replication between primary & secondary bind servers in linux?

Ladislav Bukvicka Ladislav.Bukvicka at eunet.cz
Wed Feb 7 11:13:58 UTC 2001


First, your question about allowing recursion:
you can use the allow-recursion directive in your config file ...

for example:

// part of config
acl private { 192.168.0.0/255.255.0.0; 10.0.0.0/255.0.0.0; }

allow-transfer { any; };
allow-query { any; };
allow-recursion { private; };
// eof

so your nameserver now acts to the world as a non-recursive nameserver and answers
only queries for the zones it serves,
and it does caching and recursive queries for machines in your private
subnets 192.168.0.0/255.255.0.0 and 10.0.0.0/255.0.0.0 ...

and second, your question about transferring config via the DNS protocol:
ok, I can write you one simple example of how this mechanism could work ...

section from named.conf:

acl secondary { <secondary_ip_address>; };

zone "config.ARPA" {
        type master;
        allow-transfer { secondary; };
        allow-query { secondary; };
        file "zone/config.ARPA";
};

cat zone/config.ARPA:

$TTL 18000
@       IN      SOA     nsp.example.com. hostmaster.example.com. (
                                1      ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      nsp.example.com.
        IN      NS      nss.example.com.
; you need only one nameserver, but to avoid named warning messages you
; can run a secondary too

example2.com    IN      TXT     nsp.example.com nss.example.com
example3.com    IN      TXT     ns.somewhere.com nss.example.com
example4.com    IN      TXT     ns.somewhere2.com nss.example.com
example4.com    IN      TXT     nsp.example.com nss.example.com

; eof

now you have a zone (not encrypted, but in this case never mind) and you can do
an AXFR from the secondary ....

and a part of nss.example.com's config:
// for config
zone "config.ARPA" {
        type slave;
        masters { nsp.example.com; };
        allow-transfer { none; };
        allow-query { none; };
        file "zone/config.ARPA";
};
// secondaries config
include "secondaries";
// eof

and for example a simple perl script running on the secondary & generating the "secondaries" file:
#!/usr/bin/perl --
# generate the "secondaries" include file from the TXT records in config.ARPA
open(OUT,"> /path/to/your/named/etc/secondaries") or die "cannot write secondaries: $!";
open(IN,"/usr/bin/host -l -t txt config.ARPA. nsp.example.com |") or die "cannot run host: $!";
while (<IN>) {
  # host -l prints e.g.: example2.com.config.ARPA descriptive text "nsp.example.com" "nss.example.com"
  (@d)=/^(\S+)\s+descriptive text\s+(\S+)\s+(.*)$/ or next;
  $d[2]=~s/\"//g;                     # second string: the secondary that should slave the zone
  if ($d[2] eq "nss.example.com") {
    $d[0]=~s/\.config\.ARPA\.?$//i;   # owner name minus the config zone suffix
    $d[1]=~s/\"//g;                   # first string: the master to transfer from
    print OUT <<EOM;
zone "$d[0]" {
     type slave;
     file "zone/$d[0]";
     masters { $d[1]; };
};

EOM
  }
}
close(IN);
close(OUT);
# eof

and you can run the script from cron as a user who has permission to write to the "secondaries" file ...
and then do "ndc reconfig" as root ...
or you can run this command with root permissions from cron:
     su -m named_user -c '/path/to/example/script' && /usr/sbin/ndc reconfig

I wrote this in a short time, so I hope there is no big mistake ...

pukvis

PS: note this is _only an example_, so you have to write your own system with all controls and
checksums, possible encryption ... etc ...
because if you have no syntax control, security control and others you can easily get into trouble ...

Q wrote:
> This seems like it could really work for me.  The only thing is that I don't
> exactly know how to set this up.  How can I allow transfer and query only
> from the secondary server? Can you point me in the direction of some samples
> or more info?  On a side note is there a way to set it up to be a caching
> server for a certain range of IPs and only resolve the domains it has for
> everyone else?  I would like to be able to limit who can use the DNS servers
> for caching so that other people can't use it for that but I didn't think
> that was possible.  Thanks!
> 
> 


-- 
 - - = = = = K P N Q w e s t  C z e c h i a  s. r. o. = = = - - 
====== ____                            = Ladislav Bukvicka ======
===== /      /   /   ___    ___  _/_  == Gen. Janouska  902 =====
==== /----  /   /  /   /  /___/  /   === Prague 9,Czech Rep. ====
=== /____  /___/  /   /  /___   /   ==== fax:+420(2) 81081082 === 
==                                 ===== tel.:+420(2) 81081081 ==
=  Connecting Europe since 1982   ====== e-mail:pukvis at eunet.cz =
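The generator step from the post, as an added example in Python (not the poster's script): it parses the same `host -l -t txt` output format, keeps only the records whose second string names this secondary, and applies the syntax and duplicate checks the PS asks for before rendering the zone stanzas. The sample output lines and the `SUFFIX`/`LABEL` rules are constructed assumptions.

```python
import re

# Constructed sample of `host -l -t txt config.ARPA. nsp.example.com` output,
# the format the poster's Perl script parses. The fourth line has an invalid
# label and the fifth repeats a zone, so both should be rejected.
SAMPLE = """\
example2.com.config.ARPA descriptive text "nsp.example.com" "nss.example.com"
example3.com.config.ARPA descriptive text "ns.somewhere.com" "nss.example.com"
other.org.config.ARPA descriptive text "ns.elsewhere.net" "ns2.elsewhere.net"
bad_zone.config.ARPA descriptive text "nsp.example.com" "nss.example.com"
example3.com.config.ARPA descriptive text "ns.dup.example" "nss.example.com"
"""

LINE = re.compile(r'^(\S+)\s+descriptive text\s+"([^"]*)"\s+"([^"]*)"\s*$')
LABEL = re.compile(r'^(?!-)[a-z0-9-]{1,63}(?<!-)$', re.I)
SUFFIX = ".config.arpa"

def valid_name(name):
    """Hostname syntax only: dot-separated labels of [a-z0-9-], no edge dashes."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL.match(lab) for lab in name.split("."))

def parse_secondaries(text, me):
    """Return ({zone: master}, [rejected lines]) for records whose second string
    names this secondary (`me`); unparsable, invalid or duplicate lines are rejected."""
    zones, rejected = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            rejected.append(line)
            continue
        owner, master, secondary = m.groups()
        if secondary != me:
            continue
        owner = owner.rstrip(".")
        if not owner.lower().endswith(SUFFIX):
            rejected.append(line)
            continue
        zone = owner[:-len(SUFFIX)]
        if not (valid_name(zone) and valid_name(master)) or zone in zones:
            rejected.append(line)  # bad label, bad master name, or duplicate zone
            continue
        zones[zone] = master
    return zones, rejected

def render(zones):
    """Emit the named.conf stanzas for the "secondaries" include file."""
    return "".join('zone "%s" {\n\ttype slave;\n\tfile "zone/%s";\n\tmasters { %s; };\n};\n\n'
                   % (z, z, m) for z, m in sorted(zones.items()))
```

Rejected lines are the ones to log and inspect before running `ndc reconfig`, since a single bad stanza in the include file keeps named from loading the new config.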

