
Re: Auto-secondarying DNS daemon



On Tue, Oct 03, 2006 at 11:21:44PM +1000, Paul TBBle Hampson wrote:
> Is there such a piece of software around as an auto-secondarying DNS
> daemon?

the only one that i know of is powerdns (packaged as pdns in debian). i
experimented with it a few years ago but ended up going back to bind -
i found it unreliable and buggy (although that may have changed in the
intervening years) and it didn't actually solve the main problem i had
with bind (in particular massive memory usage with huge zone files - a
few RBLs i was secondarying at the time...in fact, it used MORE memory
than bind, even with the zone data in a SQL database backend)

i also found the sql db backend to be mismatched with DNS data -
sure, it can store *most* of the record types, all the common ones
anyway....but it was nowhere near as flexible as the plain text files of
bind.


> Basically, I envisage something that I can give a list of trusted
> IP addresses to, that'll receive NOTIFY messages from servers in
> that list, and AXFR and start serving the NOTIFYd zone, after that
> operating on a SOA serial number basis as per RFC 1996.

as someone else has mentioned, this isn't that hard to automate with
scripts anyway.

my solution to this problem was tied into my system for auto-generating
zone files. because most zone files at an ISP are pretty much identical
except for the actual domain name (most have just entries for www, mx
server, NS secondaries and little else), i created a text file which
listed just the domain name, and a script which generated the zone file
from a template. change the script and/or the domains list file and ALL
the zone files would be regenerated if appropriate (in practice this
meant checking an md5sum file to determine whether the generated zone
file had been hand-edited since it was generated....if so, then don't
regenerate it. this allows auto-generation and update without throwing
away custom changes).

ok, that's how the primary part of the system worked. for secondaries,
there were two methods, depending on whether i had root on the secondary
or not.

for those secondaries where i had root, i used scp, rsync, and ssh
to maintain the secondaries configuration....i.e. generate the bind
secondary config with a script.

for those where i didn't have root, i used a password-protected CGI
script to maintain the list of secondary domains, and sudo or a root
cron job (installed by the admin of that server) to update the bind
config. the CGI script was deliberately simple so that it could be
scripted easily with LWP (libwww-perl)....it didn't have to be pretty,
it was more important that a script could interact easily with it.

this latter part also allowed authorised colleagues from other ISPs to
maintain their list of secondary domains on my servers - it was and
probably is common practice for medium sized ISPs to have such a swap
deal for DNS secondaries.

(so, in reality, there was more than one file containing the list of
secondary domains - one for each secondary arrangement i had, and the
scripts were configured to know which secondary server IP addresses to
use for each secondary list. bind config's "include" keyword was very
useful here).


in short, it's not a terribly difficult thing to do. maybe half a day or
so of sh and perl scripting.



a slightly better match for your requirement ("a list of trusted IP
addresses to, that'll receive NOTIFY messages") is to write a script
that monitors your /var/log/daemon.log file (perl's File::Tail module
is perfect for this) for NOTIFY messages, taking appropriate action
by updating the bind config when it sees NOTIFY messages about new
zones from authorised IP addresses. this will work for adding new zones
automatically, but won't be able to handle removal of zones....that will
have to be done manually.



craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
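The primary-side scheme described above (a domains list, a template, and an md5sum record that stops regeneration from clobbering zone files someone edited by hand), worked through as an added Python example. This is not Craig's sh/perl code: the template, the %DOMAIN% / %SERIAL% placeholder syntax, the file names (db.<domain>, generated.md5) and all addresses are assumptions made for the example.

```python
"""Primary side: generate per-domain zone files from a template, guarded by an
md5 record so that hand-edited zones are never overwritten.
Added example; not the original poster's scripts."""
import hashlib
import os
import tempfile

# Constructed template for the "typical ISP zone": www, MX, two NS records.
# %DOMAIN% and %SERIAL% are placeholders this script substitutes (assumed
# syntax; the page does not show the real template).
ZONE_TEMPLATE = """\
$TTL 3600
@       IN SOA ns1.example.net. hostmaster.example.net. (
            %SERIAL%    ; serial, YYYYMMDDnn
            3600 900 1209600 300 )
@       IN NS   ns1.example.net.
@       IN NS   ns2.example.net.
@       IN MX   10 mail.%DOMAIN%.
www     IN A    192.0.2.10
"""

# Constructed domains list: one domain per line.
DOMAINS_LIST = "example.com\nexample.org\n# comments and blank lines are ignored\n"


def read_domain_list(text):
    """One domain per line; '#' comments and blank lines are ignored."""
    domains = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.append(line)
    return domains


def render_zone(domain, serial, template=ZONE_TEMPLATE):
    return template.replace("%DOMAIN%", domain).replace("%SERIAL%", str(serial))


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def load_sums(path):
    """Read 'digest  filename' records (md5sum(1) layout); no file, no records."""
    sums = {}
    if os.path.exists(path):
        with open(path) as f:
            for line in f:
                parts = line.split()
                if len(parts) == 2:
                    sums[parts[1]] = parts[0]
    return sums


def save_sums(path, sums):
    with open(path, "w") as f:
        for name, digest in sorted(sums.items()):
            f.write(f"{digest}  {name}\n")


def regenerate_zones(zone_dir, domains, serial):
    """Regenerate every zone whose on-disk copy still matches its recorded md5.

    A file that exists but does not match its record (or has no record at all)
    was edited by hand after generation and is left alone.
    Returns {domain: 'generated' | 'skipped'}.
    """
    sums_path = os.path.join(zone_dir, "generated.md5")
    sums = load_sums(sums_path)
    result = {}
    for domain in domains:
        name = f"db.{domain}"
        path = os.path.join(zone_dir, name)
        if os.path.exists(path):
            with open(path, "rb") as f:
                on_disk = md5_hex(f.read())
            if on_disk != sums.get(name):
                result[domain] = "skipped"
                continue
        content = render_zone(domain, serial)
        with open(path, "w") as f:
            f.write(content)
        sums[name] = md5_hex(content.encode())
        result[domain] = "generated"
    save_sums(sums_path, sums)
    return result


def demo():
    """Two runs: the second skips the zone that was hand-edited in between."""
    with tempfile.TemporaryDirectory() as zone_dir:
        domains = read_domain_list(DOMAINS_LIST)
        first = regenerate_zones(zone_dir, domains, 2006100301)
        with open(os.path.join(zone_dir, "db.example.org"), "a") as f:
            f.write("ftp     IN A    192.0.2.11\n")   # a local hand edit
        second = regenerate_zones(zone_dir, domains, 2006100302)
        return first, second


if __name__ == "__main__":
    print(demo())
```

The md5 record is a change detector for local edits, matching what md5sum(1) would produce; it says nothing about tampering by someone who can also rewrite the record file. A zone file with no record is treated as hand-made, which is the conservative choice when the list and the directory drift apart.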
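The secondary-side idea in the last paragraph (watch the daemon log for NOTIFY messages from authorised addresses and add slave zones for ones not yet configured), together with the per-arrangement include files mentioned earlier, as an added Python example rather than the poster's perl. The sample log lines are constructed and modelled on BIND 9's "received notify for zone" message, but the exact syslog prefix, the ARRANGEMENTS table, the include file names and every address are assumptions. Because the zone name comes from whatever the remote side put in the packet, the example refuses anything that is not hostname-shaped before quoting it into named.conf; and since NOTIFY is usually plain UDP, a source-address allow list is only as strong as address spoofing allows, so TSIG-signed NOTIFY is the stronger check where the peer supports it. Removal of zones is still manual, as the message says.

```python
"""Secondary side: turn NOTIFYs from trusted masters into slave zone statements
for zones that are not configured yet.  Added example; not the poster's script."""
import re
import time

# Constructed log lines modelled on BIND 9's "received notify for zone" message;
# the syslog prefix and the "client IP#port:" form are assumed.
SAMPLE_LOG = """\
Oct  3 23:30:01 ns2 named[1234]: client 192.0.2.1#53201: received notify for zone 'example.com'
Oct  3 23:30:02 ns2 named[1234]: client 198.51.100.7#40110: received notify for zone 'evil.example'
Oct  3 23:30:05 ns2 named[1234]: client 192.0.2.1#53202: received notify for zone 'example.org'
Oct  3 23:30:06 ns2 named[1234]: client 203.0.113.5#1025: received notify for zone 'partner.example'
Oct  3 23:30:07 ns2 named[1234]: client 192.0.2.1#53203: received notify for zone 'x"; }; options { recursion yes'
Oct  3 23:30:08 ns2 named[1234]: client 192.0.2.1#53204: received notify for zone 'example.org'
"""

# One arrangement per peer: its own trusted master list and its own include
# file (hypothetical names and addresses).
ARRANGEMENTS = {
    "mine":    {"masters": ["192.0.2.1"],   "include": "/etc/bind/slaves-mine.conf"},
    "partner": {"masters": ["203.0.113.5"], "include": "/etc/bind/slaves-partner.conf"},
}
ALREADY_CONFIGURED = {"example.com"}

NOTIFY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: received notify for zone '(?P<zone>[^']*)'")
# Hostname-shaped labels only: anything else never reaches named.conf.
ZONE_NAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(\.(?!-)[a-z0-9-]{1,63})*$")


def parse_notify(line):
    """(source_ip, zone) for a NOTIFY log line, else None."""
    m = NOTIFY_RE.search(line)
    return (m.group("ip"), m.group("zone")) if m else None


def arrangement_for(ip, arrangements):
    for name, arr in arrangements.items():
        if ip in arr["masters"]:
            return name
    return None


def find_new_zones(lines, arrangements, configured):
    """Return ({arrangement: [zone, ...]}, [(ip, zone, reason), ...]).

    A zone is queued once, only from a trusted source, only if its name is
    well formed, and only if it is not already configured.
    """
    additions, rejected, seen = {}, [], set(configured)
    for line in lines:
        hit = parse_notify(line)
        if hit is None:
            continue
        ip, zone = hit
        zone = zone.rstrip(".").lower()
        if not ZONE_NAME_RE.match(zone):
            rejected.append((ip, zone, "invalid zone name"))
            continue
        name = arrangement_for(ip, arrangements)
        if name is None:
            rejected.append((ip, zone, "untrusted source"))
            continue
        if zone in seen:
            continue
        seen.add(zone)
        additions.setdefault(name, []).append(zone)
    return additions, rejected


def zone_statement(zone, masters):
    """One slave zone statement; zone has already passed ZONE_NAME_RE."""
    return (f'zone "{zone}" {{ type slave; masters {{ {"; ".join(masters)}; }}; '
            f'file "slaves/db.{zone}"; }};')


def render_includes(additions, arrangements):
    """{include_path: text to append} for each arrangement with new zones."""
    return {
        arrangements[name]["include"]:
            "\n".join(zone_statement(z, arrangements[name]["masters"]) for z in zones) + "\n"
        for name, zones in additions.items()
    }


def follow(path, poll=1.0):
    """Minimal tail -f (stand-in for File::Tail): yield lines appended to path."""
    with open(path) as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    # Run over the constructed sample instead of follow("/var/log/daemon.log").
    adds, rej = find_new_zones(SAMPLE_LOG.splitlines(), ARRANGEMENTS, ALREADY_CONFIGURED)
    for path, text in render_includes(adds, ARRANGEMENTS).items():
        print(f"# append to {path}\n{text}")
    for ip, zone, why in rej:
        print(f"# ignored {zone!r} from {ip}: {why}")
```

In a real deployment the loop would read from follow("/var/log/daemon.log"), append the rendered statements to the arrangement's include file, and then reload named; the "already configured" set has to be rebuilt from the include files at startup so a restart does not queue the same zones twice.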