Re: BIND problem

First thought...and it's probably not related to the problem you're 
having...if you're using "match-clients" to limit what IP blocks 
can do lookups, what's with the "allow-query" line?

Second thought, more likely related...and I can't tell, based on the 
snippet you presented...Are you listing all the private zones *inside* the 
"view "private" {" stanza, and all of the public zones *inside* the "view 
"public" {" stanza?

On Mon, 16 Feb 2004, Bill Gradwohl wrote:

> BIND 9.2.3 was running just fine on two name servers (master NS1 & slave
> NS2) until I implemented split DNS using "views".
> 
> I've got about 30 zones, but I'll only present one.
> Here is the portion of my master named.conf that's of interest. 
> 
> view "private" {
>    match-clients { 192.168.168.0/24; 127.0.0.0/8; 66.80.98.192/28; };
>    recursion yes;
>    zone "ycc.com" IN {
>       type master;
>       notify explicit;
>       also-notify { 192.168.168.146; };
>       file "zone/privateycc.com";
>       # Allow the slave to transfer and inquire.
>       allow-transfer { 192.168.168.146; 192.168.168.211; 192.168.168.54; };
>       allow-query { internals; };
>    };
> };
> 
> view "public" {
>    match-clients { any; };
>    recursion no;
>    zone "ycc.com" IN {
>       type master;
>       notify explicit;
>       also-notify { 192.168.168.146; };
>       file "zone/ycc.com";
>       # Allow the slave to transfer and inquire.
>       allow-transfer { 192.168.168.146; 192.168.168.211; 192.168.168.54; };
>       allow-query { any; };
>    };
> };
> 
> Here's the equivalent from the slave box:
> 
> view "private" {
>    match-clients { 192.168.168.0/24; 127.0.0.0/8; 66.80.98.192/28; };
>    recursion yes;
>    zone "ycc.com" IN {
>       type slave;
>       notify no;
>       masters { 192.168.168.144; };
>       file "zone/privateycc.com";
>       # Allow the slave to transfer and inquire.
>       allow-transfer  { 192.168.168.146; 192.168.168.211; 192.168.168.54; };
>       allow-query { internals; };
>    };
> };
> 
> view "public" {
>    match-clients { any; };
>    recursion no;
>    zone "ycc.com" IN {
>       type slave;
>       notify no;
>       masters { 192.168.168.144; };
>       file "zone/ycc.com";
>       # Allow the slave to transfer and inquire.
>       allow-transfer  { 192.168.168.146; 192.168.168.211; 192.168.168.54; };
>       allow-query { any; };
>    };
> };
> 
> I used a sed script to create the slave named.conf from the master version.
> 
> As you can see, the zone files are called privateycc.com and ycc.com for the
> private and public DNS I'd like to manage. The file privateycc.com is full
> of nothing but 192.168.168.x addresses. The file ycc.com is full of nothing
> but 66.80.98.x addresses.
> 
> Problem 1:
> 
> Anyone on the net can query for ycc.com and they get the PRIVATE address.
> That's wrong! I have no idea how this is happening.
> 
> Querying for mail.ycc.com, ns1.ycc.com, ns2.ycc.com, etc gets the proper
> PUBLIC address. Since the public zone file only contains public addresses,
> how can the name server be handing out a private address?
> 
> Problem 2:
> 
> I nuked the zone files on my NS2 box to make absolutely certain that a zone
> transfer would have to drag every zone file from NS1 over to it. Now the
> privateycc.com file is identical to the ycc.com file on NS2 only, after the
> zone transfer. On NS1 they are distinctly different. On NS2 only, every one
> of my 30 zones has identical private and public zone files, whereas on NS1
> they are distinctly different and correct.
> 
> /var/log/named & messages show nothing wrong.
> 
> Any ideas? I think it's a BIND bug, but I wanted more sets of brains looking
> at this.
> 
> PS.    I turned NS2 off for now to limit the weirdness only to NS1.
> 
> 

-- 
Mike Burger
http://www.bubbanfriends.org



-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
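A note on Problem 2 that follows directly from the configuration quoted above: on NS1, "view private" is matched purely by source address, and both of NS2's zone transfer requests (one from its private view, one from its public view) arrive from 192.168.168.146, which is inside 192.168.168.0/24. Both requests therefore hit NS1's private view, and NS2's public view ends up holding a copy of zone/privateycc.com. Views cannot be told apart by source address alone when the same host serves both; the standard fix is one TSIG key per view, so the master selects the view by the key that signed the request. The following named.conf is an added example, not the poster's configuration: the key names private-xfer and public-xfer, the placeholder secrets, and the use of a server statement to sign traffic between the two boxes are all assumptions. BIND 9.2.x only supports hmac-md5 for TSIG; newer releases accept hmac-sha256 and it should be preferred where available.

```conf
# Added example (not the original poster's named.conf): one TSIG key per view,
# so the master routes each of the slave's zone transfers into the right view.
# Key names and secrets are placeholders; generate real secrets with e.g.
#   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST private-xfer
# and paste the "Key:" line from the resulting .private file into "secret".

# --- identical key clauses on BOTH NS1 and NS2 -------------------------------
key "private-xfer" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-FROM-DNSSEC-KEYGEN=";
};
key "public-xfer" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-A-DIFFERENT-BASE64-SECRET=";
};

# --- master NS1 (192.168.168.144) -------------------------------------------
view "private" {
    # A request signed with the public key must NOT land in this view even
    # though it comes from an internal address, so exclude it first.
    match-clients { !key public-xfer; key private-xfer;
                    192.168.168.0/24; 127.0.0.0/8; 66.80.98.192/28; };
    recursion yes;
    # Sign NOTIFYs to the slave, so they reach the slave's private view.
    server 192.168.168.146 { keys { private-xfer; }; };
    zone "ycc.com" IN {
        type master;
        file "zone/privateycc.com";
        notify explicit;
        also-notify { 192.168.168.146; };
        # Only a correctly signed request may pull the private data.
        allow-transfer { key private-xfer; };
    };
};

view "public" {
    match-clients { key public-xfer; any; };
    recursion no;
    server 192.168.168.146 { keys { public-xfer; }; };
    zone "ycc.com" IN {
        type master;
        file "zone/ycc.com";
        notify explicit;
        also-notify { 192.168.168.146; };
        allow-transfer { key public-xfer; };
    };
};

# --- slave NS2 (192.168.168.146) --------------------------------------------
view "private" {
    match-clients { !key public-xfer; key private-xfer;
                    192.168.168.0/24; 127.0.0.0/8; 66.80.98.192/28; };
    recursion yes;
    # Everything this view sends to the master (SOA refresh, AXFR/IXFR) is
    # signed with the private key, so the master answers from its private view.
    server 192.168.168.144 { keys { private-xfer; }; };
    zone "ycc.com" IN {
        type slave;
        masters { 192.168.168.144; };
        file "zone/privateycc.com";
        notify no;
        allow-transfer { key private-xfer; };
    };
};

view "public" {
    match-clients { key public-xfer; any; };
    recursion no;
    server 192.168.168.144 { keys { public-xfer; }; };
    zone "ycc.com" IN {
        type slave;
        masters { 192.168.168.144; };
        file "zone/ycc.com";
        notify no;
        allow-transfer { key public-xfer; };
    };
};
```

To confirm which view a transfer lands in, request an AXFR from the master signed with each key in turn (dig -y public-xfer:SECRET @192.168.168.144 ycc.com axfr, then the same with private-xfer) and check that the answers contain only 66.80.98.x and only 192.168.168.x addresses respectively; an unsigned AXFR from 192.168.168.146 should now be refused by both views. The "!key public-xfer" entry matters: without it, a request signed with the public key but sent from an internal address would still match the private view on its address alone, which is exactly the failure mode quoted above.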
