
I have a bind cluster with private/public records stored in (2) views and configured with TSIG. Standard slave operation works but I'd like to use dig to transfer the zones for troubleshooting/testing.

Typically I'd use dig example.com @ns1.example.com -y tsig-key:SECRETCODE; however, this is denied as the key is only assigned to the public view.

Reproduce: Attempt a dig axfr from a client in the internal view.

Transfer Fails:

dig AXFR example.com -y external:xxxxxxxx

Transfer Succeeds:

dig AXFR example.com -y internal:xxxxxxxx
Jacob Evans

1 Answer

Simply set up an additional key for the internal view and configure bind to allow the key to act as a selector for a specific view:

/* Keys are defined globally; BIND verifies the TSIG signature with them
   before choosing a view, then the signer's key name is matched by the
   "key NAME" elements in match-clients. */
key "external" {
  algorithm hmac-md5;
  secret "xxxxxxxx";
};
key "internal" {
  algorithm hmac-md5;
  secret "yyyyyyyy";
};
view "internal" {
  /* Selected for requests signed with the internal key, or unsigned
     requests from the internal subnet (elements are tried in order). */
  match-clients { key internal; 10.0.1/24; };
  server 10.0.1.1 {
    /* Deliver notify messages to external view. */
    keys { external; };
  };
  zone "example.com" {
    type master;
    file "internal/example.db";
    ...
  };
};
view "external" {
  /* Selected for requests signed with the external key, or anything
     that did not already match the internal view. */
  match-clients { key external; any; };
  zone "example.com" {
    type master;
    file "external/example.db";
    ...
  };
};
HBruijn
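To see why the key-per-view setup in the answer works, and why the question's original dig with the external key from an internal client lands in the wrong view, it helps to walk through BIND's view selection by hand. The following is an added example, not code from the question, the answer or BIND itself: it models match-clients evaluation as BIND documents it (elements tried in order, the first matching element decides, a leading "!" negates, "key NAME" matches the verified TSIG signer, a prefix matches the source address) and runs the answer's two views through it. The client addresses are constructed, and the model assumes the TSIG signature has already been verified so only the signer's key name remains. It also goes one step beyond the answer with a STRICT_VIEWS variant that puts "!key external" first, which is the usual way to let the key override the address.

```python
"""Model of BIND match-clients evaluation for the views in the answer."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def expand_prefix(tok: str) -> str:
    """BIND accepts shortened IPv4 prefixes such as 10.0.1/24; pad to four octets."""
    addr, _, plen = tok.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return f"{addr}/{plen}" if plen else addr


@dataclass
class Element:
    negate: bool
    kind: str          # "key", "net" or "any"
    value: str = ""    # key name or network prefix

    def matches(self, src_ip: str, signer: Optional[str]) -> bool:
        if self.kind == "any":
            return True
        if self.kind == "key":
            return signer == self.value
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.value, strict=False)


def parse_acl(text: str) -> List[Element]:
    """Parse the body of a match-clients clause, e.g. "!key external; key internal; 10.0.1/24;"."""
    elements = []
    for raw in text.split(";"):
        tok = raw.strip()
        if not tok:
            continue
        negate = tok.startswith("!")
        tok = tok.lstrip("!").strip()
        if tok == "any":
            elements.append(Element(negate, "any"))
        elif tok.startswith("key "):
            elements.append(Element(negate, "key", tok.split(None, 1)[1].strip()))
        else:
            elements.append(Element(negate, "net", expand_prefix(tok)))
    return elements


def acl_allows(acl: List[Element], src_ip: str, signer: Optional[str]) -> bool:
    """First-match semantics: the first element that matches decides; a negated
    element that matches denies; nothing matching denies."""
    for el in acl:
        if el.matches(src_ip, signer):
            return not el.negate
    return False


def select_view(views, src_ip: str, signer: Optional[str] = None) -> Optional[str]:
    """Views are tried in configuration order; the first one whose
    match-clients allows the request answers it."""
    for name, acl in views:
        if acl_allows(acl, src_ip, signer):
            return name
    return None


# The two views exactly as in the answer's named.conf.
VIEWS = [
    ("internal", parse_acl("key internal; 10.0.1/24;")),
    ("external", parse_acl("key external; any;")),
]

# Variant (assumption, not from the answer): reject the external key up front
# so a signed request from the internal subnet still reaches the external view.
STRICT_VIEWS = [
    ("internal", parse_acl("!key external; key internal; 10.0.1/24;")),
    ("external", parse_acl("key external; any;")),
]


def demo():
    """Constructed clients: 10.0.1.50 is inside the internal subnet, 203.0.113.9 is outside."""
    cases = [
        ("10.0.1.50", "internal"),
        ("10.0.1.50", "external"),    # the question's failing dig: the address matches first
        ("203.0.113.9", "external"),
        ("203.0.113.9", None),
        ("203.0.113.9", "internal"),  # the internal key alone is enough to reach the internal view
    ]
    return {(ip, key): (select_view(VIEWS, ip, key), select_view(STRICT_VIEWS, ip, key))
            for ip, key in cases}


if __name__ == "__main__":
    for (ip, key), (plain, strict) in demo().items():
        print(f"{ip:>12} key={key!s:>8}: answer's config -> {plain:<8} strict -> {strict}")
```

Two things the walk-through makes visible. With the answer's configuration, a request from 10.0.1.50 signed with the external key still selects the internal view because "10.0.1/24" matches before the external view is ever considered; the "!key external" element in the strict variant is what makes the key win over the address. And since "key internal" sits in front of the subnet, the internal key by itself selects the internal view from any source address, so that secret protects the internal data just as much as the network boundary does.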