You have to use separate IPs for the separate views on the master and the slave.
Here we just put alias IPs on the primary interfaces and use those for the second view.

From: bind-users <[email protected]> On Behalf Of Roberto Carna
Sent: Wednesday, July 03, 2019 3:21 PM
To: ML BIND Users <[email protected]>
Subject: Bind 9 with Views: zone transfer refused from master to slave

Hi people,

I have master/slave Bind 9.10.3 servers configured with views and TSIG keys on a Debian 9 host. But the transfer from master to slave is refused on the slave side, and there is no descriptive error.

In both views I have delegated the same two zones: black.com and white.com, with different records according to the view.

Please, if I send my configuration, can you help me to detect the failure in the zone transfer from master to slave?

Thanks a lot in advance.

MASTER

named.conf:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "+PGWO1r5rrT8hcA47Anu0w==";
    };
    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
    };
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";

named.conf.options:

    options {
        directory "/var/cache/bind";
        also-notify { 10.0.0.2; };
        dnssec-validation no;
        dnssec-enable yes;
        auth-nxdomain no;
        allow-query { any; };
        notify explicit;
        recursion no;
        version "none";
    };

named.conf.local:

    key one {
        algorithm HMAC-MD5;
        secret "uohej/pa1oLBK4Cfhi3zAA==";
    };
    key two {
        algorithm HMAC-MD5;
        secret "HcKSpnKhqg/+KFvOg2uTag==";
    };
    key three {
        algorithm HMAC-MD5;
        secret "1JikGx1kdjq/cTCsi36/JQ==";
    };

    acl one { !key two; !key three; key one; 10.10.0.0/24; };
    acl two { !key one; !key three; key two; 10.10.1.0/24; };
    acl three { !key one; !key two; key three; 10.10.2.0/24; };

    view "one" {
        match-clients { one; };
        server 10.0.0.2 { keys one; };
        recursion yes;
        allow-transfer { key one; };
        zone "black.com." {
            type master;
            file "/etc/bind/zones/black.com.one.db";
            also-notify { 10.0.0.2 key one; };
        };
        zone "white.com" {
            type master;
            file "/etc/bind/zones/white.com.one.db";
            also-notify { 10.0.0.2 key one; };
        };
    };

    view "two" {
        match-clients { two; };
        server 10.0.0.2 { keys two; };
        recursion yes;
        allow-transfer { key two; };
        zone "black.com." {
            type master;
            file "/etc/bind/zones/black.com.two.db";
            also-notify { 10.0.0.2 key one; };
        };
        zone "white.com" {
            type master;
            file "/etc/bind/zones/white.com.two.db";
            also-notify { 10.0.0.2 key one; };
        };
    };

SLAVE

named.conf:

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";

named.conf.options:

    options {
        directory "/var/cache/bind";
        allow-transfer {"none";};
        dnssec-validation no;
        dnssec-enable yes;
        auth-nxdomain no;
        allow-query { any; };
        notify explicit;
        recursion no;
        version "none";
    };

named.conf.local:

    key one {
        algorithm HMAC-MD5;
        secret "uohej/pa1oLBK4Cfhi3zAA==";
    };
    key two {
        algorithm HMAC-MD5;
        secret "HcKSpnKhqg/+KFvOg2uTag==";
    };
    key three {
        algorithm HMAC-MD5;
        secret "1JikGx1kdjq/cTCsi36/JQ==";
    };

    acl one { !key two; !key three; key one; 10.10.0.0/24; };
    acl two { !key one; !key three; key two; 10.10.1.0/24; };
    acl three { !key one; !key two; key three; 10.10.2.0/24; };

    view "one" {
        match-clients { one; };
        server 10.0.0.1 { keys one; };
        recursion yes;
        zone "black.com" {
            type slave;
            masters { 10.0.0.1 key one; };
            file "/etc/bind/zones/black.com.one.db";
        };
        zone "white.com" {
            type slave;
            masters { 10.0.0.1 key one; };
            file "/etc/bind/zones/white.com.one.db";
        };
    };

    view "two" {
        match-clients { two; };
        server 10.0.0.1 { keys two; };
        recursion yes;
        zone "black.com" {
            type slave;
            masters { 10.0.0.1 key one; };
            file "/etc/bind/zones/black.com.two.db";
        };
        zone "white.com" {
            type slave;
            masters { 10.0.0.1 key one; };
            file "/etc/bind/zones/white.com.two.db";
        };
    };

