Secondary BIND server.

Kevin Darcy kcd at daimlerchrysler.com
Wed Aug 2 22:37:52 UTC 2000


I'm not aware of any publicly-available software to do this.

What I do for our internal-root namespace is run a script on all of the slaves
which walks through the namespace and determines what it should be slaving and
what it should stop slaving, and updates the named.conf accordingly.
Obviously, this is not feasible for external nameservers where you are adding
new domains under Internet TLD's (I don't think you want to walk through the
whole "com" zone, for instance).

Some folks set up some form of system trust between the master and its slaves,
e.g. ssh, and then use this to "push" a named.conf change from the master to
the slaves whenever a domain is created. If the slaves are essentially
*mirror copies* of the master, even simpler is to just synchronize the slaves'
named.conf with the master's whenever it changes, along with the zone files
themselves, i.e. don't use the normal zone-transfer mechanism. This means, of
course, that the slaves will consider themselves masters, but this is benign
unless you're trying to do Dynamic Update. Dan Bernstein has in the past
recommended using rsync over ssh in this way. Unfortunately, when the masters
and slaves belong to different organizations, there may be logistical and/or
political hurdles to setting up this level of trust between the systems. Also,
nameservers often run on firewalls, where there is often a security policy --
as in our case -- against establishing *any* system trust above what is
strictly necessary for firewall operation.

As an alternative approach, I've often thought that it would be nifty to have
a script which looks for NOTIFY events in a slave's log and then updates
named.conf after verifying that a) the NOTIFY came from a real nameserver for
the domain, and b) the NOTIFY'ed domains are in fact delegated to the local
server (if you don't check these, you're opening yourself up to possible
name-spoofing and/or denial-of-service attacks). But I haven't attempted to
write such a thing. We don't add more than a handful of external domains per
month, on average, so it's hardly been worth it...


- Kevin

Erin - Lists wrote:

> Does anyone have some suggestions on how I would go about getting my
> secondary DNS server to automatically setup the secondary domain when I put
> it in the primary DNS server.
>
> Is there any software that already does this?
>
> I am currently using FreeBSD 3.3 and 4.0 for the OS and BIND 8.2.2pl5 for
> the DNS.
>
> Thanks,
>
> Erin
>
> mailto:kahn at deadbbs.com
> http://www.deadbbs.com
> http://www.fortenberry.net
>
> Failure is not an option. It comes bundled with your Microsoft product.
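The NOTIFY-watching idea from the reply above, worked through as an added example; this is illustrative code written for this page, not code from the post, from Kevin's site, or from ISC's BIND. It reads NOTIFY events out of a slave's log, applies the two checks the post calls for (the NOTIFY must come from an address of a nameserver the parent delegates the zone to, and the zone must be delegated to this server), and emits `type slave` stanzas for the zones that pass. The two log line shapes matched, the hostnames and addresses, and the dictionary-backed delegation lookups are all constructed for the example; in real use the lookups would be queries against the parent zone's authoritative servers.

```python
"""Turn verified NOTIFY log events into slave zone stanzas for named.conf.

Added example only. Log formats, names, addresses and the lookup stubs below
are constructed for illustration and are not taken from a real BIND log.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Two log shapes are recognised. Both are ASSUMED for this example and must be
# checked against the real log output of the BIND version in use:
#   ... rcvd NOTIFY(example.com, IN, SOA) from [192.0.2.1].53
#   ... client 192.0.2.1#53: received notify for zone 'example.com'
NOTIFY_RE = re.compile(
    r"rcvd NOTIFY\((?P<zone8>[^,\s]+), IN, SOA\) from \[(?P<ip8>[^\]]+)\]"
    r"|client (?P<ip9>[0-9A-Fa-f.:]+)#\d+: received notify for zone '(?P<zone9>[^']+)'"
)
# Anyone can send a NOTIFY, so the zone name is attacker-controlled input.
# Only plain DNS labels are allowed before it is written into named.conf or
# used as a filename (this rejects quotes, braces, "/", "..", whitespace).
ZONE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}(?:\.[a-z0-9][a-z0-9-]{0,62})*$")

NsLookup = Callable[[str], Set[str]]    # zone -> NS names per the parent delegation
AddrLookup = Callable[[str], Set[str]]  # nameserver name -> its addresses


def normalize_zone(name: str) -> str:
    return name.strip().lower().rstrip(".")


def parse_notifies(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Extract (zone, source_ip) pairs from log lines; other lines are skipped."""
    found: List[Tuple[str, str]] = []
    for line in lines:
        m = NOTIFY_RE.search(line)
        if m:
            zone = normalize_zone(m.group("zone8") or m.group("zone9"))
            found.append((zone, m.group("ip8") or m.group("ip9")))
    return found


def check_notify(zone: str, src_ip: str, local_names: Set[str],
                 lookup_ns: NsLookup, lookup_addr: AddrLookup) -> Tuple[bool, str]:
    """Apply the two checks from the post plus input validation; returns (ok, reason)."""
    if not ZONE_NAME_RE.match(zone):
        return False, "zone name is not a plain DNS name"
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "unparseable source address"
    ns_names = {normalize_zone(n) for n in lookup_ns(zone)}
    if not ns_names:
        return False, "no delegation found for zone"
    # b) the zone must actually be delegated to this server
    if not ns_names & {normalize_zone(n) for n in local_names}:
        return False, "zone is not delegated to this server"
    # a) the NOTIFY must come from one of the delegated nameservers' addresses
    ns_addrs = {ipaddress.ip_address(a) for n in ns_names for a in lookup_addr(n)}
    if src not in ns_addrs:
        return False, "NOTIFY source is not an address of a delegated nameserver"
    return True, "ok"


def render_zone_stanza(zone: str, master_ip: str, slave_dir: str = "slave") -> str:
    """BIND 8/9 style slave stanza; the verified notifier becomes the master."""
    return (f'zone "{zone}" {{\n\ttype slave;\n\tfile "{slave_dir}/{zone}";\n'
            f"\tmasters {{ {master_ip}; }};\n}};\n")


def process_log(lines: Iterable[str], existing_zones: Set[str], local_names: Set[str],
                lookup_ns: NsLookup, lookup_addr: AddrLookup):
    """Return ({zone: stanza} for accepted NOTIFYs, [(zone, ip, reason)] for the rest)."""
    stanzas: Dict[str, str] = {}
    skipped: List[Tuple[str, str, str]] = []
    configured = {normalize_zone(z) for z in existing_zones}
    for zone, ip in parse_notifies(lines):
        if zone in configured or zone in stanzas:
            skipped.append((zone, ip, "already configured"))
            continue
        ok, reason = check_notify(zone, ip, local_names, lookup_ns, lookup_addr)
        if ok:
            stanzas[zone] = render_zone_stanza(zone, ip)
        else:
            skipped.append((zone, ip, reason))
    return stanzas, skipped


# --- constructed demo data (hypothetical names and RFC 5737 addresses) ---
SAMPLE_LOG = """\
02-Aug-2000 22:37:52.000 rcvd NOTIFY(example.com, IN, SOA) from [198.51.100.9].1234
02-Aug-2000 22:37:55.000 rcvd NOTIFY(example.com, IN, SOA) from [192.0.2.1].53
02-Aug-2000 22:38:05.000 rcvd NOTIFY(evil.example, IN, SOA) from [203.0.113.7].53
02-Aug-2000 22:38:09.000 client 192.0.2.1#53: received notify for zone 'example.net'
02-Aug-2000 22:38:10.000 rcvd NOTIFY(already.example, IN, SOA) from [192.0.2.1].53
02-Aug-2000 22:38:11.000 zone transfer of "already.example" from [192.0.2.1] complete
"""
NS_BY_ZONE = {  # stand-in for querying the parent's delegation
    "example.com": {"ns1.example.com", "ns2.slave.example"},
    "example.net": {"ns1.example.com", "ns9.other.example"},
    "evil.example": {"ns1.evil.example", "ns2.slave.example"},
    "already.example": {"ns1.example.com", "ns2.slave.example"},
}
ADDR_BY_HOST = {  # stand-in for resolving the nameserver names
    "ns1.example.com": {"192.0.2.1"}, "ns2.slave.example": {"192.0.2.53"},
    "ns9.other.example": {"198.51.100.50"}, "ns1.evil.example": {"203.0.113.1"},
}
LOCAL_NAMES = {"ns2.slave.example"}      # this slave's own NS name
EXISTING_ZONES = {"already.example"}      # zones already in named.conf


def demo_lookup_ns(zone: str) -> Set[str]:
    return NS_BY_ZONE.get(zone, set())


def demo_lookup_addr(host: str) -> Set[str]:
    return ADDR_BY_HOST.get(host, set())


def run_demo():
    return process_log(SAMPLE_LOG.splitlines(), EXISTING_ZONES, LOCAL_NAMES,
                       demo_lookup_ns, demo_lookup_addr)


if __name__ == "__main__":
    stanzas, skipped = run_demo()
    for zone, ip, reason in skipped:
        print(f"skip {zone} from {ip}: {reason}")
    print("".join(stanzas.values()), end="")
```

Two points matter when turning this into something that runs against a real slave. The delegation lookups should be made against the parent zone's authoritative servers rather than a local recursive cache, since the whole point of check (a) is to not trust whatever the notifier claims about itself. And the zone-name filter is not optional: NOTIFY is unauthenticated, and a name that reaches named.conf unchecked could carry quotes, braces or a path component into the configuration and the slave file name.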
