Using the TSIG zone transfer support that BIND provides, different views can be told apart by TSIG key. The main settings are as follows:
① Generate the TSIG key file with dnssec-keygen:
$ cat /var/named/chroot/etc/tsig.key
key "default" {
algorithm hmac-md5;
secret "UkkkkkkkkkkkkkkkCouhDSh4ZKwxs=";
};
key "cnc" {
algorithm hmac-md5;
secret "akkkkkyehNlDS2Z+voRpFx3D3h6FTs=";
};
and include this file in named.conf on both the master and the slave name server.
② Put the following in named.conf on the master name server:
include "/etc/rndc.key";
include "/etc/tsig.key";
include "/etc/cnc.view";
view "default"
{
match-clients { key default; ! CNCGROUP; any;};
allow-transfer { key default; };
notify explicit;
also-notify { your_slave_ip; };
server your_slave_ip { keys default; };
recursion no;
zone "abc.com" IN {
type master;
file "abc.com";
};
};
view "cnc" {
match-clients { key cnc; CNCGROUP;};
allow-transfer { key cnc; };
notify explicit;
also-notify { your_slave_ip ; };
server your_slave_ip { keys cnc; };
recursion no;
zone "abc.com" IN {
type master;
file "abc.com.cnc";
};
};
③ Put the following in named.conf on the slave name server:
include "/etc/rndc.key";
include "/etc/tsig.key";
include "/etc/cnc.view";
view "default"
{
match-clients { key default; ! CNCGROUP; any;};
allow-transfer {none; };
server your_master_ip { keys default; };
recursion no;
zone "abc.com" IN {
type slave;
masters {your_master_ip;};
file "slaves/abc.com";
};
};
view "cnc"
{
match-clients { key cnc; CNCGROUP;};
allow-transfer {none; };
server your_master_ip { keys cnc; };
recursion no;
zone "abc.com" IN {
type slave;
masters {your_master_ip;};
file "slaves/abc.com.cnc";
};
};
In this way the views are distinguished by different TSIG keys. With this method, multiple views can be set up even when the master and slave name servers each have only one IP address. In China these would be China Telecom, China Netcom, China Mobile, China Unicom, CERNET (the education network), and so on.
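The whole scheme depends on each view being selected, transfer-permitted and signed towards its peer with one and the same key, so a small consistency check on named.conf is worth having. The following Python script is an added example, not part of this article or of BIND: it parses the view blocks of a named.conf fragment (a constructed copy of the master configuration above, with the placeholder address 192.0.2.2 standing in for the slave) and reports views whose match-clients, allow-transfer and server keys disagree, or a key that selects two views.

```python
import re
# Constructed sample (not the article's file): the master's two views from the
# setup above, with the RFC 5737 placeholder 192.0.2.2 as the slave address.
MASTER_CONF = """
view "default" {
    match-clients { key default; !CNCGROUP; any; };
    allow-transfer { key default; };
    server 192.0.2.2 { keys default; };
    zone "abc.com" IN { type master; file "abc.com"; };
};
view "cnc" {
    match-clients { key cnc; CNCGROUP; };
    allow-transfer { key cnc; };
    server 192.0.2.2 { keys cnc; };
    zone "abc.com" IN { type master; file "abc.com.cnc"; };
};
"""

def view_blocks(conf):
    """Yield (view name, body); braces are counted so nested zone blocks stay inside."""
    for m in re.finditer(r'view\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def statement_keys(body, stmt):
    """TSIG key names given as 'key X' or 'keys X' inside the statement's braces."""
    m = re.search(stmt + r'\s*\{([^}]*)\}', body)
    return set(re.findall(r'\bkeys?\s+([\w.-]+)', m.group(1))) if m else set()

def check_views(conf):
    """Findings for views not selected, transfer-permitted and signed with one key."""
    findings, owner = [], {}
    for name, body in view_blocks(conf):
        selects = statement_keys(body, 'match-clients')
        xfer = statement_keys(body, 'allow-transfer')
        signs = statement_keys(body, r'server\s+\S+')
        if not selects:
            findings.append(f'view {name}: match-clients names no key, so it is chosen by address only')
        if xfer - selects:
            findings.append(f'view {name}: allow-transfer permits {sorted(xfer - selects)}, which do not select this view')
        if signs and signs != selects:
            findings.append(f'view {name}: server keys {sorted(signs)} differ from the view key {sorted(selects)}')
        for k in selects:  # a key can route to only one view: the first match wins
            if k in owner:
                findings.append(f'key {k} selects both view {owner[k]} and view {name}')
            owner[k] = name
    return findings
```

The checker compares key names only and says nothing about the algorithm; current BIND releases generate TSIG keys with tsig-keygen, which defaults to hmac-sha256 rather than the hmac-md5 shown above.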