
BIND 9 のビュー構成でゾーン転送が拒否される

私はBIND9.10.3-P4-Debianを実行しています。

私は2つの権威ネームサーバーを持っています:プライマリ(192.168.200.3)とセカンダリ(192.168.201.3)。

サブネット (192.168.200.0/22) 上のホストには、すべてのレコードを提供したいと考えています。これらのレコードは internal-view ビューにあります。

RFC 1918 のプライベート IP ブロック内のアドレスを持つが、そのサブネットには属さないホストには、全レコードの一部だけを提供したいと考えています。これらのレコードは external-view ビューにあります。

2つのビューのそれぞれに異なるTSIGキーを設定することにより、各ビューが同じ名前のピアビューと通信するように強制しようとしています。

以下に示す構成では、internal-viewがプライマリからセカンダリに転送されます。ただし、external-viewはそうではありません。

一次側のログには次のように書かれています。

client 192.168.201.3#41723/key external-view (dct.example.com): view internal-view: zone transfer 'dct.example.com/AXFR/IN' denied

external-view キーが提示されており、external-view を要求しているにもかかわらず、要求が internal-view に対するものとして扱われている点に注意してください。

以下のセカンダリサイドログは、セカンダリネームサーバーがexternal-viewを要求していると見なしていることを示しています。

二次側のログには次のように書かれています。

zone dct.example.com/IN/external-view: Transfer started.
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: connected using 192.168.201.3#41723
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: failed while receiving responses: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer status: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

一次構成と二次構成の関連部分を以下に示します。

誰かが私がどこで間違っているのかを見ることができますか?

よろしくお願いします。

一次構成

# Global default: refuse every zone transfer. Each view below overrides
# this with its own key-restricted allow-transfer.
options {
   allow-transfer { none; };
};

# TSIG key for the internal-view (shared with the secondary). The secret
# is redacted here. The name carries a trailing dot; it must be spelled
# identically wherever it is referenced (server, allow-transfer).
key internal-view. {
   algorithm hmac-sha512;
   secret "5<redacted>==";
};

# TSIG key for the external-view (shared with the secondary). A different
# secret from internal-view., so a request can be signed with only one
# of the two views' keys at a time.
key external-view. {
   algorithm hmac-sha512;
   secret "y<redacted>==";
};

# Address-based ACLs. ACL elements are evaluated first-match; "!" negates.
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

# 192.168.200/22 covers 192.168.200.0-192.168.203.255, so it contains BOTH
# name servers: the primary (192.168.200.3) and the secondary (192.168.201.3).
acl "internal-hosts" { 192.168.200/22; 127/8; };
# Any RFC 1918 address that is not in internal-hosts.
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

view "internal-view" {
   # View selection is by source address only. The secondary
   # (192.168.201.3) lies inside "internal-hosts", so every request it
   # sends lands in this view no matter which TSIG key signs it. That is
   # exactly what the primary's log shows: "key external-view ...
   # view internal-view ... denied".
   match-clients { "internal-hosts"; };

   # Outbound traffic to the secondary is signed with the internal-view key.
   server 192.168.201.3 { keys { internal-view.; }; };
   # Only requests signed with the internal-view key may transfer this
   # view's zones; a request signed with external-view. is refused.
   allow-transfer { key internal-view.; };

   zone "dct.example.com" {
      type master;
      file "zones/internal-view/db.dct.example.com";
      forwarders { }; # empty list: no forwarding for this zone
   };
};

view "external-view" {
   # The secondary's address is excluded by !"internal-hosts" inside
   # "external-hosts", so its requests never reach this view and the
   # allow-transfer below is never consulted for them.
   match-clients { "external-hosts"; };

   # Outbound traffic to the secondary is signed with the external-view key.
   server 192.168.201.3 { keys { external-view.; }; };
   # Only requests signed with the external-view key may transfer from here.
   allow-transfer { key external-view.; };

   zone "dct.example.com" {
      type master;
      file "zones/external-view/db.dct.example.com";
      forwarders { }; # empty list: no forwarding for this zone
   };
};

二次構成

# Global default: refuse every zone transfer; each view overrides this.
options {
   allow-transfer { none; };
};

# TSIG key for the internal-view; same name and secret as on the primary.
key internal-view. {
   algorithm hmac-sha512;
   secret "5<redacted>==";
};

# TSIG key for the external-view; same name and secret as on the primary.
key external-view. {
   algorithm hmac-sha512;
   secret "y<redacted>==";
};

# Same address ACLs as on the primary (first-match evaluation, "!" negates).
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

# 192.168.200/22 contains both the primary (192.168.200.3) and this
# secondary (192.168.201.3).
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

# The primary we pull dct.example.com from (no key here; keys are set per view
# via the server statement).
masters "dct-masters" { 192.168.200.3; };

view "internal-view" {
   # Address-only view selection for incoming traffic; the primary
   # (192.168.200.3) is inside "internal-hosts" too.
   match-clients { "internal-hosts"; };

   # SOA/AXFR requests sent to the primary from this view are signed with
   # the internal-view key.
   server 192.168.200.3 { keys { internal-view.; }; };
   allow-transfer { key internal-view.; };

   zone "dct.example.com" {
      type slave;
      file "zones/internal-view/bak.dct.example.com";
      masters { dct-masters; };
      forwarders { }; # empty list: no forwarding for this zone
   };
};

view "external-view" {
   match-clients { "external-hosts"; };

   # Transfer requests for this view are signed with the external-view key
   # (hence "key external-view" in the primary's log). The primary still
   # classifies them into its internal-view by source address, because
   # 192.168.201.3 is inside 192.168.200/22, and refuses them there.
   server 192.168.200.3 { keys { external-view.; }; };
   allow-transfer { key external-view.; };

   zone "dct.example.com" {
      type slave;
      file "zones/external-view/bak.dct.example.com";
      masters { dct-masters; };
      forwarders { }; # empty list: no forwarding for this zone
   };
};
Dave

以下の設定でうまくいきました。原因は、セカンダリのアドレス 192.168.201.3 が internal-hosts (192.168.200/22) に含まれるため、アドレスだけで判定する match-clients では要求が常に internal-view に振り分けられていたことです。match-clients の先頭に TSIG キーによる条件 (!key ...; key ...;) を置くことで、署名に使われたキーでビューが決まるようになります。

一次構成

# Address ACLs (first-match evaluation; "!" negates an element).
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

# 192.168.200/22 contains both name servers, so address alone cannot
# separate the two views' transfer traffic; the views use TSIG keys for that.
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

# The two authoritative servers, by address.
acl "primary-ns" { 192.168.200.3; };
acl "secondary-ns" { 192.168.201.3; };
acl "all-ns" { "primary-ns"; "secondary-ns"; };

# Deny-list helper: transfer-to-reject matches everything EXCEPT the name
# servers and loopback. Views use it as a negated first element
# (!transfer-to-reject) so only those sources get as far as the key check.
acl transfer-to-allow { "all-ns"; 127/8; };
acl transfer-to-reject { !"transfer-to-allow"; any; };

# Global defaults. Everything security-relevant defaults to "none"/"no"
# here and is opened up selectively inside each view.
options {
   directory "/etc/bind";
   version none; # do not disclose the BIND version to version.bind queries

   # Only RFC 1918 addresses and loopback may query at all.
   allow-query { "allowed-clients"; };

   recursion no; # Override in views, where appropriate.
   allow-recursion { none; }; # Override in views, where appropriate.

   notify explicit; # Requires use of also-notify.
   also-notify { }; # Who should we notify? For primary, override this in each view.
   allow-notify { none; }; # Who can notify us? For secondary, override this in each view.

   allow-transfer { none; }; # Who should we allow zone transfers to? For primary, override this in each view.

   # No dynamic updates accepted or forwarded anywhere.
   allow-update { none; };
   allow-update-forwarding { none; };

   # This allows *all* local network interfaces.
   listen-on { localhost; };

   # Recursive views hand every non-authoritative query to these resolvers.
   forward only;
   forwarders { 192.168.20.3; 192.168.30.3; };

   statistics-file "named.stats";

   # Validation is switched off; answers from the forwarders are not
   # DNSSEC-checked by this server.
   dnssec-validation no;
   dnssec-lookaside no;

   auth-nxdomain no;
   listen-on-v6 { none; }; # IPv4 only
};

# TSIG key for the internal-view (shared with the secondary; secret redacted).
key internal-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

# TSIG key for the external-view (shared with the secondary; secret redacted).
# Must differ from internal-view-key: view selection relies on which key
# signed the request.
key external-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

view "internal-view" {
   # Order matters (first match wins):
   #   1. !key external-view-key  - anything signed with the OTHER view's key
   #                                 is rejected from this view before any
   #                                 address element is considered;
   #   2. key internal-view-key   - signed with our key -> this view;
   #   3. "all-ns", "internal-hosts" - unsigned traffic, by address.
   # The key elements come first because both name servers are inside
   # internal-hosts; address alone cannot tell the two views apart.
   match-clients { !key external-view-key; key internal-view-key; "all-ns"; "internal-hosts"; };
   # Traffic this view sends to either server is signed with its own key.
   server 192.168.200.3 { keys { internal-view-key; }; };
   server 192.168.201.3 { keys { internal-view-key; }; };

   recursion yes;
   allow-recursion { "internal-hosts"; };

   # The NOTIFY is signed so the secondary routes it to its matching view.
   also-notify { 192.168.201.3 key internal-view-key; }; # Who should we notify?
   allow-notify { none; }; # Who can notify us?

   # Who should we allow zone transfers to?
   # Any source that is not a name server or loopback is rejected outright;
   # what remains must additionally be signed with internal-view-key.
   allow-transfer { !transfer-to-reject; key internal-view-key; };

   zone "dct.example.com" {
      type master;
      file "zones/internal-view/db.dct.example.com";
      forwarders { }; # authoritative zone: no forwarding
   };
};

view "external-view" {
   # Mirror of internal-view's selection: requests signed with
   # internal-view-key are excluded first, requests signed with
   # external-view-key are accepted, then unsigned traffic by address.
   # "all-ns" precedes "external-hosts" because the name servers'
   # addresses would otherwise be excluded by !"internal-hosts".
   match-clients { !key internal-view-key; key external-view-key; "all-ns"; "external-hosts"; };
   server 192.168.200.3 { keys { external-view-key; }; };
   server 192.168.201.3 { keys { external-view-key; }; };

   # No recursion for hosts outside the internal subnet.
   recursion no;
   allow-recursion { none; };

   also-notify { 192.168.201.3 key external-view-key; }; # Who should we notify?
   allow-notify { none; }; # Who can notify us?

   # Who should we allow zone transfers to?
   # Non-name-server sources are rejected first; the rest must be signed
   # with external-view-key.
   allow-transfer { !transfer-to-reject; key external-view-key; };

   zone "dct.example.com" {
      type master;
      file "zones/external-view/db.dct.example.com";
      forwarders { }; # authoritative zone: no forwarding
   };
};

二次構成

# Address ACLs (first-match evaluation; "!" negates an element).
acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

acl "primary-ns" { 192.168.200.3; };
acl "secondary-ns" { 192.168.201.3; };
acl "all-ns" { "primary-ns"; "secondary-ns"; };

# notify-to-reject matches everything except the primary; views negate it
# in allow-notify so only the primary's NOTIFYs reach the key check.
acl notify-to-allow { "primary-ns"; };
acl notify-to-reject { !"notify-to-allow"; any; };

# transfer-to-reject matches everything except the name servers and
# loopback; views negate it in allow-transfer ahead of the key element.
acl transfer-to-allow { "all-ns"; 127/8; };
acl transfer-to-reject { !"transfer-to-allow"; any; };

# Global defaults, identical to the primary's: deny by default and open
# selectively per view.
options {
   directory "/etc/bind";
   version none; # do not disclose the BIND version

   allow-query { "allowed-clients"; };

   recursion no; # Override in views, where appropriate.
   allow-recursion { none; }; # Override in views, where appropriate.

   notify explicit; # Requires use of also-notify.
   also-notify { }; # Who should we notify? For primary, override this in each view.
   allow-notify { none; }; # Who can notify us? For secondary, override this in each view.

   allow-transfer { none; }; # Who should we allow zone transfers to? For primary, override this in each view.

   allow-update { none; };
   allow-update-forwarding { none; };

   # This allows *all* local network interfaces.
   listen-on { localhost; };

   forward only;
   forwarders { 192.168.20.3; 192.168.30.3; };

   statistics-file "named.stats";

   # DNSSEC validation disabled on this server.
   dnssec-validation no;
   dnssec-lookaside no;

   auth-nxdomain no;
   listen-on-v6 { none; }; # IPv4 only
};

# TSIG key for the internal-view; same name and secret as on the primary.
key internal-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

# TSIG key for the external-view; same name and secret as on the primary.
key external-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

# The primary to pull from; the key used when talking to it is set per view
# by the server statement.
masters "dct-masters" { 192.168.200.3; };

view "internal-view" {
   # First match wins: a NOTIFY signed with external-view-key is rejected
   # from this view first; one signed with internal-view-key is accepted;
   # unsigned traffic is then matched by address.
   match-clients { !key external-view-key; key internal-view-key; "all-ns"; "internal-hosts"; };
   # SOA refreshes and AXFR requests to the primary (and anything to the
   # secondary itself) are signed with this view's key, which is how the
   # primary selects the matching view.
   server 192.168.200.3 { keys { internal-view-key; }; };
   server 192.168.201.3 { keys { internal-view-key; }; };

   recursion yes;
   allow-recursion { "internal-hosts"; };

   also-notify { }; # Who should we notify?
   # NOTIFYs from anything but the primary are rejected; the primary's
   # must be signed with internal-view-key.
   allow-notify { !notify-to-reject; key internal-view-key; }; # Who can notify us?

   # Who should we allow zone transfers to?
   allow-transfer { !transfer-to-reject; key internal-view-key; };

   zone "dct.example.com" {
      type slave;
      file "zones/internal-view/bak.dct.example.com";
      masters { dct-masters; };
      forwarders { }; # no forwarding for this zone
   };
};

view "external-view" {
   # Mirror of internal-view: exclude the other view's key first, accept
   # our own key, then fall back to addresses. "all-ns" is listed before
   # "external-hosts" because the name servers are inside internal-hosts.
   match-clients { !key internal-view-key; key external-view-key; "all-ns"; "external-hosts"; };
   # Requests to the primary for this view are signed with external-view-key.
   server 192.168.200.3 { keys { external-view-key; }; };
   server 192.168.201.3 { keys { external-view-key; }; };

   recursion no;
   allow-recursion { none; };

   also-notify { }; # Who should we notify?
   # Only the primary may NOTIFY, and only when signed with this view's key.
   allow-notify { !notify-to-reject; key external-view-key; }; # Who can notify us?

   # Who should we allow zone transfers to?
   allow-transfer { !transfer-to-reject; key external-view-key; };

   zone "dct.example.com" {
      type slave;
      file "zones/external-view/bak.dct.example.com";
      masters { dct-masters; };
      forwarders { }; # no forwarding for this zone
   };
};
Dave