bind 9.11 - Need assistance with configuration
I'm replacing a RHEL6 server that runs, among other things, bind/named, with a RHEL8 server. As part of this, the bind version updated from 9.8 to 9.11. I'm not a bind wiz in any way, but I foolishly thought this should be a simple update. Unfortunately I ran into a problem I barely even understand, being only slightly familiar w/ bind. Apparently you can no longer have multiple views pointing to the same writable file? It's preventing named from starting.
I did some Googling, and found out that this is indeed the "proper" reaction ever since bind 9.10, and that I am supposed to incorporate in-view references to get around this.
Here's a snip of the errors I get...
Dec 03 16:45:51 server-1a bash[97204]: /etc/named/slave.zones:4: writeable file 'data/test.exampledomain.com.zone': already in use: /etc/named/slave.zones:4
Dec 03 16:45:51 server-1a bash[97204]: /etc/named/slave.zones:10: writeable file 'data/test2.exampledomain.com.zone': already in use: /etc/named/slave.zones:10
Dec 03 16:45:51 server-1a bash[97204]: /etc/named/slave.zones:16: writeable file 'data/test3.exampledomain.com.zone': already in use: /etc/named/slave.zones:16
I'm hoping that someone has the talent and willingness to help me update my config appropriately, since I'm lost.
Here's the (anonymised) portion of my named.conf file that needs to be updated I believe. Thoughts?
view "localhost_resolver" {
    match-clients { localhost; };
    allow-query { localhost; };
    allow-recursion { localhost; };
    recursion yes;
    include "/etc/named/root.hints";
    include "/etc/named.rfc1912.zones";
    include "/etc/named/slave.zones";
    include "/etc/named/forwarder.zones";
};
view "abc_clients" {
    response-policy { zone "abc"; };
    match-clients { 1.2.3.4/24; };
    allow-query { 1.2.3.4/24; };
    allow-recursion { 1.2.3.4/24; };
    recursion yes;
    include "/etc/named/abc.conf.local";
    include "/etc/named/root.hints";
    include "/etc/named/slave.zones";
};
view "trusted_resolver" {
    match-clients { 1.9.0.0/21; 1.8.0.0/21; 1.7.0.0/24; 1.6.0.0/21; };
    allow-query { trusted; };
    allow-transfer { "none"; };
    allow-recursion { trusted; };
    recursion yes;
    include "/etc/named/root.hints";
    include "/etc/named/slave.zones";
    include "/etc/named/forwarder.zones";
};
view "default" {
    match-clients { any; };
    allow-transfer { "none"; };
    recursion no;
};
Solution 1:
You have slave zones using the same backing zone files in multiple views; this is not allowed, as the matching slave zone definitions would separately transfer the zone and write the contents to that same file (which would not be safe).
What you could do instead is to use the in-view zone option to expose an existing zone from one view in another view.
It can look something like this (example taken from the documentation):
view internal {
    match-clients { 10/8; };
    zone example.com {
        type master;
        file "example-external.db";
    };
};
view external {
    match-clients { any; };
    zone example.com {
        in-view internal;
    };
};
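Applied to the configuration in the question, the fix is to keep the three slave zone definitions in exactly one view and replace the other views' copy of slave.zones with an include of in-view references. The following is an added example, not the asker's real files or anything from the answer above: the zone names and file paths are taken from the error lines in the question, the primary's address 192.0.2.10 is a placeholder, and the file name slave.in-view.zones is an assumed name for the new include file.

```conf
// Added example of the split. Not the asker's actual files.
// Zone names and file paths come from the error lines in the question;
// 192.0.2.10 is a placeholder for the real primary (master) server.

// ---- /etc/named/slave.zones : the ONE writable definition of each zone ----
zone "test.exampledomain.com" {
    type slave;
    file "data/test.exampledomain.com.zone";
    masters { 192.0.2.10; };    // placeholder address of the primary
};
zone "test2.exampledomain.com" {
    type slave;
    file "data/test2.exampledomain.com.zone";
    masters { 192.0.2.10; };
};
zone "test3.exampledomain.com" {
    type slave;
    file "data/test3.exampledomain.com.zone";
    masters { 192.0.2.10; };
};

// ---- /etc/named/slave.in-view.zones : references for every other view ----
// No type, file or masters here: each zone is transferred and written once,
// in "localhost_resolver", and the referencing views answer from that copy.
zone "test.exampledomain.com"  { in-view "localhost_resolver"; };
zone "test2.exampledomain.com" { in-view "localhost_resolver"; };
zone "test3.exampledomain.com" { in-view "localhost_resolver"; };

// ---- named.conf : only the slave.zones include lines change ----
// The view that owns the zones must be defined before the views that
// reference it, so "localhost_resolver" stays first.
view "localhost_resolver" {
    match-clients { localhost; };
    allow-query { localhost; };
    allow-recursion { localhost; };
    recursion yes;
    include "/etc/named/root.hints";
    include "/etc/named.rfc1912.zones";
    include "/etc/named/slave.zones";            // owns the writable copies
    include "/etc/named/forwarder.zones";
};
view "abc_clients" {
    response-policy { zone "abc"; };
    match-clients { 1.2.3.4/24; };
    allow-query { 1.2.3.4/24; };
    allow-recursion { 1.2.3.4/24; };
    recursion yes;
    include "/etc/named/abc.conf.local";
    include "/etc/named/root.hints";
    include "/etc/named/slave.in-view.zones";    // was slave.zones
};
view "trusted_resolver" {
    match-clients { 1.9.0.0/21; 1.8.0.0/21; 1.7.0.0/24; 1.6.0.0/21; };
    allow-query { trusted; };
    allow-transfer { "none"; };
    allow-recursion { trusted; };
    recursion yes;
    include "/etc/named/root.hints";
    include "/etc/named/slave.in-view.zones";    // was slave.zones
    include "/etc/named/forwarder.zones";
};
view "default" {
    match-clients { any; };
    allow-transfer { "none"; };
    recursion no;                                // still no slave zones here
};
```

Two things to check after making the change. First, run named-checkconf against /etc/named.conf before restarting named, so a typo in the new include is caught by the checker rather than by a failed service start. Second, an in-view zone takes its zone-level settings (type, file, masters and any options written inside the zone statement) from the defining view; what each referencing view still controls is which clients reach it, through its own match-clients, allow-query and similar view-level options, so the access boundaries between the views are preserved while the zone data is written to disk only once.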