[olug] setting up a mirror (slave?) DNS server?

Sean Kelly smkelly at zombie.org
Wed Sep 20 21:23:28 UTC 2006


On Wed, Sep 20, 2006 at 04:12:23PM -0500, Ryan Stille wrote:
> How many zones?  Probably around 150 right now.  Adding 1-2 a month.

Holy cow. What are you doing?

> Yes I would like to have it up and running all the time, ready to 
> resolve if asked to.  If the primary goes down the plan is to alias the 
> IP from that server onto the new one.
> 
> I don't want to have to setup each new zone on this server, I need it to 
> be transparent.  If I have to I will just ftp over named.conf and all 
> the related zone files.

Why bother copying over the zone files at all? Ship over named.conf every
15 minutes or so. If the named.conf shipped over differs from the one that
is already there, put the new one in place and have BIND reload. It will
then go out and ask for a zone transfer for all the zones it is supposed to
secondary for. Okay, you can't do a direct named.conf copy, but you can
make a little perl script to look for
     zone "xyzzy.com" {
lines and replace them with equivalent blocks for a secondary server.

This allows BIND to do incremental transfers and everything that it'd
normally do, since you won't be mashing over its zone files and journals.

> Not sure how well this will work, because I'm sure the new server will be
> running a more recent version of BIND.  A better way may be to have a perl
> script scan through the named.conf file on the primary and generate a proper
> named.conf file to FTP to the new server.

Right. And have that generated named.conf have proper zone {} blocks for a
secondary server. Then let BIND take care of the rest.

> Related question - in looking through the BIND packages available for 
> install, there's a regular bind one and then a bind-chroot one.  What's 
> the general consensus on running chrooted bind?  Always a good idea?  or 
> not really necessary?

Well... There is what you should do and there is what I do. If you can, I
would put it in a chroot. It looks like FreeBSD chroots it by default now
out of the box.

> Sean Kelly wrote:
> > BIND does per-zone configuration. There is no setting to have it secondary
> > all zones. There is no query in the DNS protocol that would allow the secondary
> > server to get a list of all domains hosted by the primary server. The best
> > it can do is request a full or incremental transfer of a specific zone.
> > This is why you must configure each zone manually.
> >
> > My question to you is whether you want this new nameserver to only run when
> > the other one is down or broken, or do you want it to run all the time? DNS
> > is designed to support multiple servers in case one is dead, so it would
> > make sense to me to set them up like this:
> >
> >  * Primary 
> >  * Secondary
> >  * New server you're setting up
> >
> > In such a configuration, really the only good way to set this up would be
> > to do the per-zone configuration you seem to already be familiar with. That
> > would allow you to reliably support incremental zone transfers and updates
> > across all your servers.
> >
> > How many zones are you working with here?
> >
> > On Wed, Sep 20, 2006 at 03:10:11PM -0500, Ryan Stille wrote:
> >   
> >> We currently have BIND running on one of our servers.  It's a primary 
> >> name server for us, and a secondary for a partner of ours (and they are 
> >> our secondary).
> >>
> >> I'd like to setup BIND on another server here that would basically be a 
> >> mirror of ours, ready to be used if ours fails.  What's the best way to 
> >> go about this?  I could FTP all the named files over once an hour or 
> >> whatever.  But I was thinking there should be a way to use the 
> >> master/slave functionality to have the new server just slurp all the 
> >> data from our master server automagically?  (if that's true why do I need 
> >> to always add my new zones to named.conf on our secondary server?)  Any 
> >> suggestions or URLs welcome.
> >>
> >> Thanks,
> >> -Ryan
> >>
> >> _______________________________________________
> >> OLUG mailing list
> >> OLUG at olug.org
> >> http://lists.olug.org/mailman/listinfo/olug

-- 
Sean Kelly          | PGP KeyID: D2E5E296
smkelly at smkelly.org | http://www.smkelly.org
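The conversion Sean sketches above (turn each `zone "xyzzy.com" {` master block in the primary's named.conf into the equivalent secondary block, and only reload when the generated file actually changed) as an added worked example. This is not code from the thread or from BIND; Sean suggested perl, and this is written in Python instead. Assumptions: the primary's address `192.0.2.1`, the secondary's zone-file directory `slaves`, and the sample named.conf are all made up for the example; zone blocks are parsed by brace matching and the text `zone "..." {` is assumed not to appear inside a comment. Zones the primary already slaves for the partner are passed through unchanged, so the new server fetches them from the partner's master too. Before this is useful the primary's `allow-transfer` (and the partner's) must list the new server's IP, otherwise the AXFR/IXFR requests will be refused.

```python
"""
Generate a secondary server's named.conf from a primary's named.conf.

Added example, not the mailing-list author's code. All addresses, paths and
the sample config below are constructed for illustration.
"""
import hashlib
import re

PRIMARY_IP = "192.0.2.1"   # assumed: address of the primary the new box slaves from
SLAVE_DIR = "slaves"       # assumed: zone-file directory on the secondary

# zone "name" [IN] {   -- the opening of a zone block (case-insensitive)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"(\s+IN)?\s*\{', re.IGNORECASE)
# 'type master;' / 'type slave;' / 'type hint;' inside a zone body
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;', re.IGNORECASE)
# the three comment styles named.conf accepts
COMMENT_RE = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/', re.DOTALL)


def strip_comments(text):
    return COMMENT_RE.sub("", text)


def iter_zone_blocks(conf):
    """Yield (start, end, name, body) for each zone block, matching braces so
    nested statements such as masters { ... }; do not end the block early."""
    pos = 0
    while True:
        m = ZONE_RE.search(conf, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
            i += 1
        end = i
        if conf[end:end + 1] == ";":      # swallow the terminating ';'
            end += 1
        yield m.start(), end, m.group(1), conf[m.end():i - 1]
        pos = end


def slave_block(name):
    """The secondary-side block for a zone the primary is master for.
    Master-only options (allow-update, also-notify, ...) are deliberately
    dropped rather than copied."""
    return ('zone "%s" {\n'
            '    type slave;\n'
            '    masters { %s; };\n'
            '    file "%s/%s";\n'
            '};' % (name, PRIMARY_IP, SLAVE_DIR, name))


def convert(conf):
    """Return conf with every 'type master' zone rewritten as a slave of
    PRIMARY_IP. Hint zones, options, and zones the primary itself slaves
    (the partner's) are copied through untouched."""
    out, last = [], 0
    for start, end, name, body in iter_zone_blocks(conf):
        out.append(conf[last:start])
        tm = TYPE_RE.search(strip_comments(body))
        ztype = tm.group(1).lower() if tm else ""
        out.append(slave_block(name) if ztype == "master" else conf[start:end])
        last = end
    out.append(conf[last:])
    return "".join(out)


def digest(conf):
    """Hash of the config with comments and whitespace runs removed, so the
    cron job only installs the file and reloads BIND on a real change."""
    norm = re.sub(r"\s+", " ", strip_comments(conf)).strip()
    return hashlib.sha256(norm.encode()).hexdigest()


# Constructed sample of a primary's named.conf (not from the thread).
SAMPLE_PRIMARY_CONF = '''\
options {
    directory "/var/named";
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};

zone "." { type hint; file "named.root"; };

// our own zones
zone "example.com" {
    type master;
    file "master/example.com";
    allow-update { none; };
};

zone "example.net" IN {
    type master;
    file "master/example.net";
    also-notify { 192.0.2.2; };
};

// partner's zone we already secondary for
zone "partner.example" {
    type slave;
    masters { 198.51.100.7; };
    file "slaves/partner.example";
};
'''

if __name__ == "__main__":
    print(convert(SAMPLE_PRIMARY_CONF))
```

Run on the primary (or on the secondary after fetching the file) and compare `digest()` of the generated text with the digest of the config already installed; only when they differ write the new file and `rndc reload`. BIND then requests transfers for the new zones itself and keeps its own journals, which is the point of Sean's suggestion. The secondary should still run with its own `options` (directory, `allow-transfer`, `recursion`) rather than inheriting the primary's, and if the primary uses TSIG keys for transfers those keys have to be shipped separately and kept out of any world-readable copy of the config.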