BIND9 dynamic configuration sharing from a master
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jan 28 21:09:06 UTC 2004
/dev/rob0 wrote:
>Is there any means within BIND itself to share configuration changes at
>a master nameserver among slaves? The site I set up last week wants to
>block a blacklist of domains in DNS. I've got that all rigged up on the
>master, using an $INCLUDE in named.conf:
> $INCLUDE "/etc/named.blacklist";
>and a simple null zone file which sets SOA, NS and A records to the
>master, and then sets a similar "*" A record.
>
>I know I can rig this up manually quite easily, but I just wondered if
>there was a means to dynamically update a slave's configuration within
>BIND's own capabilities.
>
Nope. I've submitted an "autoslaving" patch, but it basically sank
without a trace.
One alternative method is to have a special zone, slaved by the entire
community of slaves, containing no leaf records except one TXT or PTR
record (_nota_bene_, PTR records can benefit from label compression)
naming each zone that should be slaved. Every time you add/delete a zone
to/from the master, add/delete the corresponding record to/from that
zone too. All of the slaves then have a cron job to check the "special"
zone and if it has changed, add and/or delete zones from their configs.
If one hosted the "special" zone on a separate nameserver instance, then
one could theoretically even use "views" to give out different lists to
different communities of slaves (one probably wouldn't want to do this
on the main master instance, since then one would have to repeat all of
those zone definitions in each view).
>#v+
> if \\! grep "$FEATURE" "$BIND_FEATURES" ; then
> echo "$FEATURE" >> "$BIND_WISHLIST"
> fi # to say it in sh ... :)
>#v-
>
>I think I *will* use named to signal the slave that an update is needed.
>I'll make a "dnsupdateconf" A record pointing to the master's IP, and
>set a TXT record with a timestamp of the last update. The TXT record
>will be cached on disk at the slave and compared against the output of
>"host -t TXT dnsupdateconf" in a cron job. If the TXT value changes, the
>slave retrieves /etc/named.blacklist from the master and "rndc reload".
>
>Has anyone else done something like this? Comments appreciated.
>
OK, that's kind of like the "special zone" method, except that you're
grabbing a whole include-file from the master instead of configuring
individual zones, and for change notification, you're periodically
grabbing a single DNS record instead of slaving a whole "special" zone.
One variation of the "special zone" method that comes closer to what you
are doing is for the cron script to issue IXFRs (requires a
suitably-modern version of "dig") instead of waiting for the zone
transfers to occur "naturally". One of the beauties of the "special
zone" method is that it doesn't require any non-DNS transfer mechanisms
or the establishment of trust relationships for same. So it works well
across trust boundaries (e.g. firewalls) and/or multiple levels of slaves.
- Kevin
More information about the bind-users
mailing list