Re: View selection via TSIG
In message 6913b169-0b0e-42e0-bc30-92d188036...@tcbug.org, Josh Paetzel writes:

> On Aug 19, 2009, at 11:07 AM, Kirk wrote:
>
>>> logging {
>>>     channel my_log {
>>>         file "/var/log/bind/named.log" versions 3 size 5m;
>>>         severity warning;
>>>         print-time yes;
>>>         print-severity yes;
>>>         print-category yes;
>>>     };
>>>     category notify { my_log; };
>>> };
>>>
>>> I've changed the category to default to make sure that it can log that and it can.
>>>
>>> Thanks,
>>> Josh Paetzel
>>
>> Josh, I can't answer your question about views, but here are the pertinent logging statements I am using and they seem to work.
>>
>> channel notify {
>>     file "logs/notify_log" versions 2 size 1m;
>>     print-time yes;
>> };
>> category notify { notify; };
>>
>> If you are running chroot you might wanna verify that named can log to the directory you listed in your logging statement.
>
> Thanks. That worked, and I was quickly able to see what I was doing wrong. My primary nameserver was matching an IP in one of the views. So all the notifies were seen by the slave as being in that one view.

IPs override keys. Acl matches are order sensitive. The !key is in the examples to prevent the signed message matching the view and moving onto the next one.

> Issue solved, thanks everyone who helped.
>
> Thanks,
> Josh Paetzel

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: View selection via TSIG
On Aug 19, 2009, at 6:30 PM, Mark Andrews wrote:

>> Thanks. That worked, and I was quickly able to see what I was doing wrong. My primary nameserver was matching an IP in one of the views. So all the notifies were seen by the slave as being in that one view.
>
> IPs override keys. Acl matches are order sensitive. The !key is in the examples to prevent the signed message matching the view and moving onto the next one.

Ok, that makes even more sense. I was getting what appeared to be very non-deterministic behavior, but well, of course, once you know the rules it makes a lot of sense.

In my case with multiple views and multiple keys..

{ subnet A; key A;}; { subnet B; key B;}; {subnet C; key C;}; {subnet D; key D}:

If the server was in subnet C, and used key A or B it would work fine, but just by coincidence. Key C would work too, once again, by coincidence...but key D...boom.

Anyways, it's working great now. Thanks to everyone who helped.

Thanks,
Josh Paetzel
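
The first-match behaviour discussed in this thread, as an added example (not code from the posters or from BIND): a simplified Python model of how ordered `match-clients` lists pick a view, comparing the `{ subnet X; key X; }` layout with a key-first layout that negates the other views' keys. The subnets, the key names A to D and the peer address are constructed for illustration.

```python
import ipaddress

def element_matches(element, src_ip, tsig_key):
    """True if one ACL element (with any leading '!' removed) matches."""
    if element == "any":
        return True
    if element.startswith("key "):
        return tsig_key == element[4:]
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(element)

def acl_accepts(acl, src_ip, tsig_key):
    """The first matching element decides: plain accepts, '!' rejects."""
    for element in acl:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!").strip(), src_ip, tsig_key):
            return not negated
    return False  # no element matched

def select_view(views, src_ip, tsig_key=None):
    """Views are tried in configuration order; the first accepting one wins."""
    for name, acl in views:
        if acl_accepts(acl, src_ip, tsig_key):
            return name
    return None

# Constructed documentation-range subnets, one per view (assumption).
NETS = {"A": "192.0.2.0/26", "B": "192.0.2.64/26",
        "C": "192.0.2.128/26", "D": "192.0.2.192/26"}

# Layout described in the thread: { subnet X; key X; } in each view.
ORIGINAL = [(v, [NETS[v], f"key {v}"]) for v in "ABCD"]

# Key-first layout: reject the other views' keys before any address test.
FIXED = [(v, [f"!key {o}" for o in "ABCD" if o != v] + [f"key {v}", NETS[v]])
         for v in "ABCD"]

PEER = "192.0.2.130"  # constructed: the other name server, inside subnet C

def views_for_each_key(views):
    """Which view a message from PEER lands in, per TSIG key used."""
    return {k: select_view(views, PEER, k) for k in "ABCD"}

if __name__ == "__main__":
    print("original:", views_for_each_key(ORIGINAL))
    print("fixed:   ", views_for_each_key(FIXED))
```

In the original layout a message signed with key D from a host in subnet C is claimed by view C's address element before view D is ever tried; with the negated keys in front, each signed message reaches the view of its own key.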
Re: View selection via TSIG
On Aug 16, 2009, at 12:26 AM, Mark Andrews wrote:

> In message 5ea10b89-4650-4f82-a41d-cb511ce2a...@tcbug.org, Josh Paetzel writes:
>
>> I've googled a bit and been unable to find the solution that I need.
>>
>> I have a master nameserver that has 4 views configured. I have a slave for this that is currently using 4 IPs to slave the views. This works fairly well, except that the slave server is unable to handle NOTIFY from the master. So when I do an update to a zone I have to stop the slave, delete its cache files, and restart it. The slave is able to properly load zones, since it uses the correct IPs to transfer the zones, and it gets the right views, all is well.
>>
>> I've read that BIND 9.3 can use TSIG for view selection, but all I've been able to find is using TSIG for one view, and no TSIG for the other view. What I would like to do is configure four separate TSIG keys and do view selection based on which key is used. Is this possible? And where can I find documentation on it?
>
> Yes. Read the FAQ.

I read the FAQ, and there was a question entitled "How to share a dynamic zone between multiple views?" that seemed to get me most of the way there. I am now running my slave nameserver on one IP, and zone transfers seem to work fine. NOTIFY also seems to work for every view but the external view. This is somewhat perplexing to me. Tomorrow I plan on turning on logging for NOTIFY to see if I can at least determine what is going on. If you have any tips or common gotchas feel free to let me know.

Thanks,
Josh Paetzel
Re: View selection via TSIG
In message 96123fb1-1f2e-493c-bbb8-24a86a1dd...@tcbug.org, Josh Paetzel writes:

> On Aug 16, 2009, at 12:26 AM, Mark Andrews wrote:
>
>> In message 5ea10b89-4650-4f82-a41d-cb511ce2a...@tcbug.org, Josh Paetzel writes:
>>
>>> I've googled a bit and been unable to find the solution that I need.
>>>
>>> I have a master nameserver that has 4 views configured. I have a slave for this that is currently using 4 IPs to slave the views. This works fairly well, except that the slave server is unable to handle NOTIFY from the master. So when I do an update to a zone I have to stop the slave, delete its cache files, and restart it. The slave is able to properly load zones, since it uses the correct IPs to transfer the zones, and it gets the right views, all is well.
>>>
>>> I've read that BIND 9.3 can use TSIG for view selection, but all I've been able to find is using TSIG for one view, and no TSIG for the other view. What I would like to do is configure four separate TSIG keys and do view selection based on which key is used. Is this possible? And where can I find documentation on it?
>>
>> Yes. Read the FAQ.
>
> I read the FAQ, and there was a question entitled "How to share a dynamic zone between multiple views?" that seemed to get me most of the way there. I am now running my slave nameserver on one IP, and zone transfers seem to work fine. NOTIFY also seems to work for every view but the external view. This is somewhat perplexing to me. Tomorrow I plan on turning on logging for NOTIFY to see if I can at least determine what is going on. If you have any tips or common gotchas feel free to let me know.
>
> Thanks,
> Josh Paetzel

You need to make the notify go to the correct view by using appropriate server clauses at the view level. It's a matter of making what the master sends match what the client expects.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
View selection via TSIG
I've googled a bit and been unable to find the solution that I need.

I have a master nameserver that has 4 views configured. I have a slave for this that is currently using 4 IPs to slave the views. This works fairly well, except that the slave server is unable to handle NOTIFY from the master. So when I do an update to a zone I have to stop the slave, delete its cache files, and restart it. The slave is able to properly load zones, since it uses the correct IPs to transfer the zones, and it gets the right views, all is well.

I've read that BIND 9.3 can use TSIG for view selection, but all I've been able to find is using TSIG for one view, and no TSIG for the other view. What I would like to do is configure four separate TSIG keys and do view selection based on which key is used. Is this possible? And where can I find documentation on it?

# named -v
BIND 9.4.3-P2

I'm also willing to other solutions, or providing a look into my configuration if BIND should be able to handle the NOTIFYs

Thanks,
Josh Paetzel
Re: View selection via TSIG
In message 5ea10b89-4650-4f82-a41d-cb511ce2a...@tcbug.org, Josh Paetzel writes:

> I've googled a bit and been unable to find the solution that I need.
>
> I have a master nameserver that has 4 views configured. I have a slave for this that is currently using 4 IPs to slave the views. This works fairly well, except that the slave server is unable to handle NOTIFY from the master. So when I do an update to a zone I have to stop the slave, delete its cache files, and restart it. The slave is able to properly load zones, since it uses the correct IPs to transfer the zones, and it gets the right views, all is well.
>
> I've read that BIND 9.3 can use TSIG for view selection, but all I've been able to find is using TSIG for one view, and no TSIG for the other view. What I would like to do is configure four separate TSIG keys and do view selection based on which key is used. Is this possible? And where can I find documentation on it?

Yes. Read the FAQ.

> # named -v
> BIND 9.4.3-P2
>
> I'm also willing to other solutions, or providing a look into my configuration if BIND should be able to handle the NOTIFYs
>
> Thanks,
> Josh Paetzel

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org