Bind version 9.2.3
OpenBSD version 3.6 (GENERIC)
Hi,
I am authoritative for some zones but am only
serving those zones to some views.
The match-clients{} of the views that serve
these zones do not include localhost or
any other interface of the local box.
The view serving the zones is the first
in named.conf; the nameserver itself should
match the second view in the config, which
does not serve the zones (at all).
Using dig to query localhost, bind never goes
elsewhere; it always returns the local zone files.
I can use dig -b and supply either localhost or
the IP of the ethernet interface and get the same
answer. (Views work just fine as seen from other
hosts.)
Here's the gist of named.conf:
----------------<snip>-------------
acl clients {
localnets;
::1;
192.168.1.0/24;
192.168.4.0/24;
xxx.xxx.xxx.0/26;
};
acl im-logged { // Do not touch this line. Thank you.
// Serve the zone to ourselves so we can test with dig.
//xxx.xxx.xxx.2; // Do not remove this,
//127.0.0.0/8; // or this
//::1; // or this. Thank you.
// For right now, we want to log _everybody_ on the
// internal network so
// this is the special syntax to do that.
192.168.1.0/24; // Comment out this line to be specific.
// Finish up.
}; // Do not touch this line. Thank you.
view im-logged-view {
// The zones we're spoofing for IM redirection to XXX for the SEC.
// WARNING: This view must come first as it is most specific.
match-clients { im-logged; };
include "etc/internal-zones.inc";
zone "ns.example.com" {
type master;
file "spoof/ns.example.com";
allow-transfer { localhost; secondaries; };
};
}; // End im-logged view
view internal {
// These are the zones visible to the internal network.
match-clients { clients; };
include "etc/internal-zones.inc";
}; // End internal view
view external {
// The outside world sees these zones.
match-clients { any; };
recursion no;
// other stuff
};
---------------<snip>-----------------
And spoof/ns.example.com looks like
----------------<snip>-------------------------
; This is special, it spoofs another nameserver.
@ IN SOA mydomain.com. root.ns0.mydomain.com. (
1 ; serial
1h ; refresh
30m ; retry
21d ; expiration
1h ) ; minimum
@ NS ns0.mydomain.com.
@ A xxx.xxx.xxx.2
------------<snip>---------------
The ns.example.com zone is always visible (with dig) from
the box running named, ns0.mydomain.com, although its
address is xxx.xxx.xxx.2 and should see the internal view,
not the im-logged-view.
I kinda suspect this is a bind bug but am reporting
it here as bind is not a port.
Please let me know if you need anything else,
if I should report this to isc.org,
use sendbug or whatever. Figured I'd try the
list first.
Thanks.
Karl <kop@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
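The view selection the post relies on, as an added example (not code from the post, from OpenBSD or from BIND): BIND walks the views in named.conf order and answers from the first view whose match-clients address-match list accepts the query's source address, and each address-match list is itself evaluated first-match, with a "!"-negated element rejecting the address. The script below re-implements that rule over the acl {} and view {} blocks from the named.conf above, so you can see which view a given source address should land in, and what changes when the three commented-out "serve the zone to ourselves" lines in acl im-logged are re-enabled. Assumptions, all constructed: 198.51.100.0/26 stands in for xxx.xxx.xxx.0/26 and 198.51.100.2 for the server's own xxx.xxx.xxx.2; the builtin localhost and localnets ACLs are derived from a made-up interface list; the secondaries acl and the zones in internal-zones.inc are not modeled.

```python
"""Model of BIND 9 view selection: the first view, in named.conf order, whose
match-clients address-match list accepts the query's source address answers.

Added example, not code from the post or from BIND.  Assumptions (constructed):
198.51.100.0/26 stands in for xxx.xxx.xxx.0/26, 198.51.100.2 for the server's
own xxx.xxx.xxx.2, and the builtin localhost/localnets ACLs are derived from
the interface list below."""
import ipaddress

# Constructed picture of the interfaces on ns0 (assumption, not from the post).
LOCAL_ADDRS = [ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "198.51.100.2")]
LOCALNETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "198.51.100.0/26")]

# The acl {} blocks from the posted named.conf, commented-out lines omitted.
ACLS = {
    "clients": ["localnets", "::1", "192.168.1.0/24", "192.168.4.0/24", "198.51.100.0/26"],
    "im-logged": ["192.168.1.0/24"],
}

# The same, with the three commented-out "serve the zone to ourselves" lines re-enabled.
ACLS_SELF_LOGGED = {**ACLS, "im-logged": ["198.51.100.2", "127.0.0.0/8", "::1", "192.168.1.0/24"]}

# Views in named.conf order; BIND stops at the first view that matches.
VIEWS = [
    ("im-logged-view", ["im-logged"]),
    ("internal", ["clients"]),
    ("external", ["any"]),
]


def acl_match(elements, addr, acls):
    """Evaluate an address-match list the way BIND does: elements are tried in
    order and the first one that matches decides.  A match on a '!'-negated
    element rejects the address.  Nested acl names recurse; a nested list that
    rejects counts as 'no match' for the outer list, which keeps scanning."""
    for element in elements:
        negate = element.startswith("!")
        name = element[1:] if negate else element
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = addr in LOCAL_ADDRS
        elif name == "localnets":
            hit = any(addr in net for net in LOCALNETS)
        elif name in acls:
            hit = acl_match(acls[name], addr, acls)
        else:
            # A bare address or prefix; strict=False tolerates host bits being set.
            # An address of the other IP version never matches a network.
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


def select_view(client, acls=ACLS, views=VIEWS):
    """Return the name of the view that would answer a query from `client`,
    or None, the case in which BIND returns REFUSED (no matching view)."""
    addr = ipaddress.ip_address(client)
    for name, match_clients in views:
        if acl_match(match_clients, addr, acls):
            return name
    return None


if __name__ == "__main__":
    # Sources from the post (dig on localhost, dig -b with the ethernet address)
    # plus one client on each of the internal networks and one outside host.
    for src in ("127.0.0.1", "::1", "198.51.100.2", "192.168.1.10", "192.168.4.5", "203.0.113.7"):
        print(f"{src:>15}  as posted: {str(select_view(src)):<15}"
              f"  self lines re-enabled: {select_view(src, ACLS_SELF_LOGGED)}")
```

Under the ACLs as posted, queries sourced from 127.0.0.1, ::1 or the server's own address fall through acl im-logged and land in view internal, which is the behaviour the post expects; only a source on 192.168.1.0/24 reaches im-logged-view. With the three self addresses re-enabled in acl im-logged, the same local sources hit the first view instead, which is what the "so we can test with dig" comment in the config is for. The model only shows what the configuration text asks for; it says nothing about what a given BIND build actually does, so the dig -b check from the post remains the way to confirm behaviour on the real server.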