
平台论坛博客文库

› 论坛 › IT运维 › 服务器应用 › [設定心得] Bind9 View 底下的 master/slave 設定方案

1 2 3 45 / 5 页

[DNS] [設定心得] Bind9 View 底下的 master/slave 設定方案 [复制链接]

shawnlau

稍有积蓄

论坛徽章:: 0

41楼 [报告]

发表于 2008-09-23 19:42 |只看该作者

有得学了！感谢楼主

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

DreamJiang

稍有积蓄

论坛徽章:: 0

42楼 [报告]

发表于 2008-09-27 13:04 |只看该作者

在利用view配置时，有一个问题想请问各位老大：有两个域，一个内部域abc.sz，一个外部域abc.com.cn，在view的配置中，对于abc.com.cn这个域中的A记录，利用view来配置针对来源的IP地址不同解析后的地址不同（例如：对于192.168.10/24这个内网段的来源IP时，ftp.abc.com.cn解析成192.168.1.8，而对于外网的网段的来源IP时，ftp.abc.com.cn就解析成公网IP），这个功能的正解析己经实现。问题就在于反解析的设置，对于192.168.1.0/24这个内网段的来源IP时，内部域abc.sz与外部域abc.com.cn的反解析在zone中定义将会是一样的zone "1.168.192.in-addr.arpa"，这样就会产生错误。请大家指教。

dgvri

丰衣足食

论坛徽章:: 0

43楼 [报告]

发表于 2010-01-14 17:39 |只看该作者

搞了一星期多了,上来说说我的过程.
这时只说基于KEY的VIEW的master/slave,IP的哪种做法没搞成,也太落后了.

BIND 9.3 and later: Use TSIG to select the appropriate view.
Master 10.0.1.1:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.2 { keys external; };
recursion no;
...
};
Slave 10.0.1.2:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.1 { keys external; };
recursion no;
...
};

复制代码

这是官方的写法
首

dgvri

丰衣足食

论坛徽章:: 0

44楼 [报告]

发表于 2010-01-14 17:44 |只看该作者

我只做了基于KEY的VIEW的master/slave,IP的没搞成.

BIND 9.3 and later: Use TSIG to select the appropriate view.
Master 10.0.1.1:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.2 { keys external; };
recursion no;
...
};
Slave 10.0.1.2:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.1 { keys external; };
recursion no;
...
};

复制代码

上面是官方的一个例子,首先要注意:
1,它只有一个key.人家没说一个VIEW用一个KEY,哪就可能是这样不行,我试了,也的确不行.
2,只有第二个VIEW里才有server,不要把第一个VIEW里也加上SERVER.
好像就上面要注意的两条,我现在只是搞了两个VIEW,下一步准备测试多个VIEW的master/slave,有消息了再上来写个全的

dgvri

丰衣足食

论坛徽章:: 0

45楼 [报告]

发表于 2010-01-21 13:07 |只看该作者

bind-view 3个view,使用key进行master/slave同步的配置.

master配置:

acl ns { master-ip; slave-ip; };
acl oob { 192.168.1.0/24; };
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
zone-statistics yes;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
also-notify { slave-ip; };
allow-transfer { ns; 192.168.1.179; };
};
logging {
channel default_syslog { syslog daemon; severity info; };
channel default_debug { file "/var/log/named/named.run" versions 9 size 20m; severity dynamic; print-time yes; };
channel default_stderr { stderr; severity info; };
channel null { null; };
channel general_debug { file "/var/log/named/named.general" versions 9 size 20m; severity dynamic; print-time yes; };
channel database_debug { file "/var/log/named/named.database" versions 9 size 20m; severity dynamic; print-time yes; };
channel query_log { file "/var/log/named/named.query" versions 9 size 20m; severity dynamic; print-time yes; };
channel resolver_log { file "/var/log/named/named.resolver" versions 9 size 20m; severity dynamic; print-time yes; };
channel security_log { file "/var/log/named/named.security" versions 9 size 20m; severity dynamic; print-time yes; };
category default { default_syslog; default_debug; };
category queries { query_log; };
category resolver { resolver_log; };
category security { security_log; };
category unmatched { null; };
};
//Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
algorithm hmac-md5;
secret "HkdwPa6NZfCrDmasdasfdasfvD4BXWKg==";
};
key "key2" {
algorithm hmac-md5;
secret "E+NE8ykoZSAtSlKasdfasdfasfdas5uqKnHg==";
};
//key "cnc" {
// algorithm hmac-md5;
// secret "iJaP+mZkvdqYERasdfasdfasdfasDR93QeWw==";
//};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
include "ct.acl";
include "cnc.acl";
include "office.acl";
view view_office {
match-clients { !key rndc-key; !key key2; office; oob; ns; localhost; };
allow-recursion { office; oob; ns; localhot; };
zone "." IN { type hint; file "cnc/named.ca";};
zone "localhost" IN {type master;file "cnc/localhost.zone"; };
zone "127.in-addr.arpa" IN {type master;file "cnc/127.zone"; };
zone "0.in-addr.arpa" { type master; file "cnc/db.0"; };
zone "b.com" { type master; file "cnc/b.com"; };
zone "ba.cn" { type master; file "cnc/bao.cn"; };
zone "oob.b.com" { type master; file "cnc/oob.b.com"; };
zone "245.xxx.xxx.in-addr.arpa" { type master; file "reverse/xxx.xxx.245"; };
zone "250.xxx.xxx..in-addr.arpa" { type master; file "reverse/xxx.xxx.250"; };
zone "138.xxx.xxx.in-addr.arpa" { type master; file "reverse/xxx.xxx.138"; };
zone "1.168.192.in-addr.arpa" { type master; file "reverse/192.168.1"; };
};
view view_cnc {
match-clients { !key rndc-key; office; oob; ns; cnc; localhost; };
server slave-ip { keys { key2; }; };
recursion no;
zone "." IN { type hint; file "cnc/named.ca";};
zone "localhost" IN {type master;file "cnc/localhost.zone"; };
zone "127.in-addr.arpa" IN {type master;file "cnc/127.zone"; };
zone "0.in-addr.arpa" { type master; file "cnc/db.0"; };
zone "b.com" { type master; file "cnc/b.com"; };
zone "bao.cn" { type master; file "cnc/bao.cn"; };
zone "245.xxx.xxx.in-addr.arpa" { type master; file "reverse/xxx.xxx.245"; };
zone "250.xxx.xxx.in-addr.arpa" { type master; file "reverse/xxx.xxx.250"; };
zone "138.xxx.xxx.in-addr.arpa" { type master; file "reverse/xxx.xxxx.138"; };
};
view view_ct {
match-clients { !key key2; key rndc-key; any; };
server slave-ip { keys { rndc-key; }; };
recursion no;
zone "." IN { type hint; file "ct/named.ca";};
zone "localhost" IN {type master;file "ct/localhost.zone"; };
zone "127.in-addr.arpa" IN {type master;file "ct/127.zone"; };
zone "0.in-addr.arpa" { type master; file "ct/db.0"; };
zone "b.com" { type master; file "ct/b.com"; };
zone "bao.cn" { type master; file "ct/bao.cn"; };
zone "245.xxx.xxx.in-addr.arpa" { type master; file "reverse/xxx.xxx.245"; };
zone "250.xxx.xxx.in-addr.arpa" { type master; file "reverse/xxx.xxx.250"; };
zone "138.xxx.xxx.in-addr.arpa" { type master; file "reverse/xxx.xxx.138"; };
};

复制代码

[ 本帖最后由 dgvri 于 2010-1-21 13:11 编辑 ]

dgvri

丰衣足食

论坛徽章:: 0

46楼 [报告]

发表于 2010-01-21 13:08 |只看该作者

slave-- 配置:

acl ns { master-ip; slave-ip; };
acl oob { 192.168.1.0/24; };
options {
directory "/var/named";
dump-file "/var/log/named/cache_dump.db";
zone-statistics yes;
statistics-file "/var/log/named/named_stats.txt";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
};
logging {
channel default_syslog { syslog daemon; severity info; };
channel default_debug { file "/var/log/named/named.run" versions 9 size 20m; severity dynamic; print-time yes; };
channel default_stderr { stderr; severity info; };
channel null { null; };
channel general_debug { file "/var/log/named/named.general" versions 9 size 20m; severity dynamic; print-time yes; };
channel database_debug { file "/var/log/named/named.database" versions 9 size 20m; severity dynamic; print-time yes; };
channel query_log { file "/var/log/named/named.query" versions 9 size 20m; severity dynamic; print-time yes; };
channel resolver_log { file "/var/log/named/named.resolver" versions 9 size 20m; severity dynamic; print-time yes; };
channel security_log { file "/var/log/named/named.security" versions 9 size 20m; severity dynamic; print-time yes; };
category default { default_syslog; default_debug; };
category queries { query_log; };
category resolver { resolver_log; };
category security { security_log; };
category unmatched { null; };
};
//Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
algorithm hmac-md5;
secret "HkdwPa6NZfCrDmvDasdfasdfasf4BXWKg==";
};
key "key2" {
algorithm hmac-md5;
secret "E+NE8ykoZSAsfdadsfasdfastSlK5uqKnHg==";
};
//key "cnc" {
// algorithm hmac-md5;
// secret "iJaP+mZkvdqYasdfasdfasdfERDR93QeWw==";
//};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
include "ct.acl";
include "cnc.acl";
include "office.acl";
view view_office {
match-clients { !key rndc-key; !key key2; office; oob; ns; localhost; };
allow-recursion { office; oob; ns; localhost; };
zone "." IN { type hint; file "cnc/named.ca"; };
zone "localhost" IN {type master; file "cnc/localhost.zone"; };
zone "127.in-addr.arpa" IN {type master; file "cnc/127.zone"; };
zone "0.in-addr.arpa" { type master; file "cnc/db.0"; };
zone "b.com" { type slave; file "cnc/b.com"; masters { master-ip; }; };
zone "bao.cn" { type slave; file "cnc/bao.cn"; masters { master-ip; }; };
zone "oob.b.com" { type slave; file "cnc/oob.b.com"; masters { master-ip; }; };
zone "xxx.xxx.219.in-addr.arpa" { type slave; file "reverse/xxx.xxx.245"; masters { master-ip; }; };
zone "xxx.xxx.124.in-addr.arpa" { type slave; file "reverse/xxx.xxx.250"; masters { master-ip; }; };
zone "xxx.xxx.221.in-addr.arpa" { type slave; file "reverse/xxx.xxx.138"; masters { master-ip; }; };
zone "1.168.192.in-addr.arpa" { type slave; file "reverse/192.168.1"; masters { master-ip; }; };
};
view view_cnc {
match-clients { !key rndc-key; office; oob; ns; cnc; localhost; };
server master-ip { keys { key2; }; };
recursion no;
zone "." IN { type hint; file "cnc/named.ca"; };
zone "localhost" IN {type master; file "cnc/localhost.zone"; };
zone "127.in-addr.arpa" IN {type master; file "cnc/127.zone"; };
zone "0.in-addr.arpa" { type master; file "cnc/db.0"; };
zone "b.com" { type slave; file "cnc/b.com"; masters { master-ip; }; };
zone "bao.cn" { type slave; file "cnc/bao.cn"; masters { master-ip; }; };
zone "xxx.xxx.219.in-addr.arpa" { type slave; file "reverse/xxx.xxx.245"; masters { master-ip; }; };
zone "xxx.xxx.124.in-addr.arpa" { type slave; file "reverse/xxx.xxx.250"; masters { master-ip; }; };
zone "xxx.xxx.221.in-addr.arpa" { type slave; file "reverse/xxx.xxx.138"; masters { master-ip; }; };
};
view view_ct {
match-clients { !key key2; key rndc-key; ct; any; };
server master-ip { keys { rndc-key; }; };
recursion no;
zone "." IN { type hint; file "ct/named.ca";};
zone "localhost" IN {type master;file "ct/localhost.zone"; };
zone "127.in-addr.arpa" IN {type master;file "ct/127.zone"; };
zone "0.in-addr.arpa" { type master; file "ct/db.0"; };
zone "b.com" { type slave; file "ct/b.com"; masters { master-ip; }; };
zone "bao.cn" { type slave; file "ct/bao.cn"; masters { master-ip; }; };
zone "xxx.xxx.219.in-addr.arpa" { type slave; file "reverse/xxx.xxx.245"; masters { master-ip; }; };
zone "xxx.xxx.124.in-addr.arpa" { type slave; file "reverse/xxx.xxx.250"; masters { master-ip; }; };
zone "xxx.xxx.221.in-addr.arpa" { type slave; file "reverse/xxx.xxx.138"; masters { master-ip; }; };
};

复制代码

注：

master-ip,slave-ip都是实际的IP，我这里给去掉了。

office-view只匹配公司IP，开放递归功能，可以做为cache-dns使用，这个VIEW不使用KEY，我想默认应该是使用IP同步的吧，这一点大家可以讨论下。

cnc-view只匹配CNC，NS等这些IP，！掉另一个key，这样它应该会用另一个key来同步。

ct-view同步，只是acl设为any，这样匹配不上前两个的IP都会用这个。

测试：
把master上的zone文件中的serial号改大，rcdc reload后slave上的会马上同步。

[ 本帖最后由 dgvri 于 2010-1-21 13:10 编辑 ]

1 2 3 45 / 5 页

返回列表

Chinaunix › 论坛 › IT运维 › 服务器应用 › [設定心得] Bind9 View 底下的 master/slave 設定方案

[DNS] [設定心得] Bind9 View 底下的 master/slave 設定方案 [复制链接]

浏览过的版块