bind多个view的主备同步

上一篇blog简单写了一下使用nsupdate动态更新DNS记录。今天再写一下在多个view的时候如何设置主备的自动同步。
多个view的主备同步，主要是主备之间每个view都使用共享key对消息进行签名。master的配置和之前的相比稍微有一点小改动


// rndc.key: the key for the rndc control channel declared in "controls" below.
// views.key: presumably holds the TSIG "key" statements named test1, test2 and
// default that the views reference (its contents are not shown here -- verify).
// Both files carry shared secrets and should be readable by the named user only.
include "/opt/bind/etc/rndc.key";
include "/opt/bind/etc/views.key";
//
// rndc control channel: bound to loopback, and the caller must both come from
// 127.0.0.1 and sign with "rndc-key" (both conditions are required).
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};
//
// Client network that view "test1" is built for (used in its match-clients).
acl test1 {
    10.201.0.0/16;
};
// Client network that view "test2" is built for (used in its match-clients).
acl test2 {
    192.0.0.0/8;
};
// Hosts allowed to pull zone transfers (referenced only by allow-transfer in
// options, never by a match-clients, so it does not influence view selection;
// the slave's address must stay out of the view acls above for the TSIG-based
// view routing to work).
acl slavedns {  
        10.144.149.61;
        127.0.0.1;
};
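options {
     listen-on port 53 { any; };
     listen-on-v6  { none; };
     directory      "/opt/bind/etc/";
     dump-file      "/opt/bind/var/named/data/cache_dump.db";
     statistics-file "/opt/bind/var/named/data/named_stats.txt";
     memstatistics-file "/opt/bind/var/named/data/named_mem_stats.txt";
     zone-statistics yes;
     allow-query     { any; };
# recursion config
     // This server is authoritative and recursive at the same time and listens
     // on every address. Without allow-recursion, any view that admits a
     // client (view "default" matches any) recurses for it, i.e. an open
     // resolver. Limit recursion to the networks the views are built for plus
     // localhost; a view can still override this with its own allow-recursion.
     allow-recursion { localhost; test1; test2; };
     recursion yes;
     max-ncache-ttl 60;
     recursive-clients 2000;
# dnssec config
     // dnssec-enable is deprecated in newer BIND releases; harmless to keep.
     dnssec-enable yes;
     // NOTE(review): "yes" (unlike "auto") validates only against trust anchors
     // supplied via trusted-keys/managed-keys, none of which appear in this
     // file -- confirm they come from an include, otherwise use "auto".
     dnssec-validation yes;
     // "dnssec-lookaside auto;" (DLV) removed: ISC retired the DLV registry and
     // newer BIND releases warn about or reject the option.
# rrt config
     rate-limit {
        responses-per-second 20;
        qps-scale  1000;
        window 4;
        slip 2;
        ipv4-prefix-length 32;
    };
# rpz config
    response-policy {
        zone "rpz.zone"  policy given;
   };
# log query
      querylog yes;
#define version
      version "GNUer's dns 2.0";
## transfer config
      // NOTIFY goes only to the also-notify list, not to every NS of the zone.
      notify explicit;
      tcp-clients 2000;
      transfers-out 100;
      // Transfers are gated by address here; which per-view copy the slave
      // receives is decided by the TSIG key it signs with (views' match-clients).
      allow-transfer {  slavedns; 127.0.0.1;};
      // Inherited by every zone in every view (the per-view also-notify lines
      // are commented out); the "server" statement in each view signs the
      // NOTIFY with that view's key.
      also-notify { 10.144.149.61; };
     /* Path to ISC DLV key */
     #bindkeys-file "/opt/bind/etc/named.iscdlv.key";
};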

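logging {
  // File channels rotate at 100m keeping "versions" old files; "severity
  // dynamic" follows the debug level set at run time via rndc.
  channel default_syslog { file "/opt/bind/var/log/named.syslog" versions 5 size 100m; severity dynamic; print-time yes;};
  channel default_debug { file "/opt/bind/var/log/named.run" versions 5 size 100m; severity dynamic; print-time yes;};
  channel default_stderr { stderr; severity info; };
  channel null { null; };
  channel general_debug { file "/opt/bind/var/log/named.general" versions 3 size 100m; severity dynamic; print-time yes;};
  channel database_debug { file "/opt/bind/var/log/named.database" versions 3 size 100m; severity dynamic; print-time yes;};
  channel query_log { file "/opt/bind/var/log/named.query" versions 3 size 100m; severity dynamic; print-time yes;print-severity yes; print-category yes;};
  channel resolver_log { file "/opt/bind/var/log/named.resolver" versions 3 size 100m; severity dynamic; print-time yes;};
  channel security_log { file "/opt/bind/var/log/named.security" versions 3 size 100m; severity dynamic; print-time yes;};
  channel notify_log { file "/opt/bind/var/log/named.notify" versions 3 size 100m; severity dynamic; print-time yes;};
  channel rrt_log { file "/opt/bind/var/log/named.rrt" versions 3 size 100m; severity dynamic; print-time yes;};
  channel rpz_log { file "/opt/bind/var/log/named.rpz" versions 3 size 100m; severity dynamic; print-time yes;};
  // The catch-all previously went to null, silently discarding every category
  // not listed below (config, client, lame-servers, ...). Keep it on file so
  // startup and configuration problems remain visible.
  category default { default_syslog; };
  // Wire up the two channels that were defined above but never referenced.
  category general { general_debug; };
  category database { database_debug; };
  category queries { query_log; };
  category resolver { resolver_log; };
  // "security": approval and denial of requests (refused updates/transfers).
  category security { security_log; };
  // "dnssec": DNSSEC and TSIG processing -- where signature failures on the
  // key-signed NOTIFY/AXFR traffic between the views show up.
  category dnssec { security_log; };
  category notify { notify_log; };
  // Transfers in/out and dynamic updates share one file with notify so a
  // zone's whole replication story can be read in one place.
  category xfer-in { notify_log; };
  category xfer-out { notify_log; };
  category update { notify_log; };
  category unmatched {default_syslog; };
  category rate-limit {rrt_log;};
  category rpz {rpz_log;};
};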
// View for clients in acl test1. The "key test1" element in match-clients also
// admits requests signed with that TSIG key from any address; that is how the
// slave's SOA/AXFR queries (signed with test1 on its side) land in this view's
// copy of test.org rather than in "default".
view "test1" {
    recursion yes;
    allow-query { any; };
    match-clients {test1; key test1;};
    // Dynamic updates to master zones in this view must be signed with test1.
    allow-update { key test1; };
    // Sign everything sent to the slave (the NOTIFY triggered by also-notify
    // in options) with test1 so the slave's match-clients selects its own
    // "test1" view for this zone copy.
    server 10.144.149.61 {keys  test1;};
  //  also-notify { 10.144.149.61; };
    zone "test.org" {
        type master;
        // One data file per view for the same zone name.
        file "master/test.org.view1";
    };      
    // Local response-policy zone named in options; it is "master" on both
    // servers, so it is not replicated by this setup.
    zone "rpz.zone" {
       type master;
       file "master/rpz.zone";
       allow-update {none;};
   };
   zone "."{
     type hint;
     file "named.root";
   };
};

// View for clients in acl test2; same mechanics as "test1" with key test2.
// Address elements of match-clients are tried first, so a peer whose address
// sits in acl test1 would never reach this view by key -- keep the slave's
// address out of the view acls.
view "test2" {
    recursion yes;
    allow-query { any; };
    // Outgoing NOTIFY to the slave is signed with test2.
    server 10.144.149.61 {keys  test2;};
    match-clients {test2; key test2;};
    // Dynamic updates to master zones in this view must be signed with test2.
    allow-update { key test2; };
   // also-notify { 10.144.149.61; };
    zone "test.org" {
        type master;
        // Per-view copy of the zone.
        file "master/test.org.view2";
    };      
    // Local response-policy zone, not replicated (master on both servers).
    zone "rpz.zone" {
       type master;
       file "master/rpz.zone";
       allow-update {none;};
   };
   zone "."{
     type hint;
     file "named.root";
   };
};
// Catch-all view. "any" is tried first in match-clients, so the "key default"
// element after it never decides anything: the slave's requests signed with
// key default fall through test1/test2 and are caught here by address anyway.
// NOTE(review): with recursion yes and allow-query any, this view recurses
// for every source that reached it unless allow-recursion is restricted
// (here or in options) -- otherwise it is an open resolver.
view "default" {
    recursion yes;
    allow-query { any; };
    // Outgoing NOTIFY to the slave is signed with key default.
    server 10.144.149.61 {keys  default;};
    match-clients {any;key default; };
    // Dynamic updates to master zones in this view must be signed with default.
    allow-update { key default; };
   // also-notify { 10.144.149.61; };
    zone "test.org" {
        type master;
        // Per-view copy of the zone.
        file "master/test.org.default";
    };      
    // Local response-policy zone, not replicated (master on both servers).
    zone "rpz.zone" {
       type master;
       file "master/rpz.zone";
       allow-update {none;};
   };
   zone "."{
     type hint;
     file "named.root";
   };
};

master中的注意事项是:
1. also-notify 可以不用每个view都写一遍，在options里把slave都写全也行（具体也得根据实际的安全需求来定）
2. 每个view内用allow-update设置只允许响应的key进行更新。
3. 需要使用server来指定和对端机器通信的共享密钥。

slave的配置


// rndc.key: key for the rndc control channel below. views.key: presumably the
// same TSIG keys (test1, test2, default) as on the master -- the secrets must
// match on both sides for the signed traffic to verify (contents not shown).
// Keep both files readable by the named user only.
include "/opt/bind/etc/rndc.key";
include "/opt/bind/etc/views.key";
//
// rndc control channel: loopback only, and the caller must also sign with
// "rndc-key".
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};
//
// Client(s) served by view "test1" on the slave; a single host here. The
// master's address (10.161.64.97) is deliberately not in it.
acl test1 {
    10.161.65.8;
};
// Client network served by view "test2" on the slave.
acl test2 {
    192.0.0.0/8;
};

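options {
     listen-on port 53 { any; };
     listen-on-v6  { none; };
     directory      "/opt/bind/etc/";
     dump-file      "/opt/bind/var/named/data/cache_dump.db";
     statistics-file "/opt/bind/var/named/data/named_stats.txt";
     memstatistics-file "/opt/bind/var/named/data/named_mem_stats.txt";
     // Transferred zones are written as text, not raw, so they stay readable.
     masterfile-format text;
     zone-statistics yes;
     allow-query     { any; };
# recursion config
     // Same open-resolver concern as on the master: the "default" view matches
     // any client with recursion yes, so restrict recursion to the networks
     // the views are built for plus localhost.
     allow-recursion { localhost; test1; test2; };
     recursion yes;
     max-ncache-ttl 60;
     recursive-clients 2000;
# dnssec config
     // dnssec-enable is deprecated in newer BIND releases; harmless to keep.
     dnssec-enable yes;
     // NOTE(review): "yes" needs trust anchors from trusted-keys/managed-keys,
     // none visible in this file -- confirm an include provides them, or use
     // "auto".
     dnssec-validation yes;
     // "dnssec-lookaside auto;" (DLV) removed: the DLV registry is retired and
     // newer BIND releases warn about or reject the option.
# rrt config
     rate-limit {
        responses-per-second 20;
        qps-scale  1000;
        window 4;
        slip 2;
        ipv4-prefix-length 32;
    };
# rpz config
    response-policy {
        zone "rpz.zone"  policy given;
   };
# log query
      querylog yes;
#define version
      version "GNUer's dns 2.0";
## transfer config
      notify explicit;
      tcp-clients 2000;
      transfers-out 100;
      // This slave has no downstream servers. Without an explicit statement
      // classic BIND 9 defaults allow-transfer to "any", which would let any
      // client AXFR the copy of test.org in whichever view it matches.
      allow-transfer { none; };

     /* Path to ISC DLV key */
     #bindkeys-file "/opt/bind/etc/named.iscdlv.key";
};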

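logging {
  // File channels rotate at 100m keeping "versions" old files; "severity
  // dynamic" follows the debug level set at run time via rndc.
  channel default_syslog { file "/opt/bind/var/log/named.syslog" versions 5 size 100m; severity dynamic; print-time yes;};
  channel default_debug { file "/opt/bind/var/log/named.run" versions 5 size 100m; severity dynamic; print-time yes;};
  channel default_stderr { stderr; severity info; };
  channel null { null; };
  channel general_debug { file "/opt/bind/var/log/named.general" versions 3 size 100m; severity dynamic; print-time yes;};
  channel database_debug { file "/opt/bind/var/log/named.database" versions 3 size 100m; severity dynamic; print-time yes;};
  channel query_log { file "/opt/bind/var/log/named.query" versions 3 size 100m; severity dynamic; print-time yes;print-severity yes; print-category yes;};
  channel resolver_log { file "/opt/bind/var/log/named.resolver" versions 3 size 100m; severity dynamic; print-time yes;};
  channel security_log { file "/opt/bind/var/log/named.security" versions 3 size 100m; severity dynamic; print-time yes;};
  channel notify_log { file "/opt/bind/var/log/named.notify" versions 3 size 100m; severity dynamic; print-time yes;};
  channel rrt_log { file "/opt/bind/var/log/named.rrt" versions 3 size 100m; severity dynamic; print-time yes;};
  channel rpz_log { file "/opt/bind/var/log/named.rpz" versions 3 size 100m; severity dynamic; print-time yes;};
  // The catch-all previously went to null, silently discarding every category
  // not listed below (config, client, lame-servers, ...). Keep it on file so
  // startup and configuration problems remain visible.
  category default { default_syslog; };
  // Wire up the two channels that were defined above but never referenced.
  category general { general_debug; };
  category database { database_debug; };
  category queries { query_log; };
  category resolver { resolver_log; };
  // "security": approval and denial of requests (refused updates/transfers).
  category security { security_log; };
  // "dnssec": DNSSEC and TSIG processing -- where a wrong or mismatched view
  // key on the signed NOTIFY/AXFR traffic from the master shows up.
  category dnssec { security_log; };
  category notify { notify_log; };
  // Transfers in/out and dynamic updates share one file with notify so a
  // zone's whole replication story can be read in one place.
  category xfer-in { notify_log; };
  category xfer-out { notify_log; };
  category update { notify_log; };
  category unmatched {default_syslog; };
  category rate-limit {rrt_log;};
  category rpz {rpz_log;};
};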
// Slave-side view "test1". The master's NOTIFY for this copy is signed with
// key test1, so "key test1" in match-clients routes it into this view even
// though the master's address is in no acl.
view "test1" {
    recursion yes;
    // Sign the SOA refresh and AXFR/IXFR requests sent to the master with
    // test1, so the master's match-clients answers from its "test1" view.
    server 10.161.64.97 {keys test1; };
    allow-query { any; };
    match-clients {test1; key test1;};
    // NOTE(review): test.org is a slave zone here and rpz.zone overrides this
    // with none, so this allow-update has no master zone left to act on;
    // updates for test.org go to the master (or need allow-update-forwarding)
    // -- confirm intent.
    allow-update { key test1; };
    zone "test.org" {
        type slave;
        // Kept under master/ on the slave too; named overwrites it with the
        // transferred copy.
        file "master/test.org.view1";
    masters { 10.161.64.97; } ;
    };      
    // Local response-policy zone; master on both servers, so maintained by
    // hand on each side, not replicated.
    zone "rpz.zone" {
       type master;
       file "master/rpz.zone";
       allow-update {none;};
   };
   zone "."{
     type hint;
     file "named.root";
   };
};

// Slave-side view "test2"; same mechanics as "test1" with key test2.
view "test2" {
    recursion yes;
    allow-query { any; };
    match-clients {test2; key test2;};
    // Refresh/transfer requests to the master are signed with test2 so the
    // master serves its "test2" copy of the zone.
    server 10.161.64.97 {keys test2; };
    // NOTE(review): no master zone in this view accepts updates (test.org is
    // slave, rpz.zone says none), so this line is effectively inert -- confirm.
    allow-update { key test2; };
    zone "test.org" {
        type slave;
        // Per-view copy received from the master's "test2" view.
    file "master/test.org.view2";
    masters { 10.161.64.97; } ;
    };      
    // Local response-policy zone, not replicated (master on both servers).
    zone "rpz.zone" {
       type master;
       file "master/rpz.zone";
       allow-update {none;};
   };
   zone "."{
     type hint;
     file "named.root";
   };
};
// Slave-side catch-all view. "any" matches first, so the "key default"
// element is never reached; the master's NOTIFY signed with key default falls
// through test1/test2 (wrong key, address in no acl) and is caught here.
// NOTE(review): recursion yes plus allow-query any makes this an open resolver
// for every source unless allow-recursion is restricted here or in options.
view "default" {
    recursion yes;
    allow-query { any; };
    // Refresh/transfer requests to the master are signed with key default so
    // the master serves its "default" copy of the zone.
    server 10.161.64.97 {keys default; };
    match-clients {any;key default; };
    // NOTE(review): effectively inert here (test.org is slave, rpz.zone
    // overrides with none) -- confirm intent.
    allow-update { key default; };
    zone "test.org" {
        type slave;
        // Per-view copy received from the master's "default" view.
        file "master/test.org.default";
    masters { 10.161.64.97; } ;
    };      
    // Local response-policy zone, not replicated (master on both servers).
    zone "rpz.zone" {
       type master;
       file "master/rpz.zone";
       allow-update {none;};
   };
   zone "."{
     type hint;
     file "named.root";
   };
};

slave的配置注意项也是每个view要用server指定和master通信时使用的key，然后限制只有特定的key才能更新。另外需要注意的是slave和master的IP不要出现在任何用于match-clients的acl里：match-clients是按顺序匹配的，一旦对端IP先命中某个acl，后面的key就不会再被检查，请求会被分到错误的view里。

