View deployment order and access control lists - BlueCat Integrity - 9.3.0

Address Manager Administration Guide


When working with multiple views, the order of the views is very important. You can view the deployment order of views.

Consider an example with two views:
  • The first view contains data intended for internal clients and is assigned a match clients list of 10.0.0.0/8. Only clients from the 10.0.0.0/8 network receive data from this zone.
  • The second view is intended for external clients and isn't assigned a match clients list. When deployed to the server, the view is automatically assigned an access control list (ACL) of any, and all clients may receive data from this view.

The order of the views on the DNS server determines which clients match which view. If the view with any is ordered first in the list, all clients match against it, and no clients ever match against the second view.

When you deploy such a configuration from Address Manager, the view assigned an ACL of any is always placed last in the configuration. In this way, all clients attempt to match the restricted view first. Clients with IP addresses in the 10.0.0.0/8 network match against the first view, leaving all other clients to match against the second view.

Address Manager deploys multiple views in reverse alphabetical order. Views are also grouped together based on the Match Clients DNS deployment option:
  • views with the Match Clients option appear first, arranged in reverse alphabetical order
  • views without the Match Clients option appear second, arranged in reverse alphabetical order.

Tip: When sorting in reverse alphabetical order, Address Manager uses Unicode/ASCII values of letters and characters. This means words that begin with upper case letters will appear after words that begin with lower case letters.

For example, an upper case "A" has a Unicode value of 65; a lower case "a" a value of 97, and an upper case "Z" a value of 90. In reverse alphabetical order, "Zack" would come before "Abigail", but after "abigail".

To avoid confusion, we recommend you restrict view names to all lower-case letters.

For example, consider the following views:
  • accounting
  • development
  • external
  • sales

If none of the views have a Match Clients DNS Deployment Option, the views appear in this order:

view "sales"
{ ... };
view "external"
{ ... };
view "development"
{ ... };
view "accounting"
{ ... };

Note: You wouldn't normally create multiple views without setting a Match Clients option for each view. In this example, all of the views will have an ACL of any and all clients will match against the first view in the list.

Now, consider what happens when you apply a Match Clients option to three of the views:

DNS View       Match Clients DNS Deployment Option
accounting     Match Clients option matches to an IP address range
development    Match Clients option matches to an IP address range
external       No Match Clients option
sales          Match Clients option matches to an IP address range

On deployment, Address Manager groups the views by Match Clients option. Views with Match Clients options appear first, followed by views without Match Clients options. In both groups, the views appear in reverse alphabetical order:

view "sales"
{ ... };
view "development"
{ ... };
view "accounting"
{ ... };
view "external"
{ ... };
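
The ordering rules above can be modelled before deployment to check which view a given client will reach and whether any view is shadowed by an earlier view with an ACL of any. The following is an added example, not BlueCat code: the function names and the address ranges assigned to each view are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the four views from the example above. The address
# ranges are assumptions; an empty list means "no Match Clients option",
# which is deployed with an ACL of any.
VIEWS = {
    "accounting": ["10.1.0.0/16"],
    "development": ["10.2.0.0/16"],
    "external": [],
    "sales": ["10.3.0.0/16"],
}

def deployment_order(views):
    """Match Clients views first, then the rest; each group in reverse code point order."""
    restricted = sorted((n for n, acl in views.items() if acl), reverse=True)
    open_views = sorted((n for n, acl in views.items() if not acl), reverse=True)
    return restricted + open_views

def matching_view(client_ip, views):
    """Return the first view, in deployment order, whose ACL admits the client."""
    ip = ipaddress.ip_address(client_ip)
    for name in deployment_order(views):
        acl = views[name]
        if not acl or any(ip in ipaddress.ip_network(cidr) for cidr in acl):
            return name
    return None

def unreachable_views(views):
    """Views ordered after the first ACL-any view can never be matched."""
    order = deployment_order(views)
    for i, name in enumerate(order):
        if not views[name]:
            return order[i + 1:]
    return []

if __name__ == "__main__":
    print(deployment_order(VIEWS))
    print(matching_view("10.1.5.9", VIEWS), matching_view("203.0.113.7", VIEWS))
    # Mixed-case names with no Match Clients option: only the first is reachable.
    print(unreachable_views({"Zack": [], "Abigail": [], "abigail": []}))
```

A non-empty result from `unreachable_views` means more than one view lacks a Match Clients option, which is the situation the note above describes.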

For information on how Address Manager deploys classless IPv4 space for reverse zones, refer to How Address Manager deploys classless IPv4 space.