01-04-2016 02:32 AM
An external server has a zone called "example.com". Our internal DNS server uses a split-view setup. Both views contain the "example.com" zone. The internal server is slave to that zone and the external server is the master. The external server has only one DNS view. When updating the example.com zone on the external server, we need both views to be updated immediately. We have been unable to get this working.
To get this working we need to receive 2 notify messages from the master. Either with 2 different TSIG keys, or one with a TSIG key and one without a TSIG key. We assume that we will be able to direct the Notify message to the right view by using the TSIG keys in the match-clients list on a view level.
Does anyone have experience with this setup? Is there a way to have a DNS server send 2 notify messages to the same IP with different TSIG keys? Or does anyone have another solution for this?
01-07-2016 01:36 PM
I think part of what needs to be understood is where Infoblox is hosting things and/or how we fit in here into this design as to how many Grids, what is running what software where, who is the master for what zones and why the external zone is sharing memory to be hosted on the internal zone, etc.
Of course the obligatory answer of using Grid Replication will take care of immediate changes vs. having to use Zone transfers - and thus give you the solution you are looking for. However without some further details I'm not sure what the right way to take this would be.
01-07-2016 05:06 PM
Thank you for your reply.
The internal servers are running Infoblox and are part of a grid. The external server is running bind 9.
The external server is the master of the zone.
When I mention internal and external, I mean to say that the external servers are managed by another company.
As to why: the customer is a mobile service provider and the Infoblox DNS servers are used in a GRX environment; other service providers can query the DNS servers for resolving the customer's APN names. One of the zones that other service providers can query is managed by the other company, and so their BIND DNS server is the Master for this zone.
In my initial post I tried to describe it without going into details, since I assume that this is not the first time that someone has tried to build a similar setup, with or without using Infoblox. But unfortunately I have been unable to find a solution.
01-08-2016 08:03 AM
So in this case you're saying there are 2 versions of a domain in which there are 2 masters, and you want Infoblox to distinguish between which notify is coming from which system for which view of things - correct?
Obviously if things were "in Grid" this would not be as much of a concern because it would use Grid replication on things here, but obviously one of those domains is not even under your control.
I don't think in this case there is a simple solution because, as you'll see in another post a bit further down (topic of Split Horizon support), someone has 4 views of a domain and thus 4 different masters. Given that we can't tell which notify is for which view, your situation is just 2 views of the same thing if I'm understanding things right - but the same issue still exists here.
Remember though that the TSIG key is used for the Zone Transfer so even if the notifies aren't received or acted upon, you at least know that it will pull the zone properly at whatever the interval is set for that Zone (default is 15 minutes) to look for updates.
01-12-2016 05:49 AM
Well, not exactly. There is only one Master, which is the DNS server outside of the Grid.
What I am saying is that the Infoblox DNS servers need to be updated immediately when the Master (outside of the Grid) updates the zone. Both views on the Infoblox servers need to immediately get the update, but the BIND DNS Server is not aware that there are multiple views on the Infoblox servers and has only one view.
I hope that you or someone can provide a way to do it. Maybe via one of the following solutions:
- NAT translations in the path between the Infoblox and BIND server
- Internally synchronizing the zone when an update is received from the BIND server. Maybe by using the "Lead secondary" option
- Defining a second IP on the DNS servers? Not sure if this is possible
01-13-2016 05:22 AM - edited 01-13-2016 05:26 AM
** I'm not the definite source of information in this case.
One of my customers has similar needs.
There was an issue with zone transfers and multiple views and TSIG matching. This was corrected and a patch was released. If you need it, please contact our Support and ask for the NIOS-55902 fix/patch. I saw one for 6.12.11 and 7.2.4.
DNS NOTIFY for each view/zone separated by TSIG is not there yet. Please contact support and open your own case to follow up on this.
08-25-2017 02:35 PM - edited 08-25-2017 02:36 PM
I was unable to get it to work with one of the methods listed in this topic.
Eventually we forced the external party to lower the refresh value (in the SOA) for the zone. This results in the secondaries frequently polling the primary for updates.
This resolved our issue.
But lower refresh values are not always recommended.
Hope it helps.
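The workaround above replaces NOTIFY with SOA polling, so the SOA timers alone decide how far each view can lag the primary. The following added example (not code from this thread or from Infoblox or BIND) parses an SOA as printed by `dig +short`, bounds the worst-case lag, flags timers that are inconsistent or below the RFC 1912 guidance, and compares per-view serials against the primary; all sample values are constructed.

```python
"""Sanity-check the 'poll instead of NOTIFY' workaround: bound the lag that
a given SOA REFRESH/RETRY allows and verify each view's serial is current."""
from dataclasses import dataclass

# RFC 1912 section 2.2 suggests a refresh between 20 minutes and 12 hours.
RFC1912_MIN_REFRESH = 1200
RFC1912_MAX_REFRESH = 43200


@dataclass
class SoaTimers:
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SoaTimers:
    """Parse SOA RDATA in 'dig +short' form: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    return SoaTimers(*(int(f) for f in fields[2:]))


def max_staleness(t: SoaTimers, failed_polls: int = 0) -> int:
    """Worst-case lag in seconds when no NOTIFY arrives: a change made right after
    a poll is only seen at the next refresh, plus one retry interval per failed poll."""
    return t.refresh + failed_polls * t.retry


def check_timers(t: SoaTimers, max_lag: int) -> list[str]:
    """Return findings for timers that are inconsistent or that miss the lag target."""
    findings = []
    if t.retry >= t.refresh:
        findings.append("retry must be shorter than refresh")
    if t.expire < t.refresh + t.retry:
        findings.append("expire should exceed refresh + retry")
    if t.refresh < RFC1912_MIN_REFRESH:
        findings.append("refresh below RFC 1912 floor; more TSIG-signed AXFR/IXFR load on the primary")
    if max_staleness(t) > max_lag:
        findings.append(f"worst-case lag {max_staleness(t)}s exceeds target {max_lag}s")
    return findings


def lagging_views(primary_serial: int, view_serials: dict[str, int]) -> list[str]:
    """Views whose SOA serial is behind the primary (one dig per view, signed with that
    view's TSIG key). Plain integer comparison, which is adequate for date-based serials."""
    return [v for v, s in view_serials.items() if s < primary_serial]


if __name__ == "__main__":
    # Constructed sample: 1h refresh, 15m retry, 1w expire.
    soa = parse_soa("ns1.example.com. hostmaster.example.com. 2016011201 3600 900 604800 300")
    print(check_timers(soa, max_lag=600))
    print(lagging_views(2016011201, {"internal": 2016011201, "external": 2016011101}))
```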