djbdns and updating slave name servers

One feature of BIND (and most DNS servers on the Internet) is the concept of “zone transfers.” Records are only updated on the primary server, and they propagate down to the slaves.

I’m not going to go into the details, but the way zone transfers work isn’t very good.

The DNS software suite I use on my servers, djbdns, does not support sending zone transfers (at least not without installing another piece of djb software, which I’d like to avoid).

So, how do I update my slave nameservers? djb recommends using something like SSH or rsync, but these tend to be cumbersome to use. I thought up a fairly easy (and secure) way to perform the same function as zone transfers.

My primary nameserver is also a web server. Simply publish the tinydns data file to a password-protected directory (I have mine on an SSL site) whenever records are updated. For example, in the Makefile in tinydns’s root directory:

# recipe lines must start with a tab
data.cdb: data
	cp data /some/directory/that/is/web/accessible/and/protected/data
	/usr/local/bin/tinydns-data

Then, on each slave nameserver, edit its Makefile to download this file, something like so:

# without .PHONY, make would treat master-zones as up to date once the file exists
.PHONY: master-zones

master-zones:
	wget --http-user=someuser --http-passwd=somepasswd https://example.com/somewhere/data -O master-zones

data.cdb: master-zones local-dns-data
	cat local-dns-data master-zones > data
	/usr/local/bin/tinydns-data

It’s easy, and it works. It’s trivial to set up a cron job on the slave servers to run the Makefile and re-download the zones nightly.
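As an added example (not code from the original post or from djbdns), a small POSIX shell script a slave could run from cron in place of the bare wget rule: it fetches over HTTPS only, refuses anything that is not a tinydns data file (an HTML error page, an empty or cut-off transfer), and rebuilds data.cdb only when the master’s copy actually changed. MASTER_URL, TINYDNS_ROOT, the ~/.netrc credential lookup and the file names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post or from djbdns. Assumed
# (hypothetical) settings: the master publishes the file at MASTER_URL, HTTP
# credentials sit in ~/.netrc (wget reads it by default), and tinydns's root
# directory is TINYDNS_ROOT.
MASTER_URL="${MASTER_URL:-https://example.com/somewhere/data}"
TINYDNS_ROOT="${TINYDNS_ROOT:-/etc/tinydns/root}"

# A tinydns data file: every non-blank line starts with a record-type character
# (. & = + @ ^ C Z : % ' -, plus 3 and 6 from the IPv6 patch) or a '#' comment,
# and the file ends with a newline. An HTML error page, an empty body or a
# cut-off transfer fails this and is never concatenated into the live data.
validate_tinydns_data() {
    f="$1"
    [ -s "$f" ] || return 1                                  # empty download
    if grep -qvE "^([.&=+@^CZ:%36'-]|#|\$)" "$f"; then       # foreign line
        return 1
    fi
    [ -z "$(tail -c 1 "$f")" ] || return 1                   # truncated last line
}

# Download to a temp file, validate, and install it only when it differs from
# the copy already in use. Returns 0 = installed, 2 = unchanged, 1 = rejected.
fetch_master_zones() {
    tmp="$TINYDNS_ROOT/master-zones.tmp"
    wget -q --https-only -O "$tmp" "$MASTER_URL" || { rm -f "$tmp"; return 1; }
    validate_tinydns_data "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$tmp" "$TINYDNS_ROOT/master-zones"; then
        rm -f "$tmp"; return 2
    fi
    mv "$tmp" "$TINYDNS_ROOT/master-zones"
}
# Same rebuild as the Makefile: slave-local records first, then the master's.
rebuild_cdb() {
    ( cd "$TINYDNS_ROOT" &&
      cat local-dns-data master-zones > data &&
      /usr/local/bin/tinydns-data )
}

# Cron entry point: "sh fetch-master-zones.sh sync". Without the argument the
# script only defines the functions above (so it can be sourced or tested).
if [ "${1:-}" = "sync" ]; then
    fetch_master_zones; rc=$?
    case "$rc" in
        0) rebuild_cdb ;;
        2) exit 0 ;;
        *) echo "master-zones: download rejected, keeping old data" >&2; exit 1 ;;
    esac
fi
```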


Comments

Jon Beckham

You are pretty high in google’s rankings for “tinydns uml rootfs”, which is how I found this post…

If you’re running ssh on the master (which I assume you are, if it’s a publicly accessible machine of some sort), then using ssh-keys and scp is a snap, and far less cumbersome (I guess IMO, but it’s definitely less to depend on than an https server w/ http auth on top). Wow, awful sentence, sorry I’m tired. :)

Generate a dedicated SSH key (passwordless) on the slave, put the public key on the master, and you could even go so far as to prepend the key on the master with the command you want run…

command="cat /etc/tinydns/root/data" ssh-rsa PUBKEYGIBBERISH

Then, on the slave, ssh master > masterzones will get all the updates you want.

You’re no longer tied to running a webserver on your dns machine, and you have the same security benefits of a readonly interface.

Samat

I particularly wanted to avoid having to create system accounts for this kind of thing, just my personal preference.