By Samat Jain
May 25, 2005 - 10:14am
One feature of BIND (and most DNS servers on the Internet) is the concept of “zone transfers.” Records are only updated on the primary server, and they propagate down to the slaves.
I’m not going to go into the details, but the way zone transfers work isn’t very good.
The DNS software suite I use on my servers, djbdns, does not support sending zone transfers (at least not without installing another piece of djb software which I’d like to avoid).
So, how do I update my slave nameservers? djb recommends using something like SSH or rsync–but these tend to be cumbersome to use. I thought up a fairly easy (and secure) way to perform the same function as zone transfers.
My primary nameserver is also a web server. Simply publish the djbdns tinydns data file to a password-protected directory (I have mine on an SSL site) whenever records are updated. For example, in tinydns’s Makefile in its root directory:
data.cdb: data
	cp data /some/directory/that/is/web/accessible/and/protected/data
	/usr/local/bin/tinydns-data
Then, on each slave nameserver, edit its Makefile to download this file, something like so:
master-zones:
	wget --http-user=someuser --http-passwd=somepasswd https://example.com/somewhere/data -O master-zones
data.cdb: master-zones
	cat local-dns-data master-zones > data
	/usr/local/bin/tinydns-data
It’s easy. And it works. It’s trivial to set up a cron job on the slave servers to run the Makefile and re-download the zones nightly.
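The slave-side fetch above passes the password on the wget command line, where `ps` and shell history can see it, and blindly feeds whatever the server returned to tinydns-data. The script below is an added example (mine, not from the original post) of the same update with curl reading credentials from a netrc file, an HTTP error turned into a failure, and the combined file checked against tinydns-data’s record-type characters before it replaces `data`; the netrc path, the tinydns root and the URL are assumptions.

```shell
#!/bin/sh
# Slave-side update replacing the wget target in the page's Makefile.
# Assumed paths (not from the original post): credentials in /etc/tinydns/netrc
# (mode 0600) so they never appear on a command line; URL is a placeholder.
MASTER_URL="https://example.com/somewhere/data"
NETRC="/etc/tinydns/netrc"
TINYDNS_ROOT="/etc/tinydns/root"

# Fetch the master's data file. --fail makes an HTTP error (e.g. a 401 page)
# a non-zero exit instead of a bogus "master-zones" file.
fetch_master_zones() {
    curl --fail --silent --show-error --netrc-file "$NETRC" \
         -o "$TINYDNS_ROOT/master-zones.tmp" "$MASTER_URL" &&
    mv "$TINYDNS_ROOT/master-zones.tmp" "$TINYDNS_ROOT/master-zones"
}

# Accept only a plausible tinydns data file: non-empty, and every non-blank
# line starts with one of tinydns-data's record types (% Z . & + = @ ' ^ C : -)
# or a '#' comment. An HTML error page or a truncated download fails here.
validate_tinydns_data() {
    [ -s "$1" ] || return 1
    ! grep -Ev '^[%Z.&+=@^C:#'\''-]|^[[:space:]]*$' "$1" >/dev/null
}

# Merge local records with the master's copy; replace OUT atomically and only
# when the merged file validates, so a bad download never reaches tinydns-data.
build_data() {   # usage: build_data LOCAL MASTER OUT
    cat "$1" "$2" > "$3.tmp" || return 1
    if validate_tinydns_data "$3.tmp"; then
        mv "$3.tmp" "$3"
    else
        rm -f "$3.tmp"
        return 1
    fi
}

# Full cron run: fetch, merge, then rebuild data.cdb as the page's Makefile does.
update_slave() {
    fetch_master_zones &&
    build_data "$TINYDNS_ROOT/local-dns-data" "$TINYDNS_ROOT/master-zones" \
               "$TINYDNS_ROOT/data" &&
    ( cd "$TINYDNS_ROOT" && /usr/local/bin/tinydns-data )
}

# Run the update only when invoked as "update-zones.sh run" (e.g. from cron).
case "${1:-}" in run) update_slave ;; esac
```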
Comments
Jon Beckham on October 5, 2005 - 11:16pm wrote…
You are pretty high in google’s rankings for “tinydns uml rootfs”, which is how I found this post…
If you’re running ssh on the master (which I assume you are, if it’s a publicly accessible machine of some sort), then using ssh-keys and scp is a snap, and far less cumbersome (I guess IMO, but it’s definitely less to depend on than an https server w/ http auth on top). Wow, awful sentence, sorry I’m tired. :)
Generate a dedicated sshkey (passwordless) on the slave, put the public key on the master, and you could even go so far as to prepend the key on the master with the command you want run…
command="cat /etc/tinydns/root/data" ssh-rsa PUBKEYGIBBERISH…
Then, on the slave,
ssh master > masterzones
will get all the updates you want. You’re no longer tied to running a webserver on your dns machine, and you have the same security benefits of a readonly interface.
Samat Jain on October 6, 2005 - 10:54am wrote…
I particularly wanted to avoid having to create system accounts for this kind of thing–just my personal preference.