Views, Tsigs and updates on 9.3.2

2 msg	'Two-in-One DNS Server with BIND9'
4 msg	IdNS help with Bind 9.3.2
1 msg	Documentation for pgsql sdb driver
1 msg	Documentation for PGSQL SDB

Views, Tsigs and updates on 9.3.2
\ Angela Williams (23 Mar 2006)
. \ Angela Williams (24 Mar 2006)
. \ Jeff Lightner (24 Mar 2006)
. \ Angela Williams (24 Mar 2006)
. \ aklist_bind (24 Mar 2006)
. \ Joseph S D Yao (25 Mar 2006)
. . \ Angela Williams (27 Mar 2006)
. . . \ Joseph S D Yao (28 Mar 2006)

2 msg	Documentation for PgSQLDB SDB
7 msg	Question about this site web.da-us.citibank.com...
3 msg	Enterprise Class DNS
3 msg	SERVFAIL in reverse zones
3 msg	gethostbyaddr_r returns zero length hostname (a...
6 msg	unexpected RCODE
2 msg	stranger domain
2 msg	Multiple nameservers for multiple domain names ...
2 msg	MNAME in External Zone Files
1 msg	gandi.net: how to use email forwarding and cust...
2 msg	Several domain names in one machine.
2 msg	Being 'Notified', vs. being a true 'secondary'
10 msg	Help - Bind 9.3.2 die after run several days
4 msg	Caching reverse lookups...
3 msg	Another Lame NameServer Question

Subject:	Views, Tsigs and updates on 9.3.2
Group:	Bind-users
From:	Angela Williams
Date:	23 Mar 2006

Hi!
I have run a pair of bind 9.0.x servers - master and slave for all of our
various company domains plus a bunch of customer domains. Just works like a
wiz! Only problem is the two ip address update method! I want to move to
9.3.2!
I have setup two systems with Gentoo - my own desktop and another server which
is intended to become a new slave server once we closer to moving isp's
To this end I emerged bind and bind-tools on both boxes after checking that
that bind-9.3.2 was no longer masked in the portage tree.
I followed the steps in the 9.3 section of the FAQ - How can i make a server a
slave for both and internal and external view at the same time ........

I have basically copied the two named.conf snippets into my original
named.conf files from the two live servers after deleteing almost every
domain to make it easier to check updates.
Here is the problem!
I trashed the temporary zone files on the slave for both internal and external
views and started both servers named daemons. I then looked at the files
named wrote out for both views on the slave and they are both internal views!
Most unfair to have 'net users trying to connect to my internal ip's!

Ok here are the two named.conf files.

First the master server. IP Address 10.1.30.52

key "rndc-key" {
algorithm hmac-md5;
secret "UB3TJRIJp4wm6Bar4zkj==";
};

key "ext-key" {
algorithm hmac-md5;
secret "dDR06cI6T2ZoG/p+woiD==";
};

controls {
inet * port 953
allow { 127.0.0.1;
10.1.30.50;
}
keys { "rndc-key"; };
};

options {
directory "/var/named";
pid-file "/var/run/named.pid";
notify yes;
allow-transfer {
10.1.30.50;
};
};
//Our views
view "internal" {
// Only internal see us and can query us
match-clients { !key ext-key;
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
127.0.0.1;
};
// and we will lookup outside of our ns
recursion yes;

// All the master servers!
zone "." {
type hint;
file "db.cache";
};
zone "eoh.co.za" {
type master;
file "master-zones/int/eoh.co.za.hosts1";
notify yes;
};
// The internal view ends here!
};

// Our external view!
view "external" {
match-clients { key ext-key; any; };
server 10.1.30.50 { keys ext-key; };
recursion no;
zone "eoh.co.za" {
type master;
file "master-zones/ext/eoh.co.za.hosts1";
notify yes;
};
// this is the end!
};

And here is my slave's - my PC on 10.1.30.50's named.conf

key "rndc-key" {
algorithm hmac-md5;
secret "UB3TJRIJp4wm6Bar4zkj==";
};

key "ext-key" {
algorithm hmac-md5;
secret "dDR06cI6T2ZoG/p+woiD==";
};
controls {
inet * port 953
allow { 127.0.0.1;
10.1.30.52;
10.1.30.50;}
keys { "rndc-key"; };
};
options {
directory "/var/bind";
listen-on-v6 { none; };
pid-file "/var/run/named/named.pid";
};

//Our views

view "internal" {
// Only internal see us and can query us
match-clients { !key ext-key;
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
127.0.0.1;
};
recursion yes;

// All the master servers!
zone "." {
type hint;
file "db.cache";
};
zone "eoh.co.za" {
type slave;
file "slave-zones/int/eoh.co.za.hosts";
masters {
10.1.30.52;
};
};
// The internal view ends here!
};

// Our external view!
view "external" {
match-clients { key ext-key; any; };
server 10.1.0.52 { keys ext-key; };
recursion no;

zone "eoh.co.za" {
type slave;
file "slave-zones/ext/eoh.co.za.hosts";
masters {
10.1.30.52;
};
};
// The end of external view
};

Here are my two zone files!
First the external one for eoh.co.za
$ttl 3600
eoh.co.za. IN SOA eohns0.eoh.co.za. awilliams.eoh.co.za. (
2006030904
10815
3600
604800
3840 )
eoh.co.za. IN NS eohns0.eoh.co.za.
eoh.co.za. IN NS eohns1.eoh.co.za.
eohns0.eoh.co.za. IN A 10.1.30.52
eohns1.eoh.co.za. IN A 10.1.30.50

Now the internal one
$ttl 3600
eoh.co.za. IN SOA eohns0.eoh.co.za. awilliams.eoh.co.za. (
2006032301
10815
3600
604800
3840 )
eoh.co.za. IN NS eohns0.eoh.co.za.
eoh.co.za. IN NS eohns1.eoh.co.za.
eohns0.eoh.co.za. IN A 10.1.30.52
eohns1.eoh.co.za. IN A 10.1.30.50
mngc.eoh.co.za. IN A 10.1.30.199

I used ethereal to look at the packets back and forth once I had stopped
named on my PC - the slave 1.1.30.50, removed the temp zone files and
restarted named. I cannot see any Tsig signed data going back and forth!
I had originally had the keys called external as per FAQ and changed them to
see if it solved the problem! Nope!
I have run both sides with debug 5 but cannot see anything that makes sense!
The mailing list does not seem to show much either!

I then changed the serial number on the external view on master 10.1.30.52 and
did an rndc reload eoh.co.za. in external, ethereal shows the signed update
packet and a signed response but thats it!

Is the time in sync on both servers? Well as good as ntp can keep them! Both
run ntp servers synced to the same external time sources!

Ok the ball is now in the list's court!

Cheers
Ang

--
Angela Williams Enterprise Outsourcing
SCO Unix/Linux & Cisco spoken here! Bedfordview
awilliams Gauteng South Africa

Smile!! Jesus Loves You!!