Update regarding DNS and Views mystery - solved

So a while ago I had a DNS issue that stumped me: a master nameserver transferred an updated zone to a slave successfully, yet queries to the slave did not reflect the change!

Finally I worked it out. We were implementing views, and we didn't need to be. Views are for serving different zone data for the same zone name depending on which client is asking, and which acl it matches; that was not our use case.

We were using the one zone file, included in both views, but one view also included extra zone statements for private zones that were only meant to be queryable from the local networks.

Now: a 'nameservers' view existed, and the master and slave were members of the matching nameservers acl. The nameservers view was declared before the other views (such as the private view, and ultimately an external view, as I migrated our public nameservers to these machines from elsewhere yesterday). The order matters: bind evaluates each view's match-clients in declaration order and a client lands in the first view that matches it.

Now, this is the interesting part, and why it became obvious that views were the wrong tool for the job in this case: when the master sent its NOTIFY for the updated private zone, the master's source address matched the nameservers acl, so the transfer occurred 'in' the 'nameservers' view. Because both views read the same zone file, I missed the problem here. The zone file itself was definitely updated on disk on the slave, so what would be the problem with another view reading it?

It turns out that each view loads its own in-memory copy of every zone it declares, and a zone transfer updates only the copy belonging to the view it occurred in. Because the transfer happened in the 'nameservers' view, bind only knew about the update 'inside' that view, meaning only machines matching the nameservers acl that queried the slave would land in that view and get the right result.

The fact that other local machines on the network were not seeing the updates when querying that slave was because they didn't match the nameservers view (not matching the nameservers acl), and were falling into the 'private' view, which, though it uses the same zone file, did not know about the recent transfer, because this all happens in RAM (I'm guessing). A changed file on disk does not by itself cause that view's copy to be reloaded.

Got rid of views, and set those few specific private zone statements to allow-query only from machines matching the private acl. No allow-query on the public facing zones, because the default for allow-query is 'any', so omitting it means anyone can query. Now it all works perfectly: without views there is only one copy of each zone, so a transferred update is immediately visible to everyone who has the right to query the zone in the first place.
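The two configurations side by side, as an added example that is not the named.conf from the original post. Zone names, file paths and addresses are made up for illustration: example.com is the public zone, corp.example.com the private zone, 192.0.2.1 the master, 192.0.2.2 this slave and 10.0.0.0/8 the local networks. The acl definitions at the top are shared by both variants; the rest is two alternative named.conf bodies shown back to back, not one file.

```conf
// Added example, not the original post's configuration. All names and
// addresses are assumptions chosen for illustration.
acl nameservers { 192.0.2.1; 192.0.2.2; };
acl private     { 10.0.0.0/8; 127.0.0.1; };

// ---- Variant 1: the views layout that produced the stale answers ----

view "nameservers" {
    // match-clients is evaluated in declaration order. The master's NOTIFY
    // arrives from 192.0.2.1, matches this acl, and so the transfer updates
    // only THIS view's in-memory copy of corp.example.com.
    match-clients { nameservers; };
    zone "corp.example.com" {
        type slave;
        masters { 192.0.2.1; };
        file "slaves/corp.example.com";   // same file as the private view below
    };
};

view "private" {
    // Local clients land here. This view holds a separate in-memory copy of
    // the zone; the file on disk changing does not reload it, so these
    // clients keep seeing the old serial until this view's own refresh.
    match-clients { private; };
    zone "corp.example.com" {
        type slave;
        masters { 192.0.2.1; };
        file "slaves/corp.example.com";
    };
};

// ---- Variant 2: no views, access control per zone ----

zone "corp.example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/corp.example.com";
    allow-query    { private; };       // only local networks may query it
    allow-transfer { nameservers; };   // allow-query does not restrict AXFR/IXFR;
                                       // older BIND releases default this to any
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com";
    // No allow-query: the default is { any; }, so the public zone stays public.
    allow-transfer { nameservers; };
};
```

With variant 2 there is one copy of each zone, so a NOTIFY-triggered transfer is visible to every permitted client at once. To confirm, run `dig @192.0.2.2 corp.example.com SOA +norecurse` from a host in the nameservers acl and from a host in the private acl and compare the serials; under variant 1 they differ until the private view refreshes, under variant 2 they match. If views really are required (genuinely different answers per client), BIND 9.10 and later can reference one view's zone from another with `in-view` (for example `zone "corp.example.com" { in-view "nameservers"; };` inside the private view), so that both views serve the single transferred copy rather than each loading the same file separately.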

Phew! At least I learnt something about bind and views that I didn't know before :)
