
server 192.168.201.3 { keys { external-view-key; }; };
recursion no;
allow-recursion { none; };
also-notify { }; # Who should we notify?
# Who can notify us? Only the primary's address, signed with this view's key.
allow-notify { !notify-to-reject; key external-view-key; }; # Who can notify us?
# Who should we allow zone transfers to?
allow-transfer { !transfer-to-reject; key external-view-key; };
zone "dct.example.com" {
type slave;
file "zones/external-view/bak.dct.example.com";
masters { dct-masters; };
forwarders { };
};
};