[BETA] DNS master2slave

So you mean an update like a new A record?

If yes, check whether your server has these three lines filled in /etc/named.conf:

Code:
        allow-transfer { IP; };
        notify yes;
        also-notify { IP; };

where IP is the external nameserver IP

If you don't have them (I suppose the also-notify and notify are missing), add them and restart named.

Regards
 
On most newer server installations I've found that the script needs to run as root. I can offer commercial support to reinstall and debug the issue if you can't get it running.

Jeff
 
Just a few questions.
If the scripts are to be run as root, that is not a big problem. But will it work on servers with mod_ruid?

Are there security issues nowadays we have to pay attention to? I see this from the readme:
3) Create the namedftp folder under the <webroot>
Note: <webroot> is the directory that is server root for the primary DNS's IP <masterip>.
eg. /var/www/html (DirectAdmin)
So we create this /var/www/html/namedftp, but this is accessible from the internet for anybody.
Is it not better to create a .htaccess in that folder to limit access to the slave server?

Are there other security issues we have to keep in mind?
 
Problem. Things are not resolving. I get this when doing a dig on an external separate server somewhere:
dig @ns2.mymaster.nl somedomain.eu

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> @ns2.mymaster.nl somedomain.eu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46948
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;somedomain.eu. IN A

;; Query time: 1 msec
;; SERVER: 141.xxx.xxx.xxx#53(141.xxx.xxx.xxx)
;; WHEN: Tue Jan 15 02:08:04 2013
;; MSG SIZE rcvd: 37

On the master in /var/www/html/namedftp there is a file called 46.xxx.xxx.xxx.named.conf with all domains on that master.
On the slave server my /var/named/slaves looks like this:
Code:
drwxrw-rw- 3 namedftp named 4.0K Jan 15 01:35 namedftp
-rw-r--r-- 1 named    named  616 Jan 15 01:15 mydomain.eu.db
-rw-r--r-- 1 namedftp named 9.6K Jan 15 01:50 slaves.named.conf
This slaves.named.conf also has all domain zones from the master.

And in the /var/named/slaves/namedftp folder there is a directory:
Code:
drwxrw-rw- 2 namedftp named 4.0K Jan 15 01:35 46.xxx.xxx.xxx
So a directory named with my master IP address. This folder is empty.

A last question about the getmaster2slavedns.sh on the slave server. The line:
webinfo='http://';

Must I change this to:
webinfo='http://server55.mymaster.nl/';
(which is the hostname of my master server) or not? Or something else?

And the last question is, in the checkdomains.pl at top it says:
use File::Copy ;
use File::Basename ;

I know at least File::Copy is not installed. Is it necessary to install both of these via cpan? Or don't I need them?

Found a typo.
In getzone.dns.sh this line is still disabled:
#cp -f /home/namedftp/named.master.conf $weboroot/namedftp/$masterip.named.conf
It says "$weboroot" instead of "$webroot".
Does this line need to be enabled?

P.s. on the master I run the scripts as root, on the slave I run them as the namedftp user. Seems to work at the moment, although we can't query DNS 2.
Should I put the
allow-query { any; };
in named.conf?
 
Resolving is fixed now by changing the owner of the /var/named/namedftp folder. So I do not need to put the allow-query in the named.conf.

However, the other questions mentioned in both posts remain.
Also sometimes I got some:
zone mkbdomain.in/IN: zone transfer deferred due to quota

I don't know for sure if I will get those again.
 
If the scripts are to be run as root, that is not a big problem. But will it work on servers with mod_ruid?
Of course, with proper permissions/ownership. It works on my mod_ruid servers. Note though that my nameservers are pure nameservers, they don't have anything else installed on them, so for integration with anything else you should ask others to reply, or if you have problems installing use our installation service.
So we create this /var/www/html/namedftp, but this is accessible from the internet for anybody.
Is it not better to create a .htaccess in that folder to limit access to the slave server?
You certainly can if you wish, but DNS information, by its very nature, is public anyway. It's easy enough to do, and it's entirely up to you.
Are there other security issues we have to keep in mind?
You may now be running it as root because of heightened security on more recent setups. If you don't want to do that you can do some creative work with adding the namedftp user to certain groups to create more restrictive access, but I don't teach you how to do that.
Problem. Things are not resolving
I believe you wrote that you'd resolved this. If you have additional questions on this please feel free to post them but generally I don't go too much into the details of how to do this because I offer the project at no charge but do make a small charge to install it (I didn't write this project; I paid someone else to write it, so I don't mind making a few dollars off installation from time to time :)).
A last question about the getmaster2slavedns.sh on the slave server. The line:
webinfo='http://';

Must I change this to:
webinfo='http://server55.mymaster.nl/';
(which is the hostname of my master server) or not? Or something else?
I just noticed this variable isn't being used. It's there so you can choose whether to use http or https, but you can do that a few lines further down if you wish. If you do use https, then you must have a valid Certificate for the URL.
And the last question is, in the checkdomains.pl at top it says:
use File::Copy ;
use File::Basename ;

I know at least File::Copy is not installed. Is it necessary to install both of these via cpan? Or don't I need them?
I'd expect that you can't run the program unless they're installed. Please let me know if you find the program runs without error if they're not installed.
Found a typo.
In getzone.dns.sh this line is still disabled:
#cp -f /home/namedftp/named.master.conf $weboroot/namedftp/$masterip.named.conf
It says "$weboroot" instead of "$webroot".
Does this line need to be enabled?
Yes it needs to be enabled and the variable name needs to be fixed. I'm sorry; I should have fixed that a long time ago, but the bug is documented somewhere on the DirectAdmin forums.
P.s. on the master I run the scripts as root, on the slave I run them as the namedftp user. Seems to work at the moment, although we can't query DNS 2.
Should I put the
allow-query { any; };
in named.conf?
That depends on how your masters are set up, but based on your next post it appears you didn't need it.
Resolving is fixed now by changing the owner of the /var/named/namedftp folder. So I do not need to put the allow-query in the named.conf.
As above, that depends on how your masters are configured.
Also sometimes I got some:
zone mkbdomain.in/IN: zone transfer deferred due to quota

I don't know for sure if I will get those again.
I've never seen that and I have no idea what it means. You might want to look here (itags.org) which I just found by searching.

Jeff
 
@Jeff: Thank you for taking the time and effort to answer all my questions. As far as I can see and can read from your answers, I've installed everything correctly.
Indeed, just to be sure, I protected the namedftp web directory to only the slave server IP.

I'd expect that you can't run the program unless they're installed. Please let me know if you find the program runs without error if they're not installed.
At the moment it runs fine without error, and in any case at least without File::Copy.
Because when I try to install this via CPAN, CPAN starts to complain that it's only present in a newer beta version of Perl or something like that, and that I have to do a "force install" to get it installed.
Even if I do that, a warning comes up about this beta which I explicitly have to answer with yes. Because I wasn't sure if that was a good idea on a live production server, I answered no and File::Copy did not get installed.
I did not look or test if File::Basename is installed; I don't know the command for checking if it's installed in CPAN, because I almost never use that.
But as for now I can't see any errors and things look as if they are working fine. Domains on my master server can be looked up by using the slave server.

Should errors appear in /var/log/messages if any?

@Sellerone: Sounds interesting, thank you!
 
I'm guessing my programmer (he's disappeared so I can't ask him) didn't use the file after requiring it, but I don't know enough about perl to know if it should give an error when requiring a non-installed module.

Anyone else know?

Jeff
 
I am trying to install this on my master directadmin by using:

http://www.nobaloney.net/downloads/dns-master2slave/DirectAdmin/beta/

However, when I tried out step 6:
6) Test the script.
# su - namedftp -c './getzone.dns.sh'
Check to see if you can find a copy of /etc/named.conf by pointing your browser at:
http://<masterip>/namedftp/<masterip>.named.conf

I've got:
su - namedftp -c './getzone.dns.sh'
Server: my-master-ip
Include: /etc/named.rfc1912.zones
Include: /etc/named.root.key

but when I tried out:
http://<masterip>/namedftp/<masterip>.named.conf

I got the "file not found" error. Also when I go to the folder /var/www/html/namedftp it's empty inside.

please help
 
@Redjersey:
Did you read this I wrote in post #186:
Found a typo.
In getzone.dns.sh this line is still disabled:
#cp -f /home/namedftp/named.master.conf $weboroot/namedftp/$masterip.named.conf
It says "$weboroot" instead of "$webroot".
So in the getzone.dns.sh you have to fix the typo and remove the # from the line which starts with the "cp" command, otherwise the named.conf will not be copied to the correct location.
 
@Redjersey:
Did you read this I wrote in post #186:

So in the getzone.dns.sh you have to fix the typo and remove the # from the line which starts with the "cp" command, otherwise the named.conf will not be copied to the correct location.

Yes, I have fixed that. So now if I try:
http://<masterip>/namedftp/<masterip>.named.conf

I do see my records.

However now I'm having a problem with setting up the slave server.

I have looked at: /var/named/slaves/slaves.named.conf
in my slave vps, I have these two records:

zone "server.mydomain.com" { type slave; file "/var/named/slaves/namedftp/<master-ip>/server.mydomain.com.db"; masters { <master-ip>; }; };
zone "mydomain.com" { type slave; file "/var/named/slaves/namedftp/<master-ip>/mydomain.com.db"; masters { <master-ip>; }; };

but when I looked at: /var/named/slaves/namedftp/<master-ip>
the directory is empty. I don't have any server.mydomain.com.db nor mydomain.com.db
 
I have looked at my /var/log/messages in slave and I've got:
Apr 29 05:55:01 ns2 named[3382]: zone server.mydomain.com/IN: Transfer started.
Apr 29 05:55:01 ns2 named[3382]: transfer of 'server.mydomain.com/IN' from <master-ip>#53: connected using <slave-ip>#56031
Apr 29 05:55:01 ns2 named[3382]: dumping master file: /var/named/slaves/namedftp/<master-ip>/tmp-UzsPNPdBBQ: open: permission denied
Apr 29 05:55:01 ns2 named[3382]: transfer of 'server.mydomain.com/IN' from <master-ip>#53: failed while receiving responses: permission denied
Apr 29 05:55:01 ns2 named[3382]: transfer of 'server.mydomain.com/IN' from <master-ip>#53: Transfer completed: 0 messages, 14 records, 0 bytes, 0.046 secs (0 bytes/sec)
Apr 29 05:55:01 ns2 named[3382]: zone mydomain.com/IN: Transfer started.
Apr 29 05:55:01 ns2 named[3382]: transfer of 'mydomain.com/IN' from <master-ip>#53: connected using <slave-ip>#44539
Apr 29 05:55:01 ns2 named[3382]: dumping master file: /var/named/slaves/namedftp/<master-ip>/tmp-motOysC9ZC: open: permission denied
Apr 29 05:55:01 ns2 named[3382]: transfer of 'mydomain.com/IN' from <master-ip>#53: failed while receiving responses: permission denied
Apr 29 05:55:01 ns2 named[3382]: transfer of 'mydomain.com/IN' from <master-ip>#53: Transfer completed: 0 messages, 18 records, 0 bytes, 0.026 secs (0 bytes/sec)
 
after some changes to the slave, I now have the .db files in my /var/named/slaves/namedftp/<master-ip> (slave)

However, the db files are not updated. Which means, if I log in to DirectAdmin -> DNS Administration -> mydomain.com and make some changes to my DNS record, the changes won't be reflected in the db files in my /var/named/slaves/namedftp/<master-ip> (slave). (I have waited for 30+ minutes and nothing is changed inside the IP folders.)

I wonder which .sh is to copy/move the files to my slave's /var/named/slaves/namedftp/<master-ip>

please help
 
The master/slave sync on DNS change (so, not create or remove) has to be done in named.conf by setting up the allowed IP where to send every "already present" DNS modification.

I don't remember those lines right now since I'm not at home, but I'm pretty sure it has been mentioned in this thread, maybe some pages back.

Regards
 
SeLLeRoNe, just to be clear, should I use: dns-replicator.tar.gz
or http://www.nobaloney.net/downloads/dns-master2slave/DirectAdmin/beta/

is dns-replicator.tar.gz the same as:
http://www.nobaloney.net/downloads/dns-master2slave/DirectAdmin/beta/

except you are using rsync and ssh keys to communicate between the master and slave?

if so do I have to uninstall OP's script first, in order to install yours?

Also I have checked a few pages back, you suggested to install server (the one without directadmin) first then client. So my master is directadmin and my slave is non-directadmin, so I suppose I should install server on my slave server first right?

just want to be clear, thanks :)
 
I wonder which .sh is to copy/move the files to my slave's /var/named/slaves/namedftp/<master-ip>
If I'm not mistaken it's mentioned in the readme file.
You have to setup a cronjob for the .sh to run. It does not automatically update when you update Directadmin, so it can take a few minutes.
If you want something which updates directly when you change something in DNS on DA, you could also have a look at Directslave which is also easy to setup.

I used both Master2slave and Directslave and was very satisfied with both; I just found Directslave a bit safer nowadays and easier to set up.

Edit: I just checked, it's indeed in the README.txt, you have to setup a cronjob on the master as well as on the slave.
On the master:
# crontab -e -u namedftp (it could be you have to run this cronjob as root user instead of namedftp user on the master server).
Code:
0,15,30,45 * * * * /home/namedftp/getzone.dns.sh

And on the slave you need 2 cronjobs:
# crontab -e -u namedftp
Code:
5,20,35,50 * * * * /home/namedftp/getmaster2slave.dns.sh
and
# crontab -e -u root
Code:
10,25,40,55 * * * * /sbin/service named reload

This means it could take up to 15 minutes after a change until your slave named is updated, provided all rights and settings are correct. However, you could also adjust the cronjobs to your needs to get it done faster.
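A check for the slave side, added here and not part of the dns-master2slave scripts: it parses the one-line zone statements in slaves.named.conf (the form shown earlier in this thread), confirms each zone is a slave of the expected master IP, and verifies that the user running it can write to each zone file's directory, which is exactly what failed in the "dumping master file ... permission denied" log lines above. The zone names, IPs and paths in the sample run are constructed.

```shell
#!/bin/sh
# Added example, not part of the dns-master2slave scripts: check the
# slaves.named.conf that getmaster2slave.dns.sh builds on the slave before
# named is reloaded. Assumes one-line zone statements in the form seen in
# this thread:
#   zone "x" { type slave; file "/var/named/slaves/namedftp/IP/x.db"; masters { IP; }; };
# Run it as the user named runs as (e.g. su -s /bin/sh named -c '...') so the
# writability test reflects the permissions named actually has.
# check_slave_conf CONF EXPECTED_MASTER_IP
# Prints "OK zone" or "BAD zone: reasons" per zone; returns 1 if any zone is BAD.
check_slave_conf() {
    conf=$1; expected=$2; fail=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        zone=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*zone[[:space:]]*"\([^"]*\)".*/\1/p')
        file=$(printf '%s\n' "$line" | sed -n 's/.*file[[:space:]]*"\([^"]*\)".*/\1/p')
        master=$(printf '%s\n' "$line" | sed -n 's/.*masters[[:space:]]*{[[:space:]]*\([^;[:space:]]*\).*/\1/p')
        reason=""
        # a zone that is not "type slave" would never be transferred from the master
        case "$line" in *"type slave"*) ;; *) reason="$reason not-a-slave-zone";; esac
        # the masters clause must point at the master the conf was fetched from
        [ "$master" = "$expected" ] || reason="$reason masters=${master:-missing}"
        # named writes tmp-XXXX into the zone file's directory and renames it, so
        # the directory itself must be writable (the "permission denied" case)
        if [ -z "$file" ]; then
            reason="$reason no-file-clause"
        else
            dir=$(dirname "$file")
            if [ ! -d "$dir" ]; then reason="$reason dir-missing:$dir"
            elif [ ! -w "$dir" ]; then reason="$reason dir-not-writable:$dir"; fi
        fi
        if [ -z "$reason" ]; then echo "OK  $zone"; else echo "BAD $zone:$reason"; fail=1; fi
    done <<EOF
$(grep -E '^[[:space:]]*zone[[:space:]]+"' "$conf")
EOF
    return $fail
}
# Constructed sample run (not real data): one zone whose directory exists and is
# writable, one whose directory is missing, as in the log lines in this thread.
demo_check() {
    tmp=$(mktemp -d); mkdir -p "$tmp/namedftp/192.0.2.10"
    cat >"$tmp/slaves.named.conf" <<EOF
zone "mydomain.com" { type slave; file "$tmp/namedftp/192.0.2.10/mydomain.com.db"; masters { 192.0.2.10; }; };
zone "server.mydomain.com" { type slave; file "$tmp/namedftp/203.0.113.5/server.mydomain.com.db"; masters { 203.0.113.5; }; };
EOF
    check_slave_conf "$tmp/slaves.named.conf" 192.0.2.10
    rc=$?; rm -rf "$tmp"; return $rc
}
demo_check
```

Run it on the slave after getmaster2slave.dns.sh has written slaves.named.conf and before the named reload cronjob fires; a non-zero exit means the reload would produce the same transfer failures seen in /var/log/messages.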
 
I did set up both cronjobs. Turns out it was the owner/permission problem, and it prevented the sh scripts from copying the DNS files to the IP address folder.

I guess I'll either use the directslave or dns-replicator.tar.gz. Thanks for your help :)
 