New to BIND - Setting up slave server

michoski michoski at cisco.com
Mon May 7 20:56:59 UTC 2012


On 5/7/12 1:02 PM, "James Sheffer" <James at higherpowered.com> wrote:
> We have been running name servers using QDNS (Mac) for eons but now I want to
> change that.

welcome to bind.

> I still have "NS1" (Master) set up and running with QDNS.  It is also set to
> be the master for "NS2" so that shouldn't need changing (I hope, although NS1
> is running BIND 4.x and the new NS2 "Slave" will be running the latest build
> of BIND 9).

it has been many years since i touched 4.x...it should be fine with newer
bind versions as slaves, but you might end up needing some additional
tweaking to get it all working.

if possible i'd really suggest setting up an ip alias on your existing
master and running bind 9.x on that...then cut-over to the updated bind
infrastructure once you're confident it's working.  4.x is so ancient at
this point i hate to see it actively used!

> I've read up on almost everything I could find, gone through my BIND book (DNS
> & BIND) and have a pretty good understanding of the basic zone file setups.
> What I'm not sure about is setting up my named.conf file for the Slave.

i'm probably biased, but i think the example conf here may be useful:

http://www.cymru.com/Documents/secure-bind-template.html

> My first question is about my options.  For now, I want to "receive" transfers
> from my Master server.  I may want to disallow the NS2 from transferring
> requests for outside domains (It appears this is a good idea?) but for now
> (testing) I don't want to do that.  Does this look correct for a basic Slave
> server's options?:
> PS - I'm not sure on syntax - should the "allow-update" and "allow-transfer"
> statements be like they are with an extra ";" inside the curly brackets (It
> feels wrong but I keep seeing it )?

it's not that you have an extra semicolon inside the brackets but rather
each element is terminated with a semicolon...  this may help:

whatever-option {
    elementA;
    elementB;
    elementC;
};

> options {
> directory  "/var/named";
> allow-notify  {74.254.239.53 }; // Master IP Address
> // allow-transfer  {"none" ; };
> recursion yes;
> };
> 
> I have zones for the following:
> 
> Zone "." IN {
> type hint;
> file "named.ca";
> }
> Zone "localhost" IN {
> type master;
> file "localhost.zone";
> allow-update ( none;  };
> };
> zone "239.254.74.in-addr.arpa" IN {
> type slave;
> file "slaves/74.254.239.54.rev";      // Slave address
> masters {74.254.239.53};     // Master address
> };
> 
> Then I set up the zones for the websites (about 40):
> 
> zone "higherpowered.com" IN {
> type slave;
> file "slaves/higherpowered.com";
> masters {74.254.239.53"};
> };

you may need to clean some spacing...  and you likely don't need
allow-notify to the master, since that's where changes will occur (it'll
already know about new data, and notify your slaves).

recursion may be needed for your internal clients, but you generally want it
in a private view or controlled by an acl (see secure template).

> When setting up new slave zones, is there anything else I have to do other
> than adding their zone "records" here in the named.conf?  Do the actual "zone"
> information files get written into the "slaves" directory according to the
> name I call them here, or do I have to include a blank file already named for
> each?

when you add a new domain you'd add a master stanza on your primary server,
then add zone definitions in named.conf of type slave for the secondaries,
which will in turn zone-transfer the data files from the specified
master(s).  they will indeed get written to the directory/file name(s) you
specify with file.

once you have a configuration you think is mostly correct, i suggest running
named-checkconf against it for helpful pointers on things that might need
work...as well as named-checkzone on your zone files.

good luck!

-- 
Men use thought only to justify their wrong doings,
and speech only to conceal their thoughts.
        -- Voltaire
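
A cleaned-up version of the slave configuration discussed in this thread, as an added example that is not part of the original post or of the linked template: every list element and every statement ends with a semicolon, allow-notify is dropped, and recursion is limited by an ACL. The "trusted" ACL name and the 192.0.2.0/24 client range are assumptions; the addresses and file names are the ones quoted above.

```conf
// Assumption: "trusted" and 192.0.2.0/24 are placeholders for the
// internal clients that are allowed to use this server as a resolver.
acl "trusted" {
    localhost;
    192.0.2.0/24;
};

options {
    directory "/var/named";
    // No allow-notify needed: NOTIFY from the servers listed in a
    // zone's masters is accepted by default.
    allow-transfer { none; };       // this slave hands zones to nobody
    recursion yes;
    allow-recursion { trusted; };   // recursion only for the ACL above
};

zone "." IN {
    type hint;
    file "named.ca";
};                                  // statement terminator was missing

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };         // braces, not "( ... }"
};

zone "239.254.74.in-addr.arpa" IN {
    type slave;
    // Written by named after the first transfer; the slaves/ directory
    // must exist and be writable by the named user.
    file "slaves/74.254.239.54.rev";
    masters { 74.254.239.53; };     // element needs its own semicolon
};

zone "higherpowered.com" IN {
    type slave;
    file "slaves/higherpowered.com";
    masters { 74.254.239.53; };     // stray quote removed
};
```

Running named-checkconf against the file confirms the syntax before named is restarted.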





More information about the bind-users mailing list