Re: Several (2) different views [SOLVED]
On 3 Jul 2012, at 21:21, Rodrigo Renie Braga wrote: Just giving a feedback, this method worked great, but in my case, didn't have no negate the keys in the ACL (like the example below), I created one key for each ACL in my configuration and used that ACL for the match-clients directive in the view. Congratulations! You seem to have thought of a better (i.e. simpler) way to do it than I did. Learning is a two-way process. ATB Niall ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Several (2) different views [SOLVED]
In message c83fec5a-10b3--934e-a2d8e3140...@ucd.ie, Niall O'Reilly writes
:
On 3 Jul 2012, at 21:21, Rodrigo Renie Braga wrote:
Just giving a feedback, this method worked great, but in my case, didn't ha
ve no negate the keys in the ACL (like the example below), I created one key
for each ACL in my configuration and used that ACL for the match-clients di
rective in the view.
Congratulations!
You seem to have thought of a better (i.e. simpler) way to do it
than I did. Learning is a two-way process.
ATB
Niall
Running w/o negate keys in the match-clients acl is fragile and
depends on the address of the master/slaves being in the last view
whereas the scheme below works independently of which view the
master/slave ip addresses match.
key key1 { ... };
key key2 { ... };
key key3 { ... };
acl all-keys { key key1; key key2; key key3; }
view view1 { match-clients { key key1; !all-keys; ... }; ... };
view view2 { match-clients { key key2; !all-keys; ... }; ... };
view view3 { match-clients { key key3; !all-keys; ... }; ... };
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Several (2) different views [SOLVED]
You're absolutely right, I did have to set the view where the slave match
the IP address as the last view in my config. I just didn't want to have a
large list of negatives in each of my views definition, but you seem to
have set a smarter way to do that in your example... Like Niall said
before, learning is a two-way process...
2012/7/9 Mark Andrews ma...@isc.org
In message c83fec5a-10b3--934e-a2d8e3140...@ucd.ie, Niall O'Reilly
writes
:
On 3 Jul 2012, at 21:21, Rodrigo Renie Braga wrote:
Just giving a feedback, this method worked great, but in my case,
didn't ha
ve no negate the keys in the ACL (like the example below), I created one
key
for each ACL in my configuration and used that ACL for the
match-clients di
rective in the view.
Congratulations!
You seem to have thought of a better (i.e. simpler) way to do it
than I did. Learning is a two-way process.
ATB
Niall
Running w/o negate keys in the match-clients acl is fragile and
depends on the address of the master/slaves being in the last view
whereas the scheme below works independently of which view the
master/slave ip addresses match.
key key1 { ... };
key key2 { ... };
key key3 { ... };
acl all-keys { key key1; key key2; key key3; }
view view1 { match-clients { key key1; !all-keys; ... }; ... };
view view2 { match-clients { key key2; !all-keys; ... }; ... };
view view3 { match-clients { key key3; !all-keys; ... }; ... };
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Several (2) different views [SOLVED]
Just giving a feedback, this method worked great, but in my case, didn't
have no negate the keys in the ACL (like the example below), I created one
key for each ACL in my configuration and used that ACL for the
match-clients directive in the view.
So, when the slave tried to sync the zone, the matched the key, not the IP
address, that way every zone was sync correctly.
Thanks for your help!
2012/6/15 Niall O'Reilly niall.orei...@ucd.ie
On 15 Jun 2012, at 01:14, Rodrigo Renie Braga wrote:
I've been trying to find examples on how to use TSIG to replicate
several differents views to a slave server, but I could only find with two
views, and I just couldn't figure out how to adapt that example to 3 or
more views.
Could you send me example on how to accomplish that?
Something like what follows below may be what you need.
This supports 3 views, keyed on TSIG or by default on
client address. For more views, no new ideas are needed.
include /etc/select-tsig.keys;// keep keys in protected file
acl captive-clients {
// Purpose: triage for captive view
key select-captive.ucd.ie.; // select on this key
! key select-internal.ucd.ie.;// by-pass
! key select-general.ucd.ie.; // by-pass
10.137.0.0/16;// Target networks
10.193.128.0/19;
10.193.160.0/20;
};
acl internal-clients {
// Purpose: triage for internal view
key select-internal.ucd.ie.; // select on this key
! key select-captive.ucd.ie.; // by-pass (redundant)
! key select-general.ucd.ie.; // by-pass
localhost;
172.16.0.0/16;// Special networks
10.224.0.0/16;
};
// Clients not otherwise selected are offered general view
// special-purpose view: 'captive'
view captive {
match-clients { captive-clients; };
// view details go here ...
}; // End view captive
view internal {
match-clients { internal-clients; };
// view details go here ...
};
// standard view: 'general'
view general {
match-clients { any; };
// view details go here ...
};
I hope this helps.
Niall O'Reilly
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
