I have a simple lab/test master/slave setup (shown below) and I want to transfer both views to the slave.
Unfortunately, after the zone transfer both views on the slave contain the records from the master's "external" view. I have read several other threads on serverfault about similar problems, but none of them worked for me.
Master (10.1.10.99):
acl "internals" {
127.0.0.0/8;
10.1.20.0/24;
};
acl "externals" {
10.1.10.0/24;
};
key "external_key" {
algorithm hmac-md5;
secret "xxxxx";
};
view "internal"
{
also-notify {10.1.10.103; };
match-clients { !key external_key; "internals"; };   // negation goes before the key element, not inside the key name
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
[...]
};
view "external"
{
match-clients {key "external_key"; "externals"; };
server 10.1.10.103 { keys "external_key";};
zone "example.com" {
type master;
file "/etc/bind/db.external.example.com";
};
};
Slave (10.1.10.103):
acl "internals" {
127.0.0.0/8;
10.1.20.0/24;
};
acl "externals" {
10.1.10.0/24;
};
key external_key {
algorithm hmac-md5;
secret "xxxxx";
};
view "internal"
{
match-clients { !key external_key; "internals"; };   // negation goes before the key element, not inside the key name
zone "example.com" {
type slave;
masters {10.1.10.99;};
};
[...]
};
view "external"
{
match-clients {key "external_key"; "externals"; };
server 10.1.10.99 { keys "external_key";};
zone "example.com" {
type slave;
masters { 10.1.10.99;};
};
};
On my slave I get:
Nov 24 23:36:24 ubuntu named[654]: zone example.com/IN/external: Transfer started.
Nov 24 23:36:24 ubuntu named[654]: zone example.com/IN/internal: Transfer started.
Nov 24 23:36:24 ubuntu named[654]: transfer of 'example.com/IN/external' from 10.1.10.99#53: connected using 10.1.10.103#58947 TSIG external_key
Nov 24 23:36:24 ubuntu named[654]: transfer of 'example.com/IN/internal' from 10.1.10.99#53: connected using 10.1.10.103#46287
Nov 24 23:36:24 ubuntu named[654]: zone example.com/IN/external: transferred serial 2006020201: TSIG 'external_key'
Nov 24 23:36:24 ubuntu named[654]: transfer of 'example.com/IN/external' from 10.1.10.99#53: Transfer status: success
Nov 24 23:36:24 ubuntu named[654]: transfer of 'example.com/IN/external' from 10.1.10.99#53: Transfer completed: 1 messages, 6 records, 259 bytes, 0.008 secs (32375 bytes/sec)
Nov 24 23:36:24 ubuntu named[654]: zone example.com/IN/internal: transferred serial 2006020201
Nov 24 23:36:24 ubuntu named[654]: transfer of 'example.com/IN/internal' from 10.1.10.99#53: Transfer status: success
Nov 24 23:36:24 ubuntu named[654]: transfer of 'example.com/IN/internal' from 10.1.10.99#53: Transfer completed: 1 messages, 6 records, 177 bytes, 0.009 secs (19666 bytes/sec)
It looks like both views are transferred correctly, but on the master I get:
Nov 24 23:36:23 ubuntu named[2240]: client @0x7f4a700d5cb0 10.1.10.103#58947/key external_key (example.com): view external: transfer of 'example.com/IN': AXFR started: TSIG external_key (serial 2006020201)
Nov 24 23:36:23 ubuntu named[2240]: client @0x7f4a700d5cb0 10.1.10.103#58947/key external_key (example.com): view external: transfer of 'example.com/IN': AXFR ended
Nov 24 23:36:23 ubuntu named[2240]: client @0x7f4a70057690 10.1.10.103#46287 (example.com): view external: transfer of 'example.com/IN': AXFR started (serial 2006020201)
Nov 24 23:36:23 ubuntu named[2240]: client @0x7f4a70057690 10.1.10.103#46287 (example.com): view external: transfer of 'example.com/IN': AXFR ended
It looks like the external view is transferred twice.
I also tried following https://kb.isc.org/docs/aa-00296 but it did not help.
Any suggestions/help would be greatly appreciated.
Answer 1
Currently, when no key is used, the slave matches the "wrong" view (according to your IP-based match rules).
The most obvious and most reliable solution is probably to have one key per view for this purpose, and to match on all of the keys (positively/negatively) in every view.
That way you remove the factor of which view currently has a key associated with it, combined with the view order, combined with the IP-based match rules for regular clients. With your current approach that combination is critical to get right (and the problem stems from that combination being incorrect).
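As a worked example of the suggestion above (added here; it is not part of the original answer or the question), the configuration below gives each view its own TSIG key and lists both keys, positively and negatively, in every match-clients list on both servers, so that a signed request is routed by its key and never falls through to IP-based matching. The key name internal_key, the hmac-sha256 algorithm, the allow-transfer lines and the placeholder secrets are assumptions; the addresses, ACLs, zone name and file paths are the ones from the question.

```conf
// ---- Master (10.1.10.99) ----
// Added example: one TSIG key per view. Secrets are placeholders;
// generate real ones with tsig-keygen and keep them identical on both hosts.
acl "internals" { 127.0.0.0/8; 10.1.20.0/24; };
acl "externals" { 10.1.10.0/24; };

key "internal_key" {                    // assumed name
    algorithm hmac-sha256;              // assumed; hmac-md5 from the question is deprecated in BIND
    secret "PLACEHOLDER_INTERNAL_BASE64";
};
key "external_key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_EXTERNAL_BASE64";
};

view "internal"
{
    // The first matching element decides: a request signed with external_key
    // is rejected here even though 10.1.10.103 is not in "internals".
    match-clients { !key external_key; key internal_key; "internals"; };
    // Sign NOTIFY messages to the slave with this view's key so they land in its internal view.
    server 10.1.10.103 { keys internal_key; };
    also-notify { 10.1.10.103; };
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
        allow-transfer { key internal_key; };   // assumed hardening: only keyed AXFR for this view
    };
};

view "external"
{
    match-clients { !key internal_key; key external_key; "externals"; };
    server 10.1.10.103 { keys external_key; };
    also-notify { 10.1.10.103; };
    zone "example.com" {
        type master;
        file "/etc/bind/db.external.example.com";
        allow-transfer { key external_key; };
    };
};

// ---- Slave (10.1.10.103) ----
// Same acl and key statements as on the master (omitted here), then:
view "internal"
{
    match-clients { !key external_key; key internal_key; "internals"; };
    // Each view signs its own AXFR requests to the master with its own key,
    // so the master's match-clients lists pick the matching view.
    server 10.1.10.99 { keys internal_key; };
    zone "example.com" {
        type slave;
        masters { 10.1.10.99; };
    };
};

view "external"
{
    match-clients { !key internal_key; key external_key; "externals"; };
    server 10.1.10.99 { keys external_key; };
    zone "example.com" {
        type slave;
        masters { 10.1.10.99; };
    };
};
```

Run named-checkconf on both hosts before reloading. After the reload, the slave's log should show the example.com/IN/internal transfer connecting with TSIG internal_key, and the master should log that AXFR under view internal instead of logging two transfers under view external as in the question. Because every view now contains a negative match for the other view's key, the order of the view statements no longer affects which view a signed request reaches.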