Home / server / Questions / 866288
In Process
Jacob Evans
Asked: 2017-08-02 06:02:23 +0800 CST

How can I do a zone transfer with dig when using bind views

  • 772

I have a bind cluster with private/public records stored in (2) views and configured with TSIG. Standard slave operation works but I'd like to use dig to transfer the zones for troubleshooting/testing.

Typically I'd use dig example.com @ns1.example.com -y tsig-key:SECRETCODE however this is denied as the key is only assigned to the view public.

Reproduce: Attempt a dig axfr from a client in the internal view.

Transfer Fails:

dig AXFR example.com -y external:xxxxxxxx

Transfer Succeeds

dig AXFR example.com -y internal:xxxxxxxx
domain-name-system

1 Answers

  1. Simply set up an additional key for the internal view and configure bind to allow the key to act as a selector for a specific view: 

    key "external" {
  algorithm hmac-md5;
  secret "xxxxxxxx";
};
key "internal" {
  algorithm hmac-md5;
  secret "yyyyyyyy";
};
view "internal" {
  match-clients { key internal; 10.0.1/24; };
  server 10.0.1.1 {
    /* Deliver notify messages to external view. */
    keys { external; };
  };
  zone "example.com" {
    type master;
    file "internal/example.db";
    ...
  };
};
view "external" {
  match-clients { key external; any; };
  zone "example.com" {
    type master;
    file "external/example.db";
    ...
  };
};
    • 2