DirectSlave - solution to add and remove zones on slave without DirectAdmin

Thanks, Andrea. I'm sorry it took so long for me to reply; I've been very busy lately. I'm trying to fit in building a new slave DNS server this week. Thursday is a holiday in the U.S. and I'll be away all day, but Friday should be a slow business day for me and I've got a server ready to test it on, so we'll see :).

Jeff
 
I have directslave perfectly working acting as two slave servers.

I only have a problem with DNSSEC. It does not get updated. The zones need to be updated every month with a newly signed zone, but they don't transfer. Only if I create or delete an A record does the zone get updated.

Is this a problem with DA or with DS?
 
I have directslave working well as a secondary ns. It would be great if it were able to be used as a master as well and support multiple servers.
 
What do you mean by master? And what about multiple servers?

I do use DS as master servers, and more than one server is synced with them.

Regards
 
What do you mean by master? And what about multiple servers?

I do use DS as master servers, and more than one server is synced with them.
Andrea, when I first saw in my email that the question had been posted I immediately thought that you'd have an answer for it. I'm glad to see I was right.

What I'm looking for is the ability to set up DirectSlave so it'll only accept masters in a list. I don't know yet if there's a way to block access, so for example, if I have three machines using it, and one of the machines I don't want to use it anymore, I don't want to need to change passwords; only remove the IP# of the machine I don't want using it from a control list.

I had expected to have time to look into this today but I haven't yet. Maybe tonight; it's 16:20 here now :).

Jeff
 
it would be great if it was able to be used as a master as well
To BIND, master and slave simply designate where the nameserver gets its data. Working as a master server, that means the zone files must either be created on the local server or have been moved there by some other method than that included in BIND. When working as a slave, BIND will query the master with an AXFR command and get the entire zone from the server named as the master.

The same server itself acts as both a master and a slave, depending on the configured zone lines in the named.conf file.

Andrea and I (and lots of other folk as well) use our DirectAdmin servers as hidden masters; that means we don't advertise DNS pointing to them at all, but only to our slave servers, which is all we advertise. So from that point of view, what you might call our slave servers serve the same function as a master in responding to any query.

In fact, ISC, the developers of BIND, request that we don't even use the terms master nameserver and slave nameserver, but rather master records and slave records in our nameservers, since they can have both.

Jeff
 
Jeff,

To reply to your question about allowing just some hosts and easily removing them, I would suggest you do that at the firewall level: whitelist the DA servers' IPs (or allow them incoming connections on port 2222, or whatever DS port you use).

In this way, you can create a single user/pass combination at DS level, set all DA servers with those data, and allow incoming connections from the firewall.

Also, there is a line in the directslave conf file which is:

allow 0.0.0.0/0

I don't know if it is allowed to use multiple "allow" lines to specify each allowed server on a different line; only Roman may reply with the explanation, but the firewall way should be more than enough (I do use it to block the DS port and just whitelist "known and allowed" servers).

Regards
 
Just an update, the allow command works this way (source: README file):

allow 0.0.0.0/0 - list of allowed hosts in cidr format, must be
specified as ip/mask. 0.0.0.0/0 - allow all, or
list of values (212.109.44.44/32, 217.20.163.14/32)


Regards
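As an added example (not code from the thread, the README, or DirectSlave itself), the snippet below shows what the `allow` line in the README excerpt means in practice: it parses the `allow` entries out of a directslave conf, tests whether a given DA server address falls inside one of the listed CIDR ranges, and flags a conf that still carries the catch-all `0.0.0.0/0`. It assumes the values are comma-separated on one `allow` line, as in the README excerpt, and handles IPv4 only; the conf files it writes are constructed fixtures, and 203.0.113.5 and 10.0.0.1 are constructed addresses.

```shell
#!/bin/sh
# Added example, not DirectSlave's own code: evaluate the "allow" list of a
# directslave conf the way the README describes it (CIDR entries, 0.0.0.0/0
# meaning everyone). IPv4 only; comma-separated values assumed.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains CIDR IP -> exit 0 when IP lies inside CIDR (a bare address is /32)
cidr_contains() {
    net="${1%/*}"; bits="${1#*/}"
    [ "$bits" = "$1" ] && bits=32
    if [ "$bits" -eq 0 ]; then
        mask=0                                   # /0: every address matches
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# allowed_by_conf CONF IP -> exit 0 when some "allow" entry in CONF covers IP
allowed_by_conf() {
    conf="$1"; ip="$2"
    # take every value after the "allow" keyword; entries may be comma separated
    for entry in $(awk '$1 == "allow" { $1 = ""; print }' "$conf" | tr ',' ' '); do
        if cidr_contains "$entry" "$ip"; then return 0; fi
    done
    return 1
}

# conf_allows_world CONF -> exit 0 if the conf still has the catch-all allow,
# i.e. any DirectAdmin server that knows the auth line can push zones
conf_allows_world() {
    awk '$1 == "allow" && $2 ~ /^0\.0\.0\.0\/0/ { found = 1 } END { exit !found }' "$1"
}

# Demo on constructed conf files (the auth line is the placeholder from the thread)
demo_dir=$(mktemp -d)
printf 'allow 212.109.44.44/32, 217.20.163.14/32\nauth admin:PASS\n' > "$demo_dir/restricted.conf"
printf 'allow 0.0.0.0/0\nauth admin:PASS\n' > "$demo_dir/open.conf"
for c in restricted open; do
    if conf_allows_world "$demo_dir/$c.conf"; then echo "$c.conf: allows every master"; fi
    if allowed_by_conf "$demo_dir/$c.conf" 203.0.113.5; then
        echo "$c.conf: 203.0.113.5 may push zones"
    else
        echo "$c.conf: 203.0.113.5 is refused"
    fi
done
rm -rf "$demo_dir"
```

Whether a single restrictive `allow` line or a firewall rule is used, the check worth keeping is `conf_allows_world`: a DS instance that answers to `0.0.0.0/0` accepts zone pushes from any host holding the shared `auth` credentials.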
 
Thanks for your reply, and your follow-up, Andrea. It clarifies that I can do it with the built-in function.

I've been very busy so far this weekend and will be busy a bit longer (the winter holiday season has started here with Thursday's Thanksgiving holiday).

There may still be a problem, though I won't know until I've had time to test and look at the code and README:

When we remove an IP from the Allow list, won't BIND still be authoritative for the domains already configured? I'm betting it will. And if I don't want this, will I be able to identify which domains originally came from which IP#, so I can delete them?

I had that functionality built into Master2Slave DNS Replicator because I originally had it written to work in a commercial environment, offering paid slave services. I'll need the same functionality in DirectSlave.

No need to check if you don't know, but if you do, then please feel free to reply. Otherwise I'll figure it out soon enough though I won't have time to study this until some time next week.

Jeff
 
Well,

For sure it will not remove the already present DNS, and yes, the DNS will still reply for the present DNS.

You may identify them in the slaves.conf file by checking the "master" relative to the domain,

e.g.: zone "crazynetwork.it" { type slave; file "/var/named/slaves/crazynetwork.it.db"; masters { 93.63.162.60; }; max-retry-time 1200; min-retry-time 1200; };

For the domain crazynetwork.it the master server (which sent this domain info) is 93.63.162.60, so if you know you want to remove a server you may use something like

grep "IP" /var/named/slaves.conf

to identify the present DNS, and

sed -i '/IP/d' /var/named/slaves.conf

to remove all domains relative to that IP (of course a named restart would be needed).

I think a script can be done for this (it should not be that hard) so you can remove the domains linked to an IP from slaves.conf and the relative domain.tld.db files.

Hope this may help; if you need it, I can do that script, it should be pretty easy.

Regards
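The grep/sed approach above works, but a substring match on the IP also hits lines where the address appears as part of a longer one (93.63.162.6 inside 93.63.162.60) or inside a file path, and it leaves the zone files behind. The script below is an added example, not the thread's or DirectSlave's own code: it parses the `masters { ... }` list of each zone line, matches the address as a whole token, removes the zone files named in the matching lines and then drops those lines, with a dry-run mode so the result can be reviewed first. It assumes the one-line-per-zone format of the slaves.conf line quoted above; the fixture it builds under a temp directory is constructed, and 192.0.2.10 is a constructed master address.

```shell
#!/bin/sh
# Added example, not DirectSlave's own code: remove every slave zone that was
# pushed by a given master IP, zone files included. Assumes one zone per line
# in slaves.conf, as in the line quoted in the thread.

# zones_for_master IP CONF -> prints the zone names whose masters { } list
# contains IP as a whole token (93.63.162.6 does not match 93.63.162.60)
zones_for_master() {
    awk -v ip="$1" '
        $1 == "zone" && /masters[ \t]*[{]/ {
            m = $0
            sub(/.*masters[ \t]*[{]/, "", m); sub(/[}].*/, "", m)
            n = split(m, hosts, /[ \t;]+/)
            for (i = 1; i <= n; i++)
                if (hosts[i] == ip) { z = $2; gsub(/"/, "", z); print z; break }
        }' "$2"
}

# zone_file_for ZONE CONF -> prints the file "..." path of that zone line
zone_file_for() {
    awk -v z="\"$1\"" '
        $1 == "zone" && $2 == z {
            f = $0; sub(/.*file[ \t]*"/, "", f); sub(/".*/, "", f); print f
        }' "$2"
}

# remove_master_zones IP CONF [dry-run]: with a third argument only report
remove_master_zones() {
    ip="$1"; conf="$2"; dry="${3:-}"
    zones=$(zones_for_master "$ip" "$conf")      # collect first, then edit
    for zone in $zones; do
        f=$(zone_file_for "$zone" "$conf")
        if [ -n "$dry" ]; then
            echo "would remove zone $zone (file $f)"
            continue
        fi
        [ -n "$f" ] && rm -f -- "$f"
        # drop only the line declaring exactly this zone, then swap the file in
        awk -v z="\"$zone\"" '!($1 == "zone" && $2 == z)' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
        echo "removed zone $zone"
    done
    # make BIND forget the zones; skipped where rndc is not installed
    if [ -z "$dry" ] && command -v rndc >/dev/null 2>&1; then
        rndc reconfig || echo "rndc reconfig failed; reload named by hand" >&2
    fi
}

# make_fixture DIR: constructed slaves.conf plus dummy zone files, so the
# functions can be tried without touching /var/named
make_fixture() {
    mkdir -p "$1"
    : > "$1/slaves.conf"
    for z in crazynetwork.it:93.63.162.60 example.net:192.0.2.10 example.org:93.63.162.60; do
        name=${z%%:*}; master=${z#*:}
        printf 'zone "%s" { type slave; file "%s/%s.db"; masters { %s; }; max-retry-time 1200; min-retry-time 1200; };\n' \
            "$name" "$1" "$name" "$master" >> "$1/slaves.conf"
        printf '; constructed placeholder zone file for %s\n' "$name" > "$1/$name.db"
    done
}

# Demo on the constructed fixture only
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
remove_master_zones 93.63.162.60 "$demo_dir/slaves.conf" dry-run
rm -rf "$demo_dir"
```

Run it first with the `dry-run` argument against a copy of the real slaves.conf and compare the listed zones with what the DA server in question actually hosts; only then run it for real, since a zone removed here stops being answered as soon as named is reloaded.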
 
Great idea, Andrea!

When I'm ready to move forward (hopefully no more than a week or two) I may want to hire you to write the script to remove lines from slaves.conf, to delete the zone files. (I know it's not necessary to remove the zone files, but it keeps a system much cleaner over time), and to reload or restart DNS.

Jeff
 
To BIND, master and slave simply designate where the nameserver gets its data. Working as a master server, that means the zone files must either be created on the local server or have been moved there by some other method than that included in BIND. When working as a slave, BIND will query the master with an AXFR command and get the entire zone from the server named as the master.

The same server itself acts as both a master and a slave, depending on the configured zone lines in the named.conf file.

Andrea and I (and lots of other folk as well) use our DirectAdmin servers as hidden masters; that means we don't advertise DNS pointing to them at all, but only to our slave servers, which is all we advertise. So from that point of view, what you might call our slave servers serve the same function as a master in responding to any query.

In fact, ISC, the developers of BIND, request that we don't even use the terms master nameserver and slave nameserver, but rather master records and slave records in our nameservers, since they can have both.

Jeff

So the setup I'd like is: server A is DA hosting sites; server B (ns1) and server C (ns2) run directslave; when accounts are added to A, the zones are transferred to B & C. Also, when I add another DA server, i.e. D, that also sends zones to B & C. But I believe directslave only supports transfers from 1 DA server, as the config file only seems to allow one entry?

allow IP/32

auth admin:PASS
 
Ahh, didn't realise that, so my above scenario should work? What is the config for defining multiple IPs/logins?
 
Hello

I've found an issue with DKIM records. DirectAdmin produces

x._domainkey 600 IN TXT ( "v=DKIM1; k=rsa; p= ...

but directslave creates the zone like:

x._domainkey 600 IN TXT ( "v=DKIM1 k=rsa p= ...

With the semicolons missing, this breaks DKIM validation. How to fix this?
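The missing `;` matters because DKIM tag lists are separated by semicolons; without them `v=DKIM1 k=rsa p=...` is a single unparseable tag, so verifiers cannot find the key. The following is an added example, not code from the thread or from DirectSlave, that checks a TXT record line in the form quoted above: it joins the quoted strings of the record (long keys are split across several), verifies the first tag is exactly `v=DKIM1` and that each further tag is a `name=value` pair, and scans a zone file for `_domainkey` records that fail. The check is stricter than RFC 6376 allows (no whitespace around `=`), which suits records a control panel emits; the zone excerpt and the truncated key material are constructed.

```shell
#!/bin/sh
# Added example, not DirectSlave's own code: detect DKIM TXT records that lost
# their ";" tag separators, using one record per line as the slave zone shows.

# dkim_txt_value RECORD -> prints the concatenation of every "..." string
dkim_txt_value() {
    printf '%s\n' "$1" | awk '{
        out = ""
        while (match($0, /"[^"]*"/)) {
            out = out substr($0, RSTART + 1, RLENGTH - 2)
            $0 = substr($0, RSTART + RLENGTH)
        }
        print out
    }'
}

# dkim_txt_ok RECORD -> exit 0 when the value starts with v=DKIM1 and every
# further tag is a name=value pair separated by ";" (stricter than RFC 6376)
dkim_txt_ok() {
    dkim_txt_value "$1" | awk -F';' '
        $1 !~ /^[ \t]*v=DKIM1[ \t]*$/ { exit 1 }   # first tag must be v=DKIM1 alone
        {
            for (i = 2; i <= NF; i++) {
                t = $i
                gsub(/^[ \t]+|[ \t]+$/, "", t)
                if (t == "") continue               # trailing ";" is allowed
                if (t !~ /^[A-Za-z0-9_]+=[^ \t]+$/) exit 1
            }
            exit 0
        }'
}

# broken_dkim_records FILE -> prints the owner name of each _domainkey TXT
# record in FILE that fails dkim_txt_ok
broken_dkim_records() {
    grep '_domainkey[[:space:]].*[[:space:]]TXT[[:space:]]' "$1" | while read -r line; do
        if ! dkim_txt_ok "$line"; then set -- $line; echo "$1"; fi
    done
}

# write_dkim_fixture FILE: constructed zone excerpt, one record as DirectAdmin
# writes it and one as the broken slave output quoted in the post
write_dkim_fixture() {
    cat > "$1" <<'EOF'
; constructed zone excerpt (key material truncated)
good._domainkey 600 IN TXT ( "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" )
bad._domainkey 600 IN TXT ( "v=DKIM1 k=rsa p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" )
EOF
}

# Demo on the constructed fixture
demo_zone=$(mktemp)
write_dkim_fixture "$demo_zone"
broken_dkim_records "$demo_zone"      # prints: bad._domainkey
rm -f "$demo_zone"
```

Running `broken_dkim_records` over the slave's zone files after a transfer is a quick way to confirm whether an upgrade (Andrea reports no trouble with 2.2-beta below) actually fixed the rewriting.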
 
I do use: DirectSlave Version: 2.2-beta (c) Roman Mazur 2012-2013


Maybe there is a bug in 1.3; maybe Roman will reply, but if you are interested, I'm not having any trouble with 2.2-beta.

Regards
 