
DNS views and zone transfers

VObelic
Techie
Posts: 3

Hello,

How would it be possible to achieve zone transfers between a master and a slave for an equally named zone in two views?

BIND documentation suggests using also-notify with a key:

https://kb.isc.org/article/AA-00851/0

EXAMPLE 3 - Adding a second server / A single server, one common (but different) zone

Basically I don't see how to add an "also-notify" stanza besides enabling "add allowed ip addresses to also-notify", let alone add a key.

Currently using NIOS 7.3.10.

Re: DNS views and zone transfers

Expert
Posts: 81

Hello VObelic.

Could you please provide more information regarding your scenario?

You can use TSIG keys or configure loopback interfaces and then use their IP addresses to match the correct view between servers. I had a similar scenario with a customer and the view parametrization (using loopback interfaces and configuring match client/destination) was enough to solve my problem. I don't remember using "also-notify"/add allowed IP addresses to "also-notify". TSIG keys must work well too (and are simpler to implement).

You are using two servers (one master, the other a slave) with two views each... am I right?

Regards,
Paulo


Re: DNS views and zone transfers

VObelic
Techie
Posts: 3

Actually I've written a support case regarding this issue.

The findings so far: Infoblox cannot send also-notify with a TSIG key defined (missing in NIOS, but part of BIND 9.9.x for a long time) - effectively, the notify mechanism cannot work for slave servers that contain the same views.

The other way is to lower the zone refresh interval and wait for the slave servers to periodically request AXFR from the master. This isn't possible with Infoblox either, since a DENY TSIG rule cannot be set in the view match clients ACL - also something BIND 9.9.x fully supports, and in my perspective a bug in NIOS.

I'm trying to prioritise this issue so it isn't only seen as Request for feature enhancement but have little hope this will be solved anytime soon...
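
For reference, the two stock BIND 9.9+ features discussed in this thread (a TSIG-signed also-notify and a deny-key rule in a view's match-clients) look roughly like this in named.conf. This is an added example, not part of the original posts and not NIOS configuration; the key names, addresses, file paths and secrets are placeholders.

```conf
// Constructed example for stock BIND 9.9+, master side (10.0.0.1).
// Key names, addresses, file names and secrets are placeholders.
key "int-xfer" { algorithm hmac-sha256; secret "<base64-placeholder-1>"; };
key "ext-xfer" { algorithm hmac-sha256; secret "<base64-placeholder-2>"; };

view "internal" {
    // First match wins: reject the other view's key before any IP match,
    // so an ext-xfer-signed request from the slave (10.0.0.2) is not
    // captured here by its source address and falls through to "external".
    match-clients { !key ext-xfer; key int-xfer; 10.0.0.0/8; };
    zone "example.com" {
        type master;
        file "internal/example.com.db";
        notify explicit;                          // notify only the list below
        also-notify { 10.0.0.2 key int-xfer; };   // NOTIFY signed with the view's key
        allow-transfer { key int-xfer; };
    };
};

view "external" {
    match-clients { !key int-xfer; any; };
    zone "example.com" {
        type master;
        file "external/example.com.db";
        notify explicit;
        also-notify { 10.0.0.2 key ext-xfer; };
        allow-transfer { key ext-xfer; };
    };
};

// Slave side (10.0.0.2): same key statements and the same match-clients
// lines per view, so a signed NOTIFY lands in the matching view. Each
// zone then requests its transfer with that view's key:
//
// zone "example.com" {
//     type slave;
//     masters { 10.0.0.1 key int-xfer; };   // ext-xfer in the external view
//     file "slaves/internal.example.com.db";
// };
```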

Re: DNS views and zone transfers

Jie
Techie
Posts: 3

Any update on this issue?
