07 February 2014

Overview

ISC BIND supports the view clause. The view clause allows BIND to provide different functionality based on the hosts accessing it. In other words, you can serve the same zone differently depending on the client's request (mostly the source IP).

Setting up such a scenario is really easy. But getting AXFR to the slave server to work correctly with these views took me some time to figure out.

The easiest way is to have a different IP address on master and slave for the AXFR. But if you have many zones, you will need many IP addresses.

Using TSIG is a little bit more complex, but it works well. I will describe an example with 2 views. Extending it to more views should be easy.

Setup

Let me show the AXFR using one IP on each server and TSIG.

Assume we have

* views internal and external
* DNS master on IP 10.10.10.10
* DNS slave on IP 20.20.20.20

On both servers (master and slave)

Generate the TSIG keys

There are many examples of how to do this, but I will guide you step by step.

Log in to one of the servers (master is preferred) and follow the next steps:

# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST transfer-internal
Ktransfer-internal.+157+14348
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST transfer-external
Ktransfer-external.+157+30686

and if you list the files you should see

# ls -1
Ktransfer-external.+157+30686.key
Ktransfer-external.+157+30686.private
Ktransfer-internal.+157+14348.key
Ktransfer-internal.+157+14348.private

and the content of the private parts of the keys is

# cat Ktransfer-internal.+157+14348.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: KeYSJ2wL5ATTk0beyyLAvA==
Bits: AAA=
Created: 20140208161850
Publish: 20140208161850
Activate: 20140208161850

# cat Ktransfer-external.+157+30686.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: QM2N0SAM6Wsnkm+47iMUvA==
Bits: AAA=
Created: 20140208161855
Publish: 20140208161855
Activate: 20140208161855

Finally add the following statements to the configuration files on both servers:

key "transfer-internal" {
        algorithm hmac-md5;
        secret "KeYSJ2wL5ATTk0beyyLAvA==";
};

key "transfer-external" {
        algorithm hmac-md5;
        secret "QM2N0SAM6Wsnkm+47iMUvA==";
};

Define ACL

Define the internal and external network ACLs.

acl "internal" {
        10.0.0.0/8; 127.0.0.1;
};

acl "external" {
        192.168.0.0/16;
};

On master server only

To the keys and ACL configuration add the following lines:

view "internal-view" {
    match-clients {
        ! key transfer-external;
        internal;
        key transfer-internal;
    };
    allow-transfer { 20.20.20.20; };
    server 20.20.20.20 {
        keys "transfer-internal";
    };
    // add your zone configuration for INTERNAL VIEW HERE
};

view "external-view" {
    match-clients {
        ! key transfer-internal;
        external;
        key transfer-external;
    };
    allow-transfer { 20.20.20.20; };
    server 20.20.20.20 {
        // must be the key defined above for this view
        keys "transfer-external";
    };
    // add your zone configuration for EXTERNAL VIEW HERE
};

Maybe you are asking why there are so many lines in the match-clients statement. In most cases the slave server IP belongs to one of the views, and because match-clients is evaluated in order with the first matching element deciding, a transfer request from the slave signed with the other view's key would otherwise match this view by its source address. After a while I found out that I need to negate all the other keys to get it working.
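To make that ordering visible, here is a small Python model of how BIND evaluates an address match list (first matching element wins, a matching negated element rejects) and then picks the first view that accepts the request. It is an added example, not part of the original post or of BIND itself; the ACLs and view lists are the ones from this post, and the slave address 10.10.10.20 is a constructed one that falls inside the internal ACL, which is the case the text describes.

```python
import ipaddress

# ACLs as defined on the page.
ACLS = {
    "internal": ["10.0.0.0/8", "127.0.0.1"],
    "external": ["192.168.0.0/16"],
}

def element_matches(elem, src_ip, key_name):
    """One address-match-list element: 'key NAME', an ACL name, or an address/prefix."""
    if elem.startswith("key "):
        return key_name == elem[4:]
    if elem in ACLS:
        return any(element_matches(e, src_ip, key_name) for e in ACLS[elem])
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(elem, strict=False)

def list_matches(match_list, src_ip, key_name):
    """First matching element decides; if that element is negated ('! ...') the list rejects."""
    for elem in match_list:
        negated = elem.startswith("! ")
        if element_matches(elem[2:] if negated else elem, src_ip, key_name):
            return not negated
    return False

def select_view(views, src_ip, key_name=None):
    """BIND hands the request to the first view whose match-clients accepts it."""
    for name, match_list in views:
        if list_matches(match_list, src_ip, key_name):
            return name
    return None

# Master views exactly as on the page, with the negated key entries.
VIEWS_WITH_NEGATION = [
    ("internal-view", ["! key transfer-external", "internal", "key transfer-internal"]),
    ("external-view", ["! key transfer-internal", "external", "key transfer-external"]),
]
# The same views without the negated entries, for comparison.
VIEWS_WITHOUT_NEGATION = [
    ("internal-view", ["internal", "key transfer-internal"]),
    ("external-view", ["external", "key transfer-external"]),
]

SLAVE_IP = "10.10.10.20"  # constructed: a slave whose address lies inside the internal ACL

if __name__ == "__main__":
    for label, views in (("without negation", VIEWS_WITHOUT_NEGATION), ("with negation", VIEWS_WITH_NEGATION)):
        for key in ("transfer-internal", "transfer-external"):
            print(f"{label}: AXFR from {SLAVE_IP} signed with {key} -> {select_view(views, SLAVE_IP, key)}")
```

Without the negated entries the transfer signed with transfer-external lands in internal-view, so the slave receives the internal zone data for its external view.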

On slave server only

To the keys and ACL configuration add the following lines:

view "internal-view" {
    match-clients {
        ! key transfer-external;
        key transfer-internal;
        internal;
    };
    server 10.10.10.10 {
        keys "transfer-internal";
    };
    // add your zone configuration for INTERNAL VIEW HERE
};

view "external-view" {
    match-clients {
        ! key transfer-internal;
        key transfer-external;
        // the ACL defined above for this view
        external;
    };
    server 10.10.10.10 {
        keys "transfer-external";
    };
    // add your zone configuration for EXTERNAL VIEW HERE
};