View selection via TSIG


Post by Josh Paetzel » Mon, 17 Aug 2009 06:45:23


I've googled a bit and been unable to find the solution that I need.

I have a master nameserver that has 4 views configured. I have a
slave for this that is currently using 4 IPs to slave the views. This
works fairly well, except that the slave server is unable to handle
NOTIFY from the master. So when I do an update to a zone I have to
stop the slave, delete its cache files, and restart it. The slave is
able to properly load zones, since it uses the correct IPs to transfer
the zones, and it gets the right views, all is well.

I've read that BIND 9.3 can use TSIG for view selection, but all I've
been able to find is using TSIG for one view, and no TSIG for the other
view. What I would like to do is configure four separate TSIG keys
and do view selection based on which key is used.

Is this possible? And where can I find documentation on it?

# named -v
BIND 9.4.3-P2

I'm also willing to consider other solutions, or to provide a look into my
configuration, if BIND should be able to handle the NOTIFYs.

Thanks,

Josh Paetzel
 
 
 

View selection via TSIG

Post by Mark Andrews » Mon, 17 Aug 2009 14:26:16


In message < XXXX@XXXXX.COM >, Josh Paetzel writes:

Yes. Read the FAQ.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: XXXX@XXXXX.COM

 
 
 

_______________________________________________
bind-users mailing list
XXXX@XXXXX.COM
https://lists.isc.org/mailman/listinfo/bind-users
 
 
 

View selection via TSIG

Post by Josh Paetzel » Wed, 19 Aug 2009 12:28:44


I read the FAQ, and there was a question entitled "How to share a
dynamic zone between multiple views?" that seemed to get me most of
the way there. I am now running my slave nameserver on one IP, and
zone transfers seem to work fine. NOTIFY also seems to work for
every view but the external view. This is somewhat perplexing to me.
Tomorrow I plan on turning on logging for NOTIFY to see if I can at
least determine what is going on.

If you have any tips or common gotchas feel free to let me know.

Thanks,

Josh Paetzel




View selection via TSIG

Post by Mark Andrews » Wed, 19 Aug 2009 13:08:01


In message < XXXX@XXXXX.COM >, Josh Paetzel writes:


You need to make the notify go to the correct view by using
appropriate server clauses at the view level. It's a matter
of making what the master sends match what the client expects.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: XXXX@XXXXX.COM
 
 
 

View selection via TSIG

Post by Josh Paetzel » Wed, 19 Aug 2009 14:32:54

On Aug 17, 2009, at 11:08 PM, Mark Andrews wrote:



Well, I found the issue. If the key is listed last in match-clients
it works.

// doesn't work
match-clients { key external; any; };

// works
match-clients { any; key external; };

Somehow I think either I've hit a bug, or I'm too tired to fully
understand how those statements are different, or even more likely,
that there's something else going on that just makes this work by
coincidence.

It's very reproducible though. It also only seems to affect my
external view, all the other views, that match specific subnets, can
have the key specified anywhere in the list.

So to reiterate:

Zone transfers worked properly for all views

The slave updated properly upon receiving NOTIFY for every zone but
the external view.

Any update that resulted in a NOTIFY being sent for the external view
was not picked up by the slave.

The differences between the external view and all the other views were
that the external view was last, it had any in its match-clients, and
it had recursion turned off.

Thanks,

Josh Paetzel




View selection via TSIG

Post by Josh Paetzel » Fri, 21 Aug 2009 00:12:21

On Aug 18, 2009, at 12:32 AM, Josh Paetzel wrote:


Well, still having some intermittent trouble with this. It seems that
about half the time the slave missed NOTIFY for the external view. My
previous email was basically the result of it not missing NOTIFY
enough times for me to think it was fixed.

I've tried turning on NOTIFY logging, but I must be doing something
wrong there, because nothing is ever logged.

logging {
    channel my_log {
        file "/var/log/bind/named.log" versions 3 size 5m;
        severity warning;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "notify" {
        my_log;
    };
};

I've changed the category to default to make sure that it can log that
and it can.

I'm starting to suspect there's a bug in BIND I'm tripping here, or I
simply don't understand something fundamental. Zone transfers work
perfectly, and every view except for the external view responds
correctly to NOTIFY. It seems to be NOTIFY for the external view
which is intermittently broken. The only thing different between the
external view and the other three is it has match-clients any instead
of a subnet, it has recursion turned off, and it's the last view
listed. I can send along my configuration if that helps. Somehow I
think getting logging to work would help resolve this too.

Thanks,

Josh Paetzel
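Why that channel stays empty, added here as an editor's note and not as part of the thread: named logs its NOTIFY activity at severity info ("zone example.com/IN/external: sending notifies (serial N)" on the master, "received notify for zone 'example.com'" on the slave), and a channel declared with severity warning discards everything below warning, so category notify had nowhere to write. The configuration below is an added example, not Josh's; it keeps his channel name and file path (assumed unchanged) and adds the two categories that usually matter next when chasing a view-selection problem.

```conf
logging {
    channel my_log {
        file "/var/log/bind/named.log" versions 3 size 5m;
        // "severity warning" was the problem: every line category notify
        // produces is severity info, so the channel dropped all of them.
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category notify   { my_log; };   // sending/receiving of NOTIFY
    category xfer-in  { my_log; };   // the transfers those notifies trigger
    category security { my_log; };   // TSIG verification failures land here
};
```

With print-category on, each notify and xfer-in line also carries the view the zone belongs to (the /IN/viewname suffix), which is the fastest way to see a NOTIFY landing in the wrong view. Which view named picked for a given client is logged separately, as "using view 'name'" in category client, but only at debug level 5, so raise the global level temporarily with rndc trace 5 and drop it again with rndc notrace. Leave severity info on the file channel for normal operation; a 5m file with versions 3 fills quickly on a busy server once notify and xfer-in are both being written.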




View selection via TSIG

Post by Josh Paetzel » Fri, 21 Aug 2009 01:43:38


Thanks. That worked, and I was quickly able to see what I was doing
wrong. My primary nameserver was matching an IP in one of the
views. So all the notifies were seen by slave as being in that one
view. IPs override keys.

Issue solved, thanks everyone who helped.

Thanks,

Josh Paetzel
 
 
 

View selection via TSIG

Post by Mark Andrews » Fri, 21 Aug 2009 08:30:27


In message < XXXX@XXXXX.COM >, Josh Paetzel writes:


ACL matches are order-sensitive. The !key is in the examples to prevent
the signed message matching the view and moving onto the next one.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: XXXX@XXXXX.COM
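Putting the thread's conclusion together, as an added example rather than anything posted above: a master and a slave that share one TSIG key per view, with the slave listening on a single address and selecting the view by key. Names, addresses (10.0.1.1 for the master, 10.0.1.2 for the slave, 10.0.0.0/8 as the internal network), the zone, the file paths and the base64 secrets are all placeholders chosen for this example; generate real secrets with dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST <name>, and keep one key per view, since anyone holding a key can transfer that view's zone data. The listing is one block for readability: the key statements go in both named.conf files, the master section in the master's and the slave section in the slave's.

```conf
// Added example, not from the thread. Every name, address, path and
// secret is a placeholder.

// ---- shared by master and slave: identical key names and secrets ----
key "internal" {
    algorithm hmac-sha256;
    secret "aW50ZXJuYWwtcGxhY2Vob2xkZXItc2VjcmV0";   // placeholder
};
key "external" {
    algorithm hmac-sha256;
    secret "ZXh0ZXJuYWwtcGxhY2Vob2xkZXItc2VjcmV0";   // placeholder
};

// ---- master, 10.0.1.1 ----
// match-clients is evaluated in list order and stops at the first element
// that matches; a negated element that matches rejects the whole view and
// named moves on to the next view. Putting "!key external" first is what
// lets a request signed with the external key fall through even when its
// source address sits inside 10.0.0.0/8. Without it the slave's external
// AXFR (from 10.0.1.2, signed "external") would be answered by this view.
view "internal" {
    match-clients { !key external; key internal; 10.0.0.0/8; };
    recursion yes;
    // Per-view server clause: everything this view sends to the slave,
    // NOTIFY included, is signed with "internal". A single global server
    // clause could only sign with one key for all views.
    server 10.0.1.2 { keys { internal; }; };
    zone "example.com" {
        type master;
        file "master/internal/example.com.zone";
        also-notify { 10.0.1.2; };
        allow-transfer { key internal; };
    };
};
view "external" {
    // "!key internal" mirrors the guard above, so a request signed with
    // the wrong key never reaches "any".
    match-clients { !key internal; key external; any; };
    recursion no;
    server 10.0.1.2 { keys { external; }; };
    zone "example.com" {
        type master;
        file "master/external/example.com.zone";
        also-notify { 10.0.1.2; };
        allow-transfer { key external; };
    };
};

// ---- slave, 10.0.1.2, listening on one address ----
// Same view order and the same guards. The master's NOTIFY arrives from
// 10.0.1.1, inside 10.0.0.0/8; only its signature decides which view
// receives it.
view "internal" {
    match-clients { !key external; key internal; 10.0.0.0/8; };
    recursion yes;
    zone "example.com" {
        type slave;
        file "slave/internal/example.com.zone";
        // Sign the SOA check and the transfer toward the master with the
        // same key, so they land in the master's matching view as well.
        masters { 10.0.1.1 key internal; };
    };
};
view "external" {
    match-clients { !key internal; key external; any; };
    recursion no;
    zone "example.com" {
        type slave;
        file "slave/external/example.com.zone";
        masters { 10.0.1.1 key external; };
    };
};
```

Check it with named-checkconf on both hosts, then verify view selection from inside the internal network without touching zone data: dig @10.0.1.2 example.com SOA -y hmac-sha256:external:<secret> should return the external copy and refuse recursion, while the same query unsigned returns the internal one. After a change on the master, rndc notify example.com IN external resends the NOTIFY for that view only; with category notify logged at severity info the slave should record a received notify that names view external, followed by a transfer of example.com/IN/external. Protect the named.conf files (or a separate included keys file) from reading by anyone other than named, since the secrets are the only thing standing between the external view and the internal zone data.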