bind9在多view情况下通过TSIG key实现主dns和多个辅DNS的同步传输
Master dns 192.168.8.1
slave dns 192.168.8.2,192.168.8.3,192.168.8.4
//-------------------------------------------------------------
提示:TSIG key的使用详见“bind9在view情况下通过TSIG key实现nsupdate功能”
Master dns named.conf配置如下:
key "rndc-key" { algorithm hmac-md5; secret "PpRyh6fU1ejnutT+jafXag=="; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
acl "trusted" { 192.168.0.0/16; localhost; };
acl "xfer" { 192.168.8.1; 192.168.8.2; 192.168.8.3; 192.168.8.4; }; //主辅dns-ip地址
acl "nic" { 172.16.0.0/27; }; //用于管理dns的地址
logging { ... };
options { ...
allow-transfer { xfer; nic; }; //全局允许读取zone数据的ip
};
include "isp/cernet.conf";
include "isp/chinanet.conf";
key "cernet-key" { algorithm hmac-md5; secret "ALiFYsMuRdD03+V5qiNxnA=="; };
key "chinanet-key" { algorithm hmac-md5; secret "dMZeJ1vhhjjoig+sFYjZvg=="; };
key "defaultisp-key" { algorithm hmac-md5; secret "dkMHny2EEQSmvfiGKeL9YA=="; };
view "internal-in" in { // 定义一个名为 internal-in 的 view
match-clients { key rndc-key; !xfer; trusted; }; // 范围是匹配那些用 rndc-key 加密的,以及 trusted, 另外:主辅dns-ip包含在trusted中,"!xfer"排除主dns-ip是为了主dns在执行nsupdate时使用key匹配所有的view; 排除辅dns-ip是为了辅dns能够在同步zone时通过key匹配所有的view
allow-transfer { key rndc-key; nic; }; // 只允许用 rndc-key 加密过的 zone transfer 请求
server 192.168.8.2 { keys rndc-key; }; // 向从服务器发送消息时,用 rndc-key 加密
server 192.168.8.3 { keys rndc-key; }; //配置多个slave的ip
server 192.168.8.4 { keys rndc-key; };
recursion yes; // 允许处理来自 internal-in 的主机的递归请求
additional-from-auth yes;
additional-from-cache yes;
zone "." { type hint; file "named.root"; };
zone "0.0.127.in-addr.arpa" { type master; file "local/localhost.rev"; };
zone "localhost" { type master; file "local/localhost.zone"; };
zone "8.168.192.in-addr.arpa" { type master; file "master/8.168.192.in-addr.arpa.zone"; };
zone "test.com" { type master; file "master/test.com.in.zone"; allow-update { key rndc-key; }; };
};
view "external-cernet" in {
match-clients { key cernet-key; cernet; };
allow-transfer { key cernet-key; };
server 192.168.8.2 { keys cernet-key; };
server 192.168.8.3 { keys cernet-key; };
server 192.168.8.4 { keys cernet-key; };
recursion no; // 禁止所有人向从服务器请求 zone transfer
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type master; file "master/test.com.cernet.zone"; allow-update { key cernet-key; }; };
};
view "external-chinanet" in {
match-clients { key chinanet-key; chinanet; };
allow-transfer { key chinanet-key; };
server 192.168.8.2 { keys chinanet-key; };
server 192.168.8.3 { keys chinanet-key; };
server 192.168.8.4 { keys chinanet-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type master; file "master/test.com.chinanet.zone"; allow-update { key chinanet-key; }; };
};
view "external" in {
match-clients { key defaultisp-key; any; };
allow-transfer { key defaultisp-key; };
server 192.168.8.2 { keys defaultisp-key; };
server 192.168.8.3 { keys defaultisp-key; };
server 192.168.8.4 { keys defaultisp-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type master; file "master/test.com.out.zone"; allow-update { key defaultisp-key; }; };
};
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
acl "trusted" { 192.168.0.0/16; localhost; };
acl "xfer" { 192.168.8.1; 192.168.8.2; 192.168.8.3; 192.168.8.4; }; //主辅dns-ip地址
acl "nic" { 172.16.0.0/27; }; //用于管理dns的地址
logging { ... };
options { ...
allow-transfer { xfer; nic; }; //全局允许读取zone数据的ip
};
include "isp/cernet.conf";
include "isp/chinanet.conf";
key "cernet-key" { algorithm hmac-md5; secret "ALiFYsMuRdD03+V5qiNxnA=="; };
key "chinanet-key" { algorithm hmac-md5; secret "dMZeJ1vhhjjoig+sFYjZvg=="; };
key "defaultisp-key" { algorithm hmac-md5; secret "dkMHny2EEQSmvfiGKeL9YA=="; };
view "internal-in" in { // 定义一个名为 internal-in 的 view
match-clients { key rndc-key; !xfer; trusted; }; // 范围是匹配那些用 rndc-key 加密的,以及 trusted, 另外:主辅dns-ip包含在trusted中,"!xfer"排除主dns-ip是为了主dns在执行nsupdate时使用key匹配所有的view; 排除辅dns-ip是为了辅dns能够在同步zone时通过key匹配所有的view
allow-transfer { key rndc-key; nic; }; // 只允许用 rndc-key 加密过的 zone transfer 请求
server 192.168.8.2 { keys rndc-key; }; // 向从服务器发送消息时,用 rndc-key 加密
server 192.168.8.3 { keys rndc-key; }; //配置多个slave的ip
server 192.168.8.4 { keys rndc-key; };
recursion yes; // 允许处理来自 internal-in 的主机的递归请求
additional-from-auth yes;
additional-from-cache yes;
zone "." { type hint; file "named.root"; };
zone "0.0.127.in-addr.arpa" { type master; file "local/localhost.rev"; };
zone "localhost" { type master; file "local/localhost.zone"; };
zone "8.168.192.in-addr.arpa" { type master; file "master/8.168.192.in-addr.arpa.zone"; };
zone "test.com" { type master; file "master/test.com.in.zone"; allow-update { key rndc-key; }; };
};
view "external-cernet" in {
match-clients { key cernet-key; cernet; };
allow-transfer { key cernet-key; };
server 192.168.8.2 { keys cernet-key; };
server 192.168.8.3 { keys cernet-key; };
server 192.168.8.4 { keys cernet-key; };
recursion no; // 禁止所有人向从服务器请求 zone transfer
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type master; file "master/test.com.cernet.zone"; allow-update { key cernet-key; }; };
};
view "external-chinanet" in {
match-clients { key chinanet-key; chinanet; };
allow-transfer { key chinanet-key; };
server 192.168.8.2 { keys chinanet-key; };
server 192.168.8.3 { keys chinanet-key; };
server 192.168.8.4 { keys chinanet-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type master; file "master/test.com.chinanet.zone"; allow-update { key chinanet-key; }; };
};
view "external" in {
match-clients { key defaultisp-key; any; };
allow-transfer { key defaultisp-key; };
server 192.168.8.2 { keys defaultisp-key; };
server 192.168.8.3 { keys defaultisp-key; };
server 192.168.8.4 { keys defaultisp-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type master; file "master/test.com.out.zone"; allow-update { key defaultisp-key; }; };
};
slave dns named.conf配置如下(3个slave配置基本相同):
key "rndc-key" { algorithm hmac-md5; secret "PpRyh6fU1ejnutT+jafXag=="; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
acl "trusted" { 192.168.0.0/16; localhost; };
logging { ... };
options { ...
allow-transfer { none; };
};
include "isp/cernet.conf";
include "isp/chinanet.conf";
key "cernet-key" { algorithm hmac-md5; secret "ALiFYsMuRdD03+V5qiNxnA=="; };
key "chinanet-key" { algorithm hmac-md5; secret "dMZeJ1vhhjjoig+sFYjZvg=="; };
key "defaultisp-key" { algorithm hmac-md5; secret "dkMHny2EEQSmvfiGKeL9YA=="; };
view "internal-in" in {
match-clients { key rndc-key; !192.168.8.1; trusted; }; //主dns-ip包含在trusted中,排除192.168.8.1是为了当主dns执行nsupdate通知所有主辅dns进行更新时,能够通过key匹配到正确view。nsupdate详见文章“bind9在view情况下通过TSIG key实现nsupdate功能”
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
acl "trusted" { 192.168.0.0/16; localhost; };
logging { ... };
options { ...
allow-transfer { none; };
};
include "isp/cernet.conf";
include "isp/chinanet.conf";
key "cernet-key" { algorithm hmac-md5; secret "ALiFYsMuRdD03+V5qiNxnA=="; };
key "chinanet-key" { algorithm hmac-md5; secret "dMZeJ1vhhjjoig+sFYjZvg=="; };
key "defaultisp-key" { algorithm hmac-md5; secret "dkMHny2EEQSmvfiGKeL9YA=="; };
view "internal-in" in {
match-clients { key rndc-key; !192.168.8.1; trusted; }; //主dns-ip包含在trusted中,排除192.168.8.1是为了当主dns执行nsupdate通知所有主辅dns进行更新时,能够通过key匹配到正确view。nsupdate详见文章“bind9在view情况下通过TSIG key实现nsupdate功能”
allow-transfer { none; }; // 禁止所有人向从服务器请求 zone transfer
server 192.168.8.1 { keys rndc-key; }; // 向主服务器发送消息时,用 rndc-key 加密
server 192.168.8.1 { keys rndc-key; }; // 向主服务器发送消息时,用 rndc-key 加密
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
zone "." { type hint; file "named.root"; };
zone "0.0.127.in-addr.arpa" { type master; file "local/localhost.rev"; };
zone "localhost" { type master; file "local/localhost.zone"; };
zone "test.com" { type slave; file "slaves/test.com.in.zone"; masters { 192.168.8.1; }; };
};
view "external-cernet" in {
match-clients { key cernet-key; cernet; };
server 192.168.8.1 { keys cernet-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type slave; file "slaves/test.com.cernet.zone"; masters { 192.168.8.1; }; };
};
view "external-chinanet" in {
match-clients { key chinanet-key; chinanet; };
server 192.168.8.1 { keys chinanet-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type slave; file "slaves/test.com.chinanet.zone"; masters { 192.168.8.1; }; };
};
view "external" in {
match-clients { key defaultisp-key; any; };
server 192.168.8.1 { keys defaultisp-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type slave; file "slaves/test.com.out.zone"; masters { 192.168.8.1; }; };
};
additional-from-auth yes;
additional-from-cache yes;
zone "." { type hint; file "named.root"; };
zone "0.0.127.in-addr.arpa" { type master; file "local/localhost.rev"; };
zone "localhost" { type master; file "local/localhost.zone"; };
zone "test.com" { type slave; file "slaves/test.com.in.zone"; masters { 192.168.8.1; }; };
};
view "external-cernet" in {
match-clients { key cernet-key; cernet; };
server 192.168.8.1 { keys cernet-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type slave; file "slaves/test.com.cernet.zone"; masters { 192.168.8.1; }; };
};
view "external-chinanet" in {
match-clients { key chinanet-key; chinanet; };
server 192.168.8.1 { keys chinanet-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type slave; file "slaves/test.com.chinanet.zone"; masters { 192.168.8.1; }; };
};
view "external" in {
match-clients { key defaultisp-key; any; };
server 192.168.8.1 { keys defaultisp-key; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "test.com" { type slave; file "slaves/test.com.out.zone"; masters { 192.168.8.1; }; };
};
同步过程分析:(引用:ChinaUnix )
View Code
1)你修改并 reload 了 telecom view 的 bob.com. 这个 zone 。注意!正确的命令是 rndc reload bob.com. IN telecom ,记得加上后面的 "IN telecom‘ 。
2)主服务器将向从服务器发送一个 notify 消息,这个消息是用 telecomkey 标识过的。
(主→从 :notify)
3)当从服务器收到这个 notify 消息时,会根据消息尾部的 TSIG 部分找出 key 的名称 :telecomkey 。
4)从服务器对比每个 view 的 match-clients ,发现匹配 telcom 这个 view 的设定
5)从服务器返回一个 notify response 消息,根据 telecom view 的 server 语句,用 telecomkey 加密并发给主服务器。
(从→主 :notify response)
6)接着从服务器就会启动 soa query,同样该 query 也是用 telecomkey 加密的。(从→主 :soa query)
7)主服务器收到这个 soa query 后,发现是用 telecom key加密的 ,返回 telecom 的 bob.com. SOA 记录,并用 telecomkey 进行表示
(主→从 :soa query response)
8)从服务器在收到来自主服务器的 response 后,和它自己 telecom view 的 bob.com zone 的 serial 比较,发现的确是增大了
8)从服务器向主服务器发送 tcp 消息,请求 zone transfer (从→主 :zone transfer 请求)
9)主服务器检查 telecom view 的 allow-transfer ,发现该请求是以 telecomkey 加密的,则允许进行 zone transfer
10)主服务器返回 telecom view 的 bob.com 这个 zone 的数据(来自文件 bob.com.telecom)
(主→从 :zone transfer 开始)
11)zone transfer 完成,主从服务器关闭 TCP 连接 (zone transfer 完成)
2)主服务器将向从服务器发送一个 notify 消息,这个消息是用 telecomkey 标识过的。
(主→从 :notify)
3)当从服务器收到这个 notify 消息时,会根据消息尾部的 TSIG 部分找出 key 的名称 :telecomkey 。
4)从服务器对比每个 view 的 match-clients ,发现匹配 telcom 这个 view 的设定
5)从服务器返回一个 notify response 消息,根据 telecom view 的 server 语句,用 telecomkey 加密并发给主服务器。
(从→主 :notify response)
6)接着从服务器就会启动 soa query,同样该 query 也是用 telecomkey 加密的。(从→主 :soa query)
7)主服务器收到这个 soa query 后,发现是用 telecom key加密的 ,返回 telecom 的 bob.com. SOA 记录,并用 telecomkey 进行表示
(主→从 :soa query response)
8)从服务器在收到来自主服务器的 response 后,和它自己 telecom view 的 bob.com zone 的 serial 比较,发现的确是增大了
8)从服务器向主服务器发送 tcp 消息,请求 zone transfer (从→主 :zone transfer 请求)
9)主服务器检查 telecom view 的 allow-transfer ,发现该请求是以 telecomkey 加密的,则允许进行 zone transfer
10)主服务器返回 telecom view 的 bob.com 这个 zone 的数据(来自文件 bob.com.telecom)
(主→从 :zone transfer 开始)
11)zone transfer 完成,主从服务器关闭 TCP 连接 (zone transfer 完成)
特别注意,以下几种常见无法同步的原因:
a)key 在另一台 server 上不存在
b)同一个名称的 key 在两台 server 上的内容不一样
c)两台 server 的时间不同步,导致 TSIG key 验证通不过。所以最好两台 server 用 ntp 进行同步。这种情况比较隐蔽,需要特别注意。经过试验,两台 server 如果时间相差超过 5min 就会导致失败。