Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-04 Thread Roberto Carna
Dear people, finally I could get my zone transfers to work.

I have reviewed my config one more time and I am using one TSIG key for each
view.

Thanks a lot, regards!!!

On Thu, 4 Jul 2019 at 9:38, Tony Finch () wrote:

> Roberto Carna  wrote:
> >
> > As I have shown above, I use two views with a TSIG key for each view, but
> > the zone transfer doesn't work.
>
> The redacted config you posted did not consistently use key one in view
> one and key two in view two. I don't know if your real config has the same
> mistake or not.
>
> You might find your logs help you to debug the problem, though recent
> versions of BIND are better at logging details of TSIG keys.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Trafalgar: Cyclonic 4 or 5, occasionally 6 in north. Moderate or rough.
> Thundery showers. Good, occasionally poor.
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-04 Thread Tony Finch
Roberto Carna  wrote:
>
> As I have shown above, I use two views with a TSIG key for each view, but
> the zone transfer doesn't work.

The redacted config you posted did not consistently use key one in view
one and key two in view two. I don't know if your real config has the same
mistake or not.

You might find your logs help you to debug the problem, though recent
versions of BIND are better at logging details of TSIG keys.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Trafalgar: Cyclonic 4 or 5, occasionally 6 in north. Moderate or rough.
Thundery showers. Good, occasionally poor.


Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-04 Thread Roberto Carna
Dear, thanks for your help.

As I have shown above, I use two views with a TSIG key for each view, but
the zone transfer doesn't work.

Please can you send me your Bind views configuration if you can, on master
and slave sides?

Thanks a lot again.

Regards!!!

On Wed, 3 Jul 2019 at 17:27, Sten Carlsen () wrote:

>
>
> On 03/07/2019 22.14, Grant Taylor via bind-users wrote:
>
> On 7/3/19 2:04 PM, Lightner, Jeffrey wrote:
>
> You have to use separate IPs for the separate views on the master and the
> slave.
>
>
> I thought you could use different TSIG keys to identify different zones
> with a single IP at each end.
>
> Is that not the case?
>
> As far as I am aware the two views must use different keys, with the same
> IP the key (or the view's ACL) is the only thing to distinguish between the
> views.
>
> You can use the same IP for both views at least on the master, I have that
> setup and have for a very long time seen it running without any problem. I
> do not use keys but let view ACL do the work.
>


Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-03 Thread Sten Carlsen


On 03/07/2019 22.14, Grant Taylor via bind-users wrote:
> On 7/3/19 2:04 PM, Lightner, Jeffrey wrote:
>> You have to use separate IPs for the separate views on the master and
>> the slave.
>
> I thought you could use different TSIG keys to identify different
> zones with a single IP at each end.
>
> Is that not the case?
As far as I am aware the two views must use different keys, with the
same IP the key (or the view's ACL) is the only thing to distinguish
between the views.

You can use the same IP for both views at least on the master, I have
that setup and have for a very long time seen it running without any
problem. I do not use keys but let view ACL do the work.


Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-03 Thread Grant Taylor via bind-users

On 7/3/19 2:04 PM, Lightner, Jeffrey wrote:
You have to use separate IPs for the separate views on the master and 
the slave.


I thought you could use different TSIG keys to identify different zones 
with a single IP at each end.


Is that not the case?



--
Grant. . . .
unix || die


RE: Bind 9 with Views: zone transfer refused from master to slave

2019-07-03 Thread Lightner, Jeffrey
You have to use separate IPs for the separate views on the master and the slave.

Here we just put alias IPs on the primary interfaces and use those for the 
second view.


From: bind-users  On Behalf Of Roberto Carna
Sent: Wednesday, July 03, 2019 3:21 PM
To: ML BIND Users 
Subject: Bind 9 with Views: zone transfer refused from master to slave

Hi people, I have master/slave Bind 9.10.3 servers configured with views and 
TSIG keys on a Debian 9 host. But the transfer from master to slave is refused 
on the slave side, and there is no descriptive error.

In both views I have delegated the same two zones: black.com 
and white.com, with different records according to the view.

Please, if I send my configuration, can you help me detect the failure in the 
zone transfer from master to slave? Thanks a lot in advance.

MASTER

named.conf:

key "rndc-key" {
    algorithm hmac-md5;
    secret "+PGWO1r5rrT8hcA47Anu0w==";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
    directory "/var/cache/bind";
    also-notify { 10.0.0.2; };
    dnssec-validation no;
    dnssec-enable yes;
    auth-nxdomain no;
    allow-query { any; };
    notify explicit;
    recursion no;
    version "none";
};


named.conf.local:

key one {
    algorithm HMAC-MD5;
    secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
    algorithm HMAC-MD5;
    secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
    algorithm HMAC-MD5;
    secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
    match-clients { one; };
    server 10.0.0.2 { keys one; };
    recursion yes;
    allow-transfer { key one; };

    zone "black.com." {
        type master;
        file "/etc/bind/zones/black.com.one.db";
        also-notify { 10.0.0.2 key one; };
    };

    zone "white.com" {
        type master;
        file "/etc/bind/zones/white.com.one.db";
        also-notify { 10.0.0.2 key one; };
    };
};

view "two" {
    match-clients { two; };
    server 10.0.0.2 { keys two; };
    recursion yes;
    allow-transfer { key two; };

    zone "black.com." {
        type master;
        file "/etc/bind/zones/black.com.two.db";
        also-notify { 10.0.0.2 key one; };
    };

    zone "white.com" {
        type master;
        file "/etc/bind/zones/white.com.two.db";
        also-notify { 10.0.0.2 key one; };
    };
};


SLAVE

named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
    directory "/var/cache/bind";
    allow-transfer { "none"; };
    dnssec-validation no;
    dnssec-enable yes;
    auth-nxdomain no;
    allow-query { any; };
    notify explicit;
    recursion no;
    version "none";
};


named.conf.local:

key one {
    algorithm HMAC-MD5;
    secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
    algorithm HMAC-MD5;
    secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
    algorithm HMAC-MD5;
    secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
    match-clients { one; };
    server 10.0.0.1 { keys one; };
    recursion yes;

    zone "black.com" {
        type slave;
        masters { 10.0.0.1 key one; };
        file "/etc/bind/zones/black.com.one.db";
    };

    zone "white.com" {
        type slave;
        masters { 10.0.0.1 key one; };
        file "/etc/bind/zones/white.com.one.db";
    };
};

view "two" {
    match-clients { two; };
    server 10.0.0.1 { keys two; };
    recursion yes;

    zone "black.com" {
        type slave;
        masters { 10.0.0.1 key one; };
        file "/etc/bind/zones/black.com.two.db";
    };

    zone "white.com" {
        type slave;
        masters { 10.0.0.1 key one; };
        file "/etc/bind/zones/white.com.two.db";
    };
};
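The inconsistency Tony points out earlier in the thread (view "two" authenticating with key two while its zones still name key one) is easy to miss by eye in a multi-view named.conf, so here is a small check for it: for each view, take the key named in its server statement and flag every zone whose masters or also-notify names a different key. This is an added example, not code from the thread or from BIND; the sample input is constructed to mirror the slave's named.conf.local above, and the minimal brace parser assumes the simple block layout shown there.

```python
"""Check a named.conf fragment for the mistake discussed in this thread: a view
that authenticates with one TSIG key but names a different key in its zones.
Added example, not code from the original post or from BIND; the parser only
handles the simple block structure used in the configuration above."""
import re

# Constructed sample modelled on the slave's named.conf.local as posted:
# view "two" talks to the master with key two, but its zones pull with key one.
SAMPLE_CONF = """
view "one" {
    server 10.0.0.1 { keys one; };
    zone "black.com" { type slave; masters { 10.0.0.1 key one; }; };
    zone "white.com" { type slave; masters { 10.0.0.1 key one; }; };
};
view "two" {
    server 10.0.0.1 { keys two; };
    zone "black.com" { type slave; masters { 10.0.0.1 key one; }; };
    zone "white.com" { type slave; masters { 10.0.0.1 key one; }; };
};
"""

KEY_REF = r'"?([\w.-]+)"?'  # key names may be bare words or quoted strings


def blocks(text, keyword):
    """Yield (name, body) for each '<keyword> "name" { ... }' block, counting
    braces so that zone blocks nested inside a view are split correctly."""
    for m in re.finditer(r'\b%s\s+"([^"]+)"\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def find_key_mismatches(conf):
    """Return [(view, zone, key_used, key_expected)] for every zone-level
    'key X' (masters / also-notify) that differs from the key named in the
    view's 'server ... { keys X; }' statement."""
    findings = []
    for view, vbody in blocks(conf, "view"):
        srv = re.search(r"\bkeys\s+" + KEY_REF + r"\s*;", vbody)
        if srv is None:  # no server statement: nothing to compare against
            continue
        expected = srv.group(1)
        for zone, zbody in blocks(vbody, "zone"):
            for used in re.findall(r"\bkey\s+" + KEY_REF, zbody):
                if used != expected:
                    findings.append((view, zone, used, expected))
    return findings
```

Run it over the real named.conf.local of each server (master and slave) after every change; an empty result means every view's zones agree with the key that view uses to talk to its peer.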