
DNS

Domain Name Service trickery

Split Horizon and TSIGs

Split Horizon domains on single interface machines

The Problem

There is a corner case when using split horizon domains on machines with a single interface. BIND picks the view for a request from its source address (the view's match-clients list). So when the master issues a notify for a zone update and the slave asks for a zone transfer, the address of the slave's single interface decides which view it is served, whatever view's copy of the zone it was trying to refresh; in practice it gets the internal view every time. Oh dear. The same thing happens in the other direction: every notify the master sends, one per view, arrives at the slave from the same master address, so the slave routes them all into one view. What's worse is that the slave believes it is up to date, and the failure can only be seen by someone querying the stale zone via the other view. Oh dear oh dear.

The Solution

TSIGs (of course!).

You will need one TSIG key per view -- and if you want to be even more precise, a key per slave server per view. (A TSIG key is a shared HMAC secret, not a key pair: the same secret is configured on master and slave.) The per-slave case comes into play where you have regional slaves and each region should get a different view; it also means a leaked key exposes one slave's access to one view rather than everything.

Then limit access to the views by TSIG. The important part is that the key has to appear in each view's match-clients, because that is what selects the view; allow-transfer and allow-notify on their own only decide whether a request is honoured once it has already landed in a view. List the other views' keys negated (!key) ahead of the address rules, so a request signed for view Y can never fall through into view X. Some careful naming helps here: name each key after the slave, its purpose and the view, as below. Two caveats: the key is now the only thing that selects a view, so keep the secrets out of world-readable configuration (an include file with restricted permissions), and keep the clocks synchronised, because TSIG rejects signatures outside its time fudge (300 seconds by default). To check the result, transfer the zone from the master with a TSIG-signed dig (the -y option) using each key in turn and confirm that each returns its own view's data.

master

options {
 allow-transfer { none; };    // default deny; each view opens it up by key
};

key master-update-X { ... };  // signs the notifies for view X
key slaveN-axfr-X { ... };    // slave N's transfer key for view X

view X {
 // the key, not the slave's source address, selects the view; the other
 // views' keys are excluded so a request signed for view Y cannot fall
 // through into view X, then the usual address rules follow
 match-clients { key slaveN-axfr-X; !key slaveN-axfr-Y; ... };
 also-notify { slaveN-IP key master-update-X; };
 // require the slave's address AND its view X key (nested-list idiom:
 // anything not from slaveN-IP is denied before the key is considered)
 allow-transfer { !{ !slaveN-IP; any; }; key slaveN-axfr-X; };
};

slave

options {
 allow-transfer { none; };
};

key master-update-X { ... };
key slaveN-axfr-X { ... };

view X {
 // every notify from the master arrives from master-IP, so the notify key
 // (not the address) routes the view X notify into this view
 match-clients { key master-update-X; !key master-update-Y; ... };
 allow-notify { key master-update-X; };
 // sign everything this view sends to the master (SOA refresh, AXFR/IXFR)
 // with the view X transfer key so the master selects its view X
 server master-IP {
  keys { slaveN-axfr-X; };
 };
};
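To see why the key has to be in match-clients and not only in allow-transfer, here is an added example that is not part of this page and not BIND's code: a small evaluator for BIND-style address match lists implementing the documented first-match rule, run over a constructed scenario (master and slave on 192.0.2.0/24, a single-interface slave at 192.0.2.2, assumed key names slave1-axfr-internal and slave1-axfr-external). It shows the address-only configuration sending the slave's external-view transfer into the internal view, the keyed configuration routing it correctly, and the nested-list AND idiom used in allow-transfer above.

```python
import ipaddress
import re

# Added example, not BIND's code: a model of BIND address-match-list
# evaluation (first match decides) covering only what this page needs:
# addresses/prefixes, "key <name>", "any", nested lists and "!" negation.
# Key names are compared as exact strings here; BIND compares DNS names.


def parse_acl(text):
    """Parse '{ !key k; !{ !192.0.2.2; any; }; 10.0.0.0/8; }' into a list
    of (negated, element) pairs; nested lists become ('list', [...])."""
    tokens = re.findall(r"[{};!]|[^\s{};!]+", text)
    pos = 0

    def parse_list():
        nonlocal pos
        if tokens[pos] != "{":
            raise ValueError("expected '{' at token %d" % pos)
        pos += 1
        items = []
        while tokens[pos] != "}":
            negated = tokens[pos] == "!"
            if negated:
                pos += 1
            tok = tokens[pos]
            if tok == "{":
                elem = ("list", parse_list())
            elif tok == "key":
                elem = ("key", tokens[pos + 1])
                pos += 2
            elif tok == "any":
                elem = ("any",)
                pos += 1
            else:
                elem = ("ip", tok)
                pos += 1
            if tokens[pos] != ";":
                raise ValueError("expected ';' at token %d" % pos)
            pos += 1
            items.append((negated, elem))
        pos += 1  # closing '}'
        return items

    return parse_list()


def element_matches(elem, src_ip, key_name):
    kind = elem[0]
    if kind == "any":
        return True
    if kind == "ip":
        net = ipaddress.ip_network(elem[1], strict=False)
        return ipaddress.ip_address(src_ip) in net
    if kind == "key":
        return key_name is not None and key_name == elem[1]
    if kind == "list":
        return acl_matches(elem[1], src_ip, key_name)
    raise ValueError(kind)


def acl_matches(acl, src_ip, key_name=None):
    """First-match semantics: the first element that matches decides, and a
    negated element that matches makes the whole list NOT match."""
    for negated, elem in acl:
        if element_matches(elem, src_ip, key_name):
            return not negated
    return False


def select_view(views, src_ip, key_name=None):
    """views: ordered (name, match-clients) pairs; named uses the first view
    whose match-clients accepts the request. None if no view matches."""
    for name, acl in views:
        if acl_matches(acl, src_ip, key_name):
            return name
    return None


# Constructed scenario (assumed addresses and key names, not from the page).
SLAVE_IP = "192.0.2.2"  # single-interface slave on the "internal" LAN

# Address-only match-clients: the failure mode described on the page.
VIEWS_ADDRESS_ONLY = [
    ("internal", parse_acl("{ 192.0.2.0/24; 10.0.0.0/8; }")),
    ("external", parse_acl("{ any; }")),
]

# Keyed match-clients: the TSIG key decides, and each view rejects the other
# view's key explicitly so a signed request can never fall through.
VIEWS_KEYED = [
    ("internal", parse_acl(
        "{ key slave1-axfr-internal; !key slave1-axfr-external;"
        "  192.0.2.0/24; 10.0.0.0/8; }")),
    ("external", parse_acl(
        "{ key slave1-axfr-external; !key slave1-axfr-internal; any; }")),
]

# allow-transfer requiring the slave's address AND its key (nested-list idiom).
XFER_EXTERNAL = parse_acl(
    "{ !{ !192.0.2.2; any; }; key slave1-axfr-external; }")
```

Run select_view(VIEWS_ADDRESS_ONLY, SLAVE_IP, "slave1-axfr-external") and it returns "internal" even though the request was signed with the external key, which is exactly the stale-external-view problem; with VIEWS_KEYED the same request lands in "external", an unsigned request from the LAN still goes to "internal", and an outside address gets "external" unless it presents a key. The keyed design also makes the trust model explicit: any address presenting slave1-axfr-internal is served the internal view, so the secret is what you are protecting.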
