DirectSlave/GO 3 - public beta

Unfortunately no, I still have mine running but haven't done anything with it for years. I'm also not using DNSSEC on it.
 
You don't? Oh because I've seen an old post from you on WHT where you said it worked with DS without issues. Hence my question. :)
Yes I have worked with it in the past, but I dropped it shortly after. I think at that time it was a lot of manual work per domain; when I switched domain registrars I probably removed the ones I had it enabled on. I did a quick look and there was 1 domain still in my /var/named that had a .key file, a domain that is no longer registered. Using dig +dnssec on both the DA server and the DirectSlave server gives back the RRSIG, so it was successful at some point in transferring that at least. Also I noticed that on my DirectSlave server, in the named_workdir (in etc/directslave.conf), it has all the .db files, but there is no .key file there. Not sure if it actually needs those files on the slave?
 
Not sure if it actually needs those files on the slave?
Oh LoL yes good question. I know in the DA Multiserver Setup those files are on both servers.
Now that you say this, I wanted to test it, but I just moved nameservers so they are not on the DS server anymore. The domains present there do not have DNSSEC, so I can't test anymore.

If I read correctly only the db.signed files should be present. But I know for a fact they were not.
Maybe @roman_m can enlighten us on this, or fix this when he will be available again.
 
Some people asked me if I had kind of a manual for it. So @Active8 and @ericosman and whoever is interested, this is how I have it running at the moment.
=======================

You need this anyway:
yum install perl-Sys-Syslog
maybe more.

The readme has some errors in it, at least regarding a filename.
named_conf /etc/namedb/secondary/named.conf
While in fact, in the directslave.conf it says:
named_conf /etc/named/directslave.inc
so a different name and one directory up. This last one is the correct location, so I use this location and this filename. The file will be created automatically; if not, "touch" it and chown it to named.

In the /etc/named directory, create a directory called /secondary/ and chown it to named.

When ready, it can be used like this; this is my directslave.conf (adjust to your needs):
Code:
background      1

host            *

port            2222
sslport         2224

ssl             off
ssl_cert        /usr/local/directslave/ssl/fullchain.pem
ssl_key         /usr/local/directslave/ssl/privkey.pem

cookie_sess_id  DS_SESSID
cookie_auth_key 0El2dbMZlwxxxxxxx@)xxxxxxxxxx-THISMUSTBELONGENOUGH!!--xxxxxxx

debug           0
uid             0
gid             0

pid             /usr/local/directslave/run/directslave.pid
access_log      /usr/local/directslave/log/access.log
error_log       /usr/local/directslave/log/error.log
action_log      /usr/local/directslave/log/action.log

named_workdir   /etc/named/secondary
named_conf      /etc/named/directslave.inc
retry_time      300
rndc_path       /usr/sbin/rndc
named_format    text

authfile        /usr/local/directslave/etc/passwd

Also use things from the readme like this command:
/usr/local/directslave/bin/directslave --check

Be aware that rndc is working.

As for the cookie_auth_key, this must be long enough. I've got 65 random characters, though maybe I did that wrong; it should be 64 anyway, if I understood it correctly.
You can see that I use uid and gid 0 here, but it doesn't matter as this is decided by the system start file anyway.

To do that, use this:
/usr/local/directslave/etc/systemd/directslave.service

I presume you know how to make that a starting system file. Copy it over and enable the service. ;)

Now in the DirectSlave VPS's /etc/named.conf you need this:
Code:
        allow-notify { master.server.ip; };

On the master server you need this in the named.conf file:
Code:
        allow-transfer { direct.slave.vps.ip; };

Don't forget to restart your named service on master and slave after making changes to the named.conf file.

Now all you need is the connection to Directslave from your DA server.
So use the Directslave binary in the /usr/local/directslave/bin directory to do this.
Use the "directslave --password" and "--delete" flags to add, delete and modify users.

You should have a passwd file in the /usr/local/directslave/etc directory with a username and password.

Now go into your DA server, use the multi-server setup on port 2222 and enter the username and password you created and check connection. Things should be good now.
I didn't manage to create SSL on the Directslave server, so in my case it's working via 2222.
I use a firewall on my VPS so the webpage of Directslave is only visible to me.

Of course... it's a multi-server setup and DS needs to know your stuff, so you should paste your DNS files:
echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue

Could take a minute or two. Check your DS logfiles for issues or errors.

Hope it will all work for you. It could be that some extra packages are needed.
I had issues getting DirectSlave to work with Debian/Ubuntu. Not sure about Alma 9. I used AlmaLinux 8 and there it works flawlessly.

Let me know if you find issues you can't solve. ;)
 
There was a Github (not maintained anymore)
Yes, I found that one too last year and saw some old stuff, and if I'm correct this was for Debian, right? So I decided that doing it manually was the way to go.

But there is room for improvement I see.. because now you have on both DS and the master server the allow-notify and allow-transfer, which isn't needed on both. :)

Also, the script might be foolproof, but the readme is not. :D
allow-notify { DirectSlave_IP_server_1, DirectSlave_IP_server_2; };
allow-transfer { DirectSlave_IP_server_1, DirectSlave_IP_server_2; };
If you give examples this way, they should at least be either fully correct, or totally incorrect. These are half correct.
After DirectSlave_IP_server_1 there is a comma in both cases, which should be a semicolon, the ; character. ;)

Also, in both cases it states:
listen-on-v6 port 53 { none; };
on both the DS and the slave server. However, why should you limit DNS queries to IPv4 if you're using IPv6 too?

I didn't look at all the script, but personally I don't like things like this:
Code:
echo "creating user "$1" and adding to wheel"
useradd -G wheel $1 > /root/install.log
echo $2 |passwd $1 --stdin  >> /root/install.log
echo "Disabling root access to ssh use "$1"."
so I don't like that somebody is added to any wheel group without my knowledge and I don't like that root login to SSH is disabled by this script too. Because if you make some mistake, you're out of your server. That makes it non-foolproof.
This should at least be mentioned in the readme!!

Also it makes use of firewalld. So nice for noobs.
Others might prefer CSF/LFD on this server too, but that is a choice.

Questions:
1.) wget -q https://directslave.com/download/directslave-3.2-login-XSS-HOTFIX.tar.gz
Is this still required? Isn't that template also fixed already in the directslave 3.4.3 release?

2.) Why both allow-notify and allow-transfer lines on both servers while only 1 line is required?

3.) cookie_auth_key Change_this_line_to_something_long_&_secure
I don't see this being created in the script, but I also don't see any information on this in the readme, so for sure this will generate errors.
And this one is very very important!

4.) touch /etc/namedb/named.conf
Why? This is a non-existing file and will never exist either.

5.) Is everything working in your case? Because I'm missing this one in the script.
yum install perl-Sys-Syslog
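As an added example (not DirectSlave's own code and not from the thread), a small POSIX shell lint for the configuration points raised in the setup post above and in this readme review: the cookie_auth_key length, the named_conf path, and the ';' separators inside allow-notify / allow-transfer. The file paths and the 192.0.2.x addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not DirectSlave's own code: lint a directslave.conf and a named.conf
# for the mistakes discussed in this thread. All sample files below are constructed.

# Print the value of key $2 from the whitespace-separated directslave.conf $1.
ds_conf_get() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# cookie_auth_key must be set, must not be the readme placeholder, and by the
# thread's rule of thumb must be at least 64 characters.
ds_check_cookie_key() {
  key=$(ds_conf_get "$1" cookie_auth_key)
  case "$key" in ''|Change_this_line*) return 1 ;; esac
  [ "${#key}" -ge 64 ]
}

# named_conf should point at the directslave.inc location the post settles on,
# not the /etc/namedb/... path from the readme.
ds_check_named_conf_path() {
  case "$(ds_conf_get "$1" named_conf)" in ''|/etc/namedb/*) return 1 ;; esac
}

# Inside allow-notify / allow-transfer { ... } every address must end with ';'.
# A ',' separator, as in the readme example, makes named reject the file.
named_check_acl_separators() {
  ! grep -Eq '^[[:space:]]*allow-(notify|transfer)[[:space:]]*[{][^}]*,' "$1"
}

# Constructed sample files (RFC 5737 documentation addresses).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'cookie_auth_key %s\nnamed_conf /etc/named/directslave.inc\n' \
  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef > "$tmp/good.conf"
printf 'cookie_auth_key Change_this_line_to_something_long_&_secure\nnamed_conf /etc/namedb/secondary/named.conf\n' > "$tmp/bad.conf"
printf '        allow-notify { 192.0.2.10; 192.0.2.11; };\n' > "$tmp/good_named.conf"
printf '        allow-notify { 192.0.2.10, 192.0.2.11; };\n' > "$tmp/bad_named.conf"

ds_check_cookie_key "$tmp/good.conf" && echo "good.conf: cookie_auth_key ok"
ds_check_cookie_key "$tmp/bad.conf" || echo "bad.conf: cookie_auth_key is the placeholder or shorter than 64"
ds_check_named_conf_path "$tmp/bad.conf" || echo "bad.conf: named_conf still points at /etc/namedb"
named_check_acl_separators "$tmp/good_named.conf" && echo "good_named.conf: ACL separators ok"
named_check_acl_separators "$tmp/bad_named.conf" || echo "bad_named.conf: ',' inside allow-notify, use ';'"
```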
 
@Richard G feel free to help the project on Github :-) I only forked it and made some small changes (to make it functional); this big stuff you mention I have to read into.
 
this big stuff you mention I have to read into.
I don't think I've got a personal github account, only alias which I don't want to use. I know you forked it and made small changes, just wanted to help improve.
But you can use my tips here also, and PM me if something is unclear; then we can speak in Dutch, which is easier too. :)
 
Hi,

I've done an installation of Directslave but when trying the connection on the multisite page it gives me this error:


I do have a firewall in front of both servers, but even when allowing everything it doesn't work.

How can I debug this?
 
Check your Directslave logs, and directadmin logs.
But I think the Directslave logs will give you the best insight.
 
Check your Directslave logs, and directadmin logs.
But I think the Directslave logs will give you the best insight.
The directslave logs were empty.

I am able to connect via internal ip address. Which is strange because I opened all the ports.
 
The directslave logs were empty.
In that case no connection is made.
Via internal IP? Hmmz.. are you also using both internal and external IPs on the server and/or VPS, with Transip or something?

Normally not all ports need to be opened, but on both servers the ports for DNS traffic (udp/tcp 53 and 953) and port 2222 tcp for the DA info.

So if you try via external ip is there anything to see in any of the directadmin logs?
If you indeed use Transip, try disabling the complete Transip firewall and see what happens.
 