BIND9 dynamic configuration sharing from a master

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 28 21:09:06 UTC 2004


/dev/rob0 wrote:

>Is there any means within BIND itself to share configuration changes at
>a master nameserver among slaves? The site I set up last week wants to
>block a blacklist of domains in DNS. I've got that all rigged up on the
>master, using an $INCLUDE in named.conf:
>    $INCLUDE "/etc/named.blacklist";
>and a simple null zone file which sets SOA, NS and A records to the
>master, and then sets a similar "*" A record.
>
>I know I can rig this up manually quite easily, but I just wondered if
>there was a means to dynamically update a slave's configuration within
>BIND's own capabilities.
>
Nope. I've submitted an "autoslaving" patch, but it basically sank 
without a trace.

One alternative method is to have a special zone, slaved by the entire 
community of slaves, containing no leaf records except one TXT or PTR 
record (_nota_bene_, PTR records can benefit from label compression) 
naming each zone that should be slaved. Every time you add/delete a zone 
to/from the master, add/delete the corresponding record to/from that 
zone too. All of the slaves then have a cron job to check the "special" 
zone and if it has changed, add and/or delete zones from their configs. 
If one hosted the "special" zone on a separate nameserver instance, then 
one could theoretically even use "views" to give out different lists to 
different communities of slaves (one probably wouldn't want to do this 
on the main master instance, since then one would have to repeat all of 
those zone definitions in each view).

>#v+
>  # sh: record the feature on the wishlist if it is not already supported
>  if ! grep -q "$FEATURE" "$BIND_FEATURES" ; then
>    echo "$FEATURE" >> "$BIND_WISHLIST"
>  fi # to say it in sh ... :)
>#v-
>
>I think I *will* use named to signal the slave that an update is needed.
>I'll make a "dnsupdateconf" A record pointing to the master's IP, and
>set a TXT record with a timestamp of the last update. The TXT record
>will be cached on disk at the slave and compared against the output of
>"host -t TXT dnsupdateconf" in a cron job. If the TXT value changes, the
>slave retrieves /etc/named.blacklist from the master and "rndc reload".
>
>Has anyone else done something like this? Comments appreciated.
>
OK, that's kind of like the "special zone" method, except that you're 
grabbing a whole include-file from the master instead of configuring 
individual zones, and for change notification, you're periodically 
grabbing a single DNS record instead of slaving a whole "special" zone. 
One variation of the "special zone" method that comes closer to what you 
are doing is for the cron script to issue IXFRs (requires a 
suitably-modern version of "dig") instead of waiting for the zone 
transfers to occur "naturally". One of the beauties of the "special 
zone" method is that it doesn't require any non-DNS transfer mechanisms 
or the establishment of trust relationships for same. So it works well 
across trust boundaries (e.g. firewalls) and/or multiple levels of slaves.

                                 - Kevin
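The reconciliation step that both the "special zone" method and the cron-driven check above leave to the reader, as an added example that is not code from either poster: it takes the text of a transfer of the special zone (as `dig axfr` or `dig ixfr` prints it), treats each PTR target as a zone the slave must carry, compares that list with the zone stanzas in the slave's auto-generated include file, and renders the updated include file together with the added and removed sets so a cron job can decide whether `rndc reconfig` is needed. The SOA serial is cached between runs so an unchanged special zone costs nothing. The zone name `zonelist.example.net`, the addresses, the file layout and the sample records are constructed for the example. Because every PTR target ends up inside named.conf, the script only accepts hostname-style names; anything else is dropped, and the transfer of the special zone itself should be TSIG-signed on the slave side so that list cannot be tampered with in flight.

```python
"""Reconcile a slave's generated zone include file against the 'special zone'.

Added example, not from the bind-users thread. Assumes the special zone
publishes one PTR record per zone to be slaved and that the slave keeps its
auto-generated zone stanzas in a dedicated include file. All names,
addresses and records below are constructed.
"""
import re
from typing import Set, Tuple

# One PTR line as printed by 'dig axfr' / 'dig ixfr': <owner> <ttl> IN PTR <target>
_PTR_RE = re.compile(r"^\S+\s+\d+\s+IN\s+PTR\s+(\S+)\s*$", re.IGNORECASE)
# SOA line; group 1 is the serial, used to skip work when nothing changed
_SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\s", re.IGNORECASE)
# Zone stanzas in the slave's generated include file
_ZONE_STANZA_RE = re.compile(r'^zone\s+"([^"]+)"', re.MULTILINE)
# Only plain hostname-style labels may be written into named.conf; a target
# carrying quotes, semicolons or braces would break or alter the config.
_SAFE_ZONE_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

# Constructed transfer output of the special zone (one PTR per slaved zone).
AXFR_SAMPLE = """\
zonelist.example.net.     3600 IN SOA ns1.example.net. hostmaster.example.net. 2004012802 3600 900 604800 3600
zonelist.example.net.     3600 IN NS  ns1.example.net.
r1.zonelist.example.net.  3600 IN PTR example.com.
r2.zonelist.example.net.  3600 IN PTR blocked-ads.example.
r3.zonelist.example.net.  3600 IN PTR inject;.example.
zonelist.example.net.     3600 IN SOA ns1.example.net. hostmaster.example.net. 2004012802 3600 900 604800 3600
"""

# Constructed current include file on the slave.
CONF_SAMPLE = """\
// generated from the special zone; do not edit by hand
zone "example.com" { type slave; masters { 192.0.2.1; }; file "slave/example.com"; };
zone "old-customer.example" { type slave; masters { 192.0.2.1; }; file "slave/old-customer.example"; };
"""


def normalize(name: str) -> str:
    """Lower-case a domain name and drop the trailing dot."""
    return name.lower().rstrip(".")


def soa_serial(axfr_text: str) -> int:
    """Return the serial from the first SOA line of a transfer."""
    for line in axfr_text.splitlines():
        m = _SOA_RE.match(line)
        if m:
            return int(m.group(1))
    raise ValueError("no SOA in transfer output")


def zones_from_special_zone(axfr_text: str) -> Set[str]:
    """Collect PTR targets that are safe to write into named.conf."""
    wanted = set()
    for line in axfr_text.splitlines():
        m = _PTR_RE.match(line)
        if not m:
            continue
        zone = normalize(m.group(1))
        if _SAFE_ZONE_RE.match(zone):
            wanted.add(zone)
    return wanted


def zones_from_config(conf_text: str) -> Set[str]:
    """Zones currently declared in the generated include file."""
    return {normalize(z) for z in _ZONE_STANZA_RE.findall(conf_text)}


def render_config(zones: Set[str], master: str) -> str:
    """Emit one slave stanza per zone, sorted for stable diffs."""
    lines = ["// generated from the special zone; do not edit by hand"]
    for z in sorted(zones):
        lines.append(
            f'zone "{z}" {{ type slave; masters {{ {master}; }}; file "slave/{z}"; }};')
    return "\n".join(lines) + "\n"


def reconcile(axfr_text: str, conf_text: str, cached_serial: int,
              master: str) -> Tuple[int, Set[str], Set[str], str]:
    """Return (serial, added, removed, new_conf); unchanged serial means no work."""
    serial = soa_serial(axfr_text)
    if serial == cached_serial:
        return serial, set(), set(), conf_text
    wanted = zones_from_special_zone(axfr_text)
    current = zones_from_config(conf_text)
    return serial, wanted - current, current - wanted, render_config(wanted, master)


if __name__ == "__main__":
    # In a cron job the transfer text would come from 'dig @master axfr zonelist.example.net'
    # and the result would be written to the include file before 'rndc reconfig'.
    serial, added, removed, new_conf = reconcile(AXFR_SAMPLE, CONF_SAMPLE, 2004012801, "192.0.2.1")
    print(f"serial {serial}: add {sorted(added)}, remove {sorted(removed)}")
    print(new_conf)
```

Run against the constructed samples, the script adds `blocked-ads.example`, removes `old-customer.example`, rejects the `inject;.example.` target, and on a second run with the cached serial 2004012802 reports no change.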