Re: Several (2) different views [SOLVED]
On 3 Jul 2012, at 21:21, Rodrigo Renie Braga wrote:

> Just giving some feedback, this method worked great, but in my case, I didn't have to negate the keys in the ACL (like the example below), I created one key for each ACL in my configuration and used that ACL for the match-clients directive in the view.

Congratulations! You seem to have thought of a better (i.e. simpler) way to do it than I did. Learning is a two-way process.

ATB
Niall

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Several (2) different views [SOLVED]
In message c83fec5a-10b3--934e-a2d8e3140...@ucd.ie, Niall O'Reilly writes:
> On 3 Jul 2012, at 21:21, Rodrigo Renie Braga wrote:
>
> > Just giving some feedback, this method worked great, but in my case, I didn't have to negate the keys in the ACL (like the example below), I created one key for each ACL in my configuration and used that ACL for the match-clients directive in the view.
>
> Congratulations! You seem to have thought of a better (i.e. simpler) way to do it than I did. Learning is a two-way process.
>
> ATB
> Niall

Running w/o negate keys in the match-clients acl is fragile and depends on the address of the master/slaves being in the last view whereas the scheme below works independently of which view the master/slave ip addresses match.

    key key1 { ... };
    key key2 { ... };
    key key3 { ... };

    acl all-keys { key key1; key key2; key key3; };

    view view1 {
        match-clients { key key1; !all-keys; ... };
        ...
    };

    view view2 {
        match-clients { key key2; !all-keys; ... };
        ...
    };

    view view3 {
        match-clients { key key3; !all-keys; ... };
        ...
    };

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
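Added example (not part of Mark's message and not BIND code): a small Python model of first-match view selection that shows the fragility described above and how the negated key list removes it. The networks, the slave address and all function names are constructed for illustration, since the thread elides the real match-clients contents.

```python
import ipaddress

# Constructed values: the thread elides the real networks and addresses.
SLAVE_IP = "10.1.0.53"            # falls inside view1's client network
ALL_KEYS = ["key1", "key2", "key3"]

def acl_match(acl, src_ip, tsig_key):
    """First-match evaluation of an address match list.
    Returns True (accepted), False (hit a negated element) or None (no hit)."""
    for negated, kind, value in acl:
        if kind == "key":
            hit = tsig_key == value
        elif kind == "keys":          # nested acl made only of keys (all-keys)
            hit = tsig_key in value
        else:                         # kind == "net"
            hit = ipaddress.ip_address(src_ip) in ipaddress.ip_network(value)
        if hit:
            return not negated
    return None

def select_view(views, src_ip, tsig_key=None):
    """The first view, in configuration order, whose match-clients accepts."""
    for name, acl in views:
        if acl_match(acl, src_ip, tsig_key):
            return name
    return None

def build_views(negate_keys):
    """Three views: own key first, optionally !all-keys, then a client network."""
    nets = {"view1": "10.1.0.0/16", "view2": "10.2.0.0/16", "view3": "0.0.0.0/0"}
    views = []
    for i, (name, net) in enumerate(nets.items(), start=1):
        acl = [(False, "key", f"key{i}")]
        if negate_keys:
            acl.append((True, "keys", ALL_KEYS))    # models "!all-keys;"
        acl.append((False, "net", net))
        views.append((name, acl))
    return views

def transfer_results(negate_keys):
    """View reached by the slave for each TSIG key it signs a request with."""
    views = build_views(negate_keys)
    return {key: select_view(views, SLAVE_IP, key) for key in ALL_KEYS}

if __name__ == "__main__":
    print("without !all-keys:", transfer_results(False))
    print("with    !all-keys:", transfer_results(True))
```

Without the negated list, every transfer from the slave lands in view1 because its source address matches that view's network before view2 or view3 is tried; with it, each key reaches its own view wherever the slave's address falls.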
Re: Several (2) different views [SOLVED]
You're absolutely right, I did have to set the view where the slave matches the IP address as the last view in my config. I just didn't want to have a large list of negatives in each of my view definitions, but you seem to have set a smarter way to do that in your example...

Like Niall said before, learning is a two-way process...

2012/7/9 Mark Andrews ma...@isc.org

> In message c83fec5a-10b3--934e-a2d8e3140...@ucd.ie, Niall O'Reilly writes:
> > On 3 Jul 2012, at 21:21, Rodrigo Renie Braga wrote:
> >
> > > Just giving some feedback, this method worked great, but in my case, I didn't have to negate the keys in the ACL (like the example below), I created one key for each ACL in my configuration and used that ACL for the match-clients directive in the view.
> >
> > Congratulations! You seem to have thought of a better (i.e. simpler) way to do it than I did. Learning is a two-way process.
> >
> > ATB
> > Niall
>
> Running w/o negate keys in the match-clients acl is fragile and depends on the address of the master/slaves being in the last view whereas the scheme below works independently of which view the master/slave ip addresses match.
>
>     key key1 { ... };
>     key key2 { ... };
>     key key3 { ... };
>
>     acl all-keys { key key1; key key2; key key3; };
>
>     view view1 {
>         match-clients { key key1; !all-keys; ... };
>         ...
>     };
>
>     view view2 {
>         match-clients { key key2; !all-keys; ... };
>         ...
>     };
>
>     view view3 {
>         match-clients { key key3; !all-keys; ... };
>         ...
>     };
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Several (2) different views [SOLVED]
Just giving some feedback, this method worked great, but in my case, I didn't have to negate the keys in the ACL (like the example below), I created one key for each ACL in my configuration and used that ACL for the match-clients directive in the view.

So, when the slave tried to sync the zone, it matched the key, not the IP address, that way every zone was synced correctly.

Thanks for your help!

2012/6/15 Niall O'Reilly niall.orei...@ucd.ie

> On 15 Jun 2012, at 01:14, Rodrigo Renie Braga wrote:
>
> > I've been trying to find examples on how to use TSIG to replicate several different views to a slave server, but I could only find with two views, and I just couldn't figure out how to adapt that example to 3 or more views. Could you send me an example on how to accomplish that?
>
> Something like what follows below may be what you need. This supports 3 views, keyed on TSIG or by default on client address. For more views, no new ideas are needed.
>
>     include "/etc/select-tsig.keys";        // keep keys in protected file
>
>     acl captive-clients {                   // Purpose: triage for captive view
>         key select-captive.ucd.ie.;         // select on this key
>         ! key select-internal.ucd.ie.;      // by-pass
>         ! key select-general.ucd.ie.;       // by-pass
>         10.137.0.0/16;                      // Target networks
>         10.193.128.0/19;
>         10.193.160.0/20;
>     };
>
>     acl internal-clients {                  // Purpose: triage for internal view
>         key select-internal.ucd.ie.;        // select on this key
>         ! key select-captive.ucd.ie.;       // by-pass (redundant)
>         ! key select-general.ucd.ie.;       // by-pass
>         localhost;
>         172.16.0.0/16;                      // Special networks
>         10.224.0.0/16;
>     };
>
>     // Clients not otherwise selected are offered general view
>
>     // special-purpose view: 'captive'
>     view captive {
>         match-clients { captive-clients; };
>         // view details go here ...
>     };  // End view captive
>
>     view internal {
>         match-clients { internal-clients; };
>         // view details go here ...
>     };
>
>     // standard view: 'general'
>     view general {
>         match-clients { any; };
>         // view details go here ...
>     };
>
> I hope this helps.
>
> Niall O'Reilly