djbdns and updating slave name servers

One feature of BIND (and most DNS servers on the Internet) is the concept of “zone transfers.” Records are only updated on the primary server, and they propagate down to the slaves.

I’m not going to go into the details, but the way zone transfers work isn’t very good.

The DNS software suite I use on my servers, djbdns, does not support sending zone transfers (at least not without installing another piece of djb software, which I’d like to avoid).

So, how do I update my slave nameservers? djb recommends using something like SSH or rsync—but these tend to be cumbersome to use. I thought up a fairly easy (and secure) way to perform the same function as zone transfers.

My primary nameserver is also a web server. Simply publish the djbdns tinydns data file to a password-protected directory (I have mine on an SSL site) whenever records are updated. For example, in tinydns’s Makefile in its root directory:

data.cdb: data
    cp data /some/directory/that/is/web/accessible/and/protected/data
    /usr/local/bin/tinydns-data

Then, on each slave nameserver, edit its Makefile to download this file, like so:

master-zones:
    wget --http-user=someuser --http-passwd=somepasswd https://example.com/somewhere/data -O master-zones

data.cdb: master-zones
    cat local-dns-data master-zones > data
    /usr/local/bin/tinydns-data

It’s easy. And it works. It’s trivial to make up a cron job on the slave servers to run the make file and re-download zones nightly.
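As an added example (not from the original post), here is a safer stand-in for the slave-side master-zones target: the download goes to a temp file and is only installed, by atomic rename, if it is non-empty and every line looks like a tinydns record, so a failed or truncated fetch never replaces a good copy. The URL and paths are placeholders, and HTTP credentials are assumed to live in ~/.netrc (which wget reads) rather than on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: safer replacement for the
# slave's "master-zones" make target. Placeholder URL/paths; credentials
# are assumed to be in ~/.netrc so they do not show up in ps or cron mail.

MASTER_URL="${MASTER_URL:-https://example.com/somewhere/data}"
DEST="${DEST:-master-zones}"

# Return 0 when $1 is a plausible tinydns data file: non-empty, and every
# line is empty, a '#' comment, or begins with a tinydns-data record type
# character (. & = + @ ' ^ C Z % : and '-' for a disabled line).
validate_tinydns_data() {
    [ -s "$1" ] || return 1
    ! grep -q -v -E "^([.&=+@'^CZ%:-]|#|\$)" "$1"
}

# Move validated file $1 over $2 atomically; on a bad file, delete it and
# leave $2 untouched so the previously fetched zone set keeps being served.
install_master_zones() {
    if validate_tinydns_data "$1"; then
        mv -f "$1" "$2"
    else
        rm -f "$1"
        return 1
    fi
}

# Download and install; a non-zero exit makes "make" stop before
# tinydns-data rebuilds data.cdb from a bad or missing file.
fetch_master_zones() {
    tmp=$(mktemp "$DEST.XXXXXX") || return 1
    if ! wget -q -O "$tmp" "$MASTER_URL"; then
        rm -f "$tmp"
        return 1
    fi
    install_master_zones "$tmp" "$DEST"
}

# Only contact the master when invoked as "sh fetch-zones.sh fetch", so the
# functions can also be sourced and reused elsewhere.
if [ "${1:-}" = fetch ]; then
    fetch_master_zones
fi
```

In the Makefile, replace the wget line with `sh fetch-zones.sh fetch` so the data.cdb rule only runs after a validated download.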


djb and slave updates

You are pretty high in google’s rankings for “tinydns uml rootfs”, which is how I found this post…

If you’re running ssh on the master (which I assume you are, if it’s a publicly accessible machine of some sort), then using ssh-keys and scp is a snap, and far less cumbersome (I guess IMO, but it’s definitely less to depend on than an https server w/ http auth on top). Wow, awful sentence, sorry I’m tired. :)

Generate a dedicated ssh key (passwordless) on the slave, put the public key on the master, and you could even go so far as to prepend the key on the master with the command you want run…

command="cat /etc/tinydns/root/data" ssh-rsa PUBKEYGIBBERISH…

Then, on the slave, ssh master > masterzones will get all the updates you want.

You’re no longer tied to running a webserver on your dns machine, and you have the same security benefits of a readonly interface.


Wanted to avoid creating system accounts

I particularly wanted to avoid having to create system accounts for this kind of thing—just my personal preference.

