inkblot/puppet-bind

need allow-transfer parameter in views.conf

Closed this issue · 0 comments

Please see https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html and search for the string: allow-transfer { key trusted-key; };

I need to enter this parameter in the file "views.conf" to support my split DNS configuration.

The allow-transfer parameter is required because I would like to have a slave nameserver with two views, one for external accesses and the other for internal accesses. BIND decides which view to use by the IP address of the client (defined in acls.conf). When Puppet updates the master nameserver, the nameserver sends notifications to its slaves. If the slave nameserver is on the internal network, then for any zone transfer the internal master zone is used. If it is on the external network, then the external master zone is used. Therefore it is not possible to configure a slave nameserver with both an internal and external view - they will always be updated from the same master zone file.

To force the zone update from the correct zone file, I have to use a zone file like this one on the slave (note the "key external" parameter in the masters section. I can enter this in the puppet configuration without problems):

# This file managed by puppet - changes will be lost
zone "example.com" {
        type slave;
        file "/var/cache/bind/example.com-external/example.com";
        notify no;
        allow-notify {
                10.1.1.6;
        };
        masters {
                10.1.1.6 key external;
        };
};

and a views.conf file like this one on the master (note the allow-transfer { key external; }; entry).

# This file is managed by puppet - changes will be lost

view "external" {
        match-clients {
                external;
        };
        recursion no;
        include "/etc/bind/named.conf.default-zones";

        include "/etc/bind/zones/example.com-external.conf";
        allow-transfer { key external; };
};

If I use this configuration, all slaves update correctly; however, it is not possible to add the allow-transfer { key external; }; parameter using Puppet.
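The per-view transfer policy described in this issue, as an added example that is not part of the original post and not code from inkblot/puppet-bind: a small Python script that renders a two-view views.conf in the layout quoted above (the "internal" view, its ACL name, its key name and its include path are assumptions added here) and then audits any views.conf text for views whose allow-transfer is missing, set to any, or restricted only by address rather than by a TSIG key. The audit is useful on the master because a view that serves slaves but has no keyed allow-transfer may, depending on BIND version and options defaults, hand the zone to any client that asks.

```python
"""Render a split-horizon BIND views.conf and audit its zone-transfer policy.

Added example for the issue above; not code from inkblot/puppet-bind and not
the module's API. The "external" view and key match the issue's config; the
"internal" view, ACL, key and include path are constructed for illustration.
"""
import re

# Constructed view descriptions. The dict keys are this example's own and are
# not parameters of the puppet-bind module.
VIEWS = [
    {
        "name": "external",
        "match_clients": ["external"],
        "recursion": False,
        "includes": ["/etc/bind/named.conf.default-zones",
                     "/etc/bind/zones/example.com-external.conf"],
        "allow_transfer": ["key external"],
    },
    {
        "name": "internal",  # assumed second view
        "match_clients": ["internal"],
        "recursion": True,
        "includes": ["/etc/bind/named.conf.default-zones",
                     "/etc/bind/zones/example.com-internal.conf"],
        "allow_transfer": ["key internal"],  # assumed TSIG key name
    },
]


def render_view(view: dict) -> str:
    """Emit one view {} block in the indentation style used by the issue's views.conf."""
    lines = [f'view "{view["name"]}" {{', "        match-clients {"]
    lines += [f"                {acl};" for acl in view["match_clients"]]
    lines.append("        };")
    lines.append(f'        recursion {"yes" if view["recursion"] else "no"};')
    for inc in view["includes"]:
        lines.append(f'        include "{inc}";')
    transfer = view.get("allow_transfer")
    if transfer is not None:
        body = " ".join(f"{t};" for t in transfer)
        lines.append(f"        allow-transfer {{ {body} }};")
    lines.append("};")
    return "\n".join(lines)


def render_views_conf(views: list) -> str:
    """Whole views.conf: header comment plus one block per view."""
    header = "# This file is managed by puppet - changes will be lost\n\n"
    return header + "\n\n".join(render_view(v) for v in views) + "\n"


VIEW_RE = re.compile(r'view\s+"([^"]+)"\s*\{')
ALLOW_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def _block_body(text: str, start: int) -> str:
    """Return the text between the brace at index `start` and its matching brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in views.conf")


def audit_transfers(conf_text: str) -> dict:
    """Map each view name to its transfer policy: key, address, none, open or missing."""
    result = {}
    for m in VIEW_RE.finditer(conf_text):
        body = _block_body(conf_text, m.end() - 1)
        found = ALLOW_RE.search(body)
        if found is None:
            result[m.group(1)] = "missing"  # inherits options {} or the built-in default
            continue
        items = [t.strip() for t in found.group(1).split(";") if t.strip()]
        if any(t == "any" for t in items):
            result[m.group(1)] = "open"
        elif items and all(t == "none" for t in items):
            result[m.group(1)] = "none"
        elif any(t.startswith("key ") for t in items):
            result[m.group(1)] = "key"  # TSIG-restricted, as in the issue
        else:
            result[m.group(1)] = "address"  # IP/ACL restricted only
    return result


def insecure_views(conf_text: str) -> list:
    """Views that would benefit from an explicit keyed allow-transfer."""
    return [name for name, policy in audit_transfers(conf_text).items()
            if policy in ("open", "missing")]


if __name__ == "__main__":
    rendered = render_views_conf(VIEWS)
    print(rendered)
    print(audit_transfers(rendered))
```

Run on the rendered file, both views report "key"; run on a views.conf where a view has allow-transfer { any; } or no allow-transfer at all, insecure_views lists it, which is the check a Puppet-managed master should pass before the module's views.conf is considered complete.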