17.2 Configuring Additional Backup Slave and Caching-Only Name Servers

Having a single name server on a network is never a good idea because you immediately have a Single Point Of Failure (SPOF). In fact, when setting up a registered domain, if you are specifying your own name servers, you need to supply at least two name servers, at least one of which will probably be a backup or slave server. A slave server holds the zone's resource records, which it initially receives from the master server by zone transfer. There is an option for a slave server to keep those resource records in local files. This speeds up the time it takes the slave to get up and running, because it does not have to perform a full zone transfer from the master every time it starts up. This is my preferred option, because it doesn't take much to promote a slave server to a master server if you already have the database files located on the slave. The configuration files we need for the slave servers are already located on the master. We created them with the -z and -Z options in the master's parameter file. The files I am interested in are the conf* files:

    root@hpeos004[dns] ll
    total 56
    -rw-------   1 root       sys        111 Oct 21 15:26 Krndc.+157+65409.key
    -rw-------   1 root       sys        145 Oct 21 15:26 Krndc.+157+65409.private
    -rw-rw-r--   1 root       sys        146 Oct 20 15:54 boot.cacheonly
    -rw-rw-r--   1 root       sys        296 Oct 20 17:49 boot.sec
    -rw-rw-r--   1 root       sys        328 Oct 20 17:49 boot.sec.save
    -rw-rw-r--   1 root       sys        180 Oct 20 17:49 conf.cacheonly
    -rw-rw-r--   1 root       sys        457 Oct 20 17:49 conf.sec
    -rw-rw-r--   1 root       sys        498 Oct 20 17:49 conf.sec.save
    -rw-rw-r--   1 root       sys        277 Oct 20 15:54 db.127.0.0
    -rw-rw-r--   1 root       sys       2138 Oct 20 17:49 db.192.168
    -rw-rw-r--   1 root       sys       1361 Oct 20 17:49 db.IP6.INT
    -rw-rw-r--   1 root       sys       2499 Oct 20 15:54 db.cache
    -rw-rw-r--   1 root       sys       6884 Oct 20 17:49 db.maabof
    -rw-rw-r--   1 root       sys        247 Oct 20 15:54 named.boot
    -rw-r--r--   1 root       root       140 Oct 21 08:55 named.stats
    -rw-rw-r--   1 root       sys        108 Oct 20 15:46 param.conf
    root@hpeos004[dns]

17.2.1 Setting up a slave server

The conf.sec and conf.sec.save files should be the same, except that the conf.sec.save file specifies a filename in each slave zone definition, allowing the slave to store the resource records in a disk file:

    root@hpeos004[dns] cat conf.sec.save
    #
    # type domain source file
    #
    options {
            directory "/etc/dns";
    };
    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "db.127.0.0";
    };
    zone "IP6.INT" {
            type slave;
            file "db.IP6.INT";
            masters {
                    192.168.0.35;
                    192.168.0.66;
            };
    };
    zone "maabof.com" {
            type slave;
            file "db.maabof";
            masters {
                    192.168.0.35;
                    192.168.0.66;
            };
    };
    zone "168.192.IN-ADDR.ARPA" {
            type slave;
            file "db.192.168";
            masters {
                    192.168.0.35;
                    192.168.0.66;
            };
    };
    zone "." {
            type hint;
            file "db.cache";
    };
    root@hpeos004[dns]

I need to copy this file onto my slave server along with the files db.127.0.0 and db.cache. It makes sense to use the same running directory, /etc/dns:

    root@hpeos002[dns] # ll
    total 4
    -rw-rw-r--   1 root       sys            498 Oct 22 02:16 conf.sec.save
    -rw-rw-r--   1 root       sys            277 Oct 22 02:16 db.127.0.0
    -rw-rw-r--   1 root       sys            134 Oct 22 02:16 db.cache
    root@hpeos002[dns] #

I am going to set up TSIG keys as we did on the master:

    root@hpeos002[dns] # dnssec-keygen -a hmac-md5 -b 512 -n user -r /dev/random rndc
    Krndc.+157+23025
    root@hpeos002[dns] # ll K*
    -rw-------   1 root       sys       111 Oct 22 02:18 Krndc.+157+23025.key
    -rw-------   1 root       sys       145 Oct 22 02:18 Krndc.+157+23025.private
    root@hpeos002[dns] #

I will update the conf.sec.save file with the key and controls directives as I did on the master. Once it's complete, I will rename this file /etc/named.conf. I need to remember to set up the /etc/rndc.conf file as well:

    root@hpeos002[dns] # cat /etc/named.conf
    #
    # type domain source file
    #
    options {
            directory "/etc/dns";
            listen-on { any; };
            listen-on-v6 { any; };
            random-device "/dev/random";
    };
    key TSIGkey {
            algorithm "hmac-md5";
            secret "GqiPdwKUww6VdZoJFmYSR8bFlQEuwtZL5PQ6UwCs39n/maNFpBCZPu8QJmL8Ncpad5g4HlSCHNh4QYNDISs0zg==";
    };
    controls {
            inet 127.0.0.1 allow { 127.0.0.1; } keys { TSIGkey; };
    };
    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "db.127.0.0";
    };
    zone "IP6.INT" {
            type slave;
            file "db.IP6.INT";
            masters {
                    192.168.0.35;
                    192.168.0.66;
            };
    };
    zone "maabof.com" {
            type slave;
            file "db.maabof";
            masters {
                    192.168.0.35;
                    192.168.0.66;
            };
    };
    zone "168.192.IN-ADDR.ARPA" {
            type slave;
            file "db.192.168";
            masters {
                    192.168.0.35;
                    192.168.0.66;
            };
    };
    zone "." {
            type hint;
            file "db.cache";
    };
    root@hpeos002[dns] #
    root@hpeos002[dns] # named-checkconf
    root@hpeos002[dns] #
    root@hpeos002[dns] # cat /etc/rndc.conf
    options {
            default-server  localhost;
            default-key     TSIGkey;
    };
    server localhost {
            key TSIGkey;
    };
    key TSIGkey {
            algorithm "hmac-md5";
            secret "GqiPdwKUww6VdZoJFmYSR8bFlQEuwtZL5PQ6UwCs39n/maNFpBCZPu8QJmL8Ncpad5g4HlSCHNh4QYNDISs0zg==";
    };
    root@hpeos002[dns] #

I will check for the existence of the /dev/ip6 device that plagued my efforts to start up the named daemon on my master server.

    root@hpeos002[dns] # ll /dev/ip6
    crw-rw-rw-   1 root       root        72 0x00003a Oct 21 18:58 /dev/ip6
    root@hpeos002[dns] # mv /dev/ip6 /dev/ip6.old
    root@hpeos002[dns] #

This should have sorted out that problem. When I start up the named daemon, a zone transfer should start whereby the slave will receive all the resource records and store them in local files. This may take a few minutes to complete, depending on the speed of the network, the speed of the machines, and the number of queries currently being sent to the master.

    root@hpeos002[dns] # vi /etc/rc.config.d/namesvrs
    unset UNIX95
    PRE_U95=true;export PRE_U95;
    ##############################################
    # named (BIND) configuration. See named(1m). #
    ##############################################
    #
    #  Name server using the Domain Name System (DNS) protocol (RFC 1034/1035)
    #
    # @(#)B.11.11_LR
    #
    # NAMED:      Set to 1 to start nameserver daemon.
    # NAMED_ARGS: Arguments to the nameserver daemon
    #
    #  Configuration of a named boot file (e.g., /etc/named.boot) is needed
    #  for successful operation of the name server.
    #
    NAMED=1
    NAMED_ARGS=""
    ...
    root@hpeos002[dns] # /sbin/init.d/named start
    named
    root@hpeos002[dns] #

I will check that named started up okay, ensuring that it is listening on all the appropriate interfaces:

    root@hpeos002[dns] # more /var/adm/syslog/netdaemon.log
    ...
    Oct 22 02:11:50 hpeos002 named[4287]: starting BIND 9.2.0
    Oct 22 02:11:50 hpeos002 named[4287]: using 1 CPU
    Oct 22 02:11:50 hpeos002 named[4287]: loading configuration from '/etc/named.conf'
    Oct 22 02:11:50 hpeos002 named[4287]: no IPv6 interfaces found
    Oct 22 02:11:50 hpeos002 named[4287]: listening on IPv4 interface lan0, 192.168.0.34#53
    Oct 22 02:11:50 hpeos002 named[4287]: listening on IPv4 interface lo0, 127.0.0.1#53
    Oct 22 02:11:51 hpeos002 named[4287]: command channel listening on 127.0.0.1#953
    Oct 22 02:11:51 hpeos002 named[4287]: zone 0.0.127.IN-ADDR.ARPA/IN: loaded serial 1
    Oct 22 02:11:51 hpeos002 named[4287]: zone 168.192.IN-ADDR.ARPA/IN: loaded serial 1
    Oct 22 02:11:51 hpeos002 named[4287]: zone maabof.com/IN: loaded serial 1
    Oct 22 02:11:51 hpeos002 named[4287]: zone IP6.INT/IN: loaded serial 1
    Oct 22 02:11:51 hpeos002 named[4287]: running
    Oct 22 02:11:51 hpeos002 named[4287]: zone 168.192.IN-ADDR.ARPA/IN: sending notifies (serial 1)
    Oct 22 02:11:51 hpeos002 named[4287]: zone maabof.com/IN: sending notifies (serial 1)
    Oct 22 02:11:51 hpeos002 named[4287]: zone IP6.INT/IN: sending notifies (serial 1)
    Oct 22 02:11:51 hpeos002 named[4287]: zone 168.192.IN-ADDR.ARPA/IN: transfered serial 2
    Oct 22 02:11:51 hpeos002 named[4287]: transfer of '168.192.IN-ADDR.ARPA/IN' from 192.168.0.35#53: end of transfer
    Oct 22 02:11:51 hpeos002 named[4287]: zone 168.192.IN-ADDR.ARPA/IN: sending notifies (serial 2)
    Oct 22 02:11:52 hpeos002 named[4287]: zone maabof.com/IN: transfered serial 2
    Oct 22 02:11:52 hpeos002 named[4287]: transfer of 'maabof.com/IN' from 192.168.0.35#53: end of transfer
    Oct 22 02:11:52 hpeos002 named[4287]: zone maabof.com/IN: sending notifies (serial 2)
    Oct 22 02:11:52 hpeos002 named[4287]: zone IP6.INT/IN: transfered serial 2
    Oct 22 02:11:52 hpeos002 named[4287]: transfer of 'IP6.INT/IN' from 192.168.0.35#53: end of transfer
    Oct 22 02:11:52 hpeos002 named[4287]: zone IP6.INT/IN: sending notifies (serial 2)
    root@hpeos002[dns] #

The zone transfer should have taken place:

    root@hpeos002[dns] #
    root@hpeos002[dns] # ll
    total 34
    -rw-------   1 root       sys   111 Oct 22 02:18 Krndc.+157+23025.key
    -rw-------   1 root       sys   145 Oct 22 02:18 Krndc.+157+23025.private
    -rw-rw-r--   1 root       sys   277 Oct 22 02:16 db.127.0.0
    -rw-------   1 root       sys  2138 Oct 22 02:30 db.192.168
    -rw-------   1 root       sys  1361 Oct 22 02:30 db.IP6.INT
    -rw-rw-r--   1 root       sys  2499 Oct 22 02:16 db.cache
    -rw-------   1 root       sys  6884 Oct 22 02:30 db.maabof
    root@hpeos002[dns] #
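Rather than eyeballing the log and the directory listing, the outcome of each transfer can be checked per zone. The script below is an added example and not part of the book's procedure; it assumes the BIND 9 log wording shown in the netdaemon.log excerpt above (a "transfered serial N" line followed by an "end of transfer" line for each zone) and runs over a constructed sample of such lines, including one invented failed transfer, in place of /var/adm/syslog/netdaemon.log:

```shell
#!/bin/sh
# Added example (not from the book): confirm from named's log that each slave
# zone was actually transferred. Assumes the BIND 9 wording shown in the
# netdaemon.log excerpt above.

# sample_log
# Emit a constructed stand-in for /var/adm/syslog/netdaemon.log: two clean
# transfers plus one invented failure for IP6.INT (sample data, not captured
# from a real server).
sample_log() {
cat <<'EOF'
Oct 22 02:11:51 hpeos002 named[4287]: zone 0.0.127.IN-ADDR.ARPA/IN: loaded serial 1
Oct 22 02:11:51 hpeos002 named[4287]: zone maabof.com/IN: loaded serial 1
Oct 22 02:11:51 hpeos002 named[4287]: running
Oct 22 02:11:51 hpeos002 named[4287]: zone 168.192.IN-ADDR.ARPA/IN: transfered serial 2
Oct 22 02:11:51 hpeos002 named[4287]: transfer of '168.192.IN-ADDR.ARPA/IN' from 192.168.0.35#53: end of transfer
Oct 22 02:11:51 hpeos002 named[4287]: zone 168.192.IN-ADDR.ARPA/IN: sending notifies (serial 2)
Oct 22 02:11:52 hpeos002 named[4287]: zone maabof.com/IN: transfered serial 2
Oct 22 02:11:52 hpeos002 named[4287]: transfer of 'maabof.com/IN' from 192.168.0.35#53: end of transfer
Oct 22 02:11:52 hpeos002 named[4287]: transfer of 'IP6.INT/IN' from 192.168.0.35#53: failed while receiving responses: connection reset
EOF
}

# check_transfers ZONE  (log on stdin)
# Prints "ZONE ok serial N" and exits 0 when a transfer of ZONE completed,
# "ZONE failed" (exit 1) when one was attempted and did not end cleanly, or
# "ZONE none" (exit 2) when the log shows no transfer of ZONE at all.
check_transfers() {
    zone=$1
    awk -v z="$zone" '
        # "zone NAME/IN: transfered serial N": remember the serial received.
        # BIND 9.2 logs "transfered"; later releases spell it "transferred".
        index($0, "zone " z "/IN: ") && /transfer+ed serial [0-9]+$/ { serial = $NF }
        # "transfer of NAME/IN from MASTER#53: end of transfer" marks success
        index($0, "transfer of '\''" z "/IN'\''") && / end of transfer$/ { done = 1 }
        # any other outcome reported for that transfer counts as a failure
        index($0, "transfer of '\''" z "/IN'\''") && /failed/ { failed = 1 }
        END {
            if (done && serial != "") { print z " ok serial " serial; exit 0 }
            if (failed)               { print z " failed";             exit 1 }
            print z " none"; exit 2
        }'
}

# Stand-alone demo over the constructed sample. On the slave itself, replace
# sample_log with: cat /var/adm/syslog/netdaemon.log
for z in 168.192.IN-ADDR.ARPA maabof.com IP6.INT 0.0.127.IN-ADDR.ARPA; do
    sample_log | check_transfers "$z" || :
done
```

On the slave, feed it the real file: check_transfers maabof.com < /var/adm/syslog/netdaemon.log. A zone that still reports "none" once the SOA refresh interval has passed, or that reports "failed", is being served from whatever copy the slave loaded locally, and once the SOA expire time runs out the slave stops answering for that zone altogether, which defeats the purpose of having it.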

NOTE: At this time, it may be prudent to update all clients on the network to reference the slave server so that we can, if necessary, take down the master server without affecting resolver capabilities:

    root@hpeos002[dns] # cat /etc/resolv.conf
    domain maabof.com
    search maabof.com
    nameserver 192.168.0.34 # slave
    nameserver 192.168.0.35 # master
    root@hpeos002[dns] #
    root@hpeos002[dns] # cat /etc/nsswitch.conf
    ipnodes: dns [ NOTFOUND=continue ] files
    hosts: dns [ NOTFOUND=continue ] files
    root@hpeos002[dns] #
    root@hpeos002[dns] # nsquery hosts frog001
    Using "dns [ NOTFOUND=continue ] files" for the hosts policy.
    Searching dns for frog001
    Hostname: frog001.maabof.com
    Aliases:
    Address: 192.168.0.1
    Switch configuration: Terminates Search
    root@hpeos002[dns] #

17.2.1.1 EFFECTS A SLAVE CAN HAVE ON THE MASTER SERVER

This slave server is now authoritative for the domain maabof.com. When we registered this domain, we had to supply the names and IP addresses of at least two name servers. If we had known this up front, it would have made a difference to the parameter file /etc/dns/param.conf that we created on the master server. I have left out this part of the configuration until now. In the database files we created, there is only one NS (name server) record for this domain when, in fact, there are at least two servers that are authoritative.

    root@hpeos004[dns] more db.maabof
    $TTL    86400
    @       IN      SOA     hpeos004.maabof.com. root.hpeos004.maabof.com. (
                                            1       ; Serial
                                            10800   ; Refresh every 3 hours
                                            3600    ; Retry every hour
                                            604800  ; Expire after a week
                                            86400 ) ; Minimum ttl of 1 day
            IN      NS      hpeos004.maabof.com.
    localhost       IN      A       127.0.0.1
    hpeos001        IN      A       192.168.0.67
    ...
    root@hpeos004[dns]

We need to register only two servers with the Internet authorities. It is these servers that will receive queries from sources external to our domain. We can have many more slave servers within our domain, possibly to alleviate the pressure on our two official servers. We can list in our param.conf file all servers that are authoritative for this zone. In this way, we will create database files that have an NS record referencing them all. Here's what my new param.conf file will look like on my master server:

    root@hpeos004[dns] cat param.conf
    -d maabof.com
    -n 192.168
    -Z 192.168.0.35
    -Z 192.168.0.66
    -z 192.168.0.35
    -z 192.168.0.66
    -m 10:hpeos003
    -s hpeos004
    -s hpeos002
    -b /etc/named.conf
    root@hpeos004[dns]

All my authoritative servers are now listed. When I come to rebuild my database files, I will see both servers listed.

    root@hpeos004[dns] hosts_to_named -f param.conf
    Translating /etc/hosts to lower case ...
    Collecting network data ...
            192.168
    Creating list of multi-homed hosts ...
    Creating "A" data (name to address mapping) for net 192.168 ...
    Creating "PTR" data (address to name mapping) for net 192.168 ...
    Creating "MX" (mail exchanger) data ...
    Building default boot.sec.save for secondary servers ...
    Building default boot.sec for secondary servers ...
    done
    root@hpeos004[dns]
    root@hpeos004[dns] more db.192.168
    $TTL    86400
    @       IN      SOA     hpeos004.maabof.com. root.hpeos004.maabof.com. (
                                            2       ; Serial
                                            10800   ; Refresh every 3 hours
                                            3600    ; Retry every hour
                                            604800  ; Expire after a week
                                            86400 ) ; Minimum ttl of 1 day
            IN      NS      hpeos004.maabof.com.
            IN      NS      hpeos002.maabof.com.
    67.0    IN      PTR     hpeos001.maabof.com.
    34.0    IN      PTR     hpeos002.maabof.com.
    65.0    IN      PTR     hpeos003.maabof.com.
    33.0    IN      PTR     hpeos003.maabof.com.
    35.0    IN      PTR     hpeos004.maabof.com.
    66.0    IN      PTR     hpeos004.maabof.com.
    ...
    root@hpeos004[dns]

Now we just need to reload the named daemon on both machines with the new database files. (I will use the good old-fashioned sig_named command. You could find an option to rndc to do this.)

    root@hpeos004[dns] sig_named restart
    Name server restarted
    root@hpeos004[dns]
    ...
    root@hpeos002[dns] sig_named restart
    Name server restarted
    root@hpeos002[dns]

Now we can see that both servers are listed with an NS record, so hpeos002 is authoritative for this zone:

    root@hpeos002[dns] # dig maabof.com NS
    ; <<>> DiG named 9.2.0 <<>> maabof.com NS
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22690
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 15

    ;; QUESTION SECTION:
    ;maabof.com.                    IN      NS

    ;; ANSWER SECTION:
    maabof.com.             86400   IN      NS      hpeos004.maabof.com.
    maabof.com.             86400   IN      NS      hpeos002.maabof.com.

    ;; ADDITIONAL SECTION:
    hpeos002.maabof.com.    86400   IN      A       192.168.0.34
    hpeos002.maabof.com.    86400   IN      A6      0 fec0:0:0:2::3
    hpeos002.maabof.com.    86400   IN      A6      0 fe80::a00:9ff:fec2:69c6
    hpeos002.maabof.com.    86400   IN      AAAA    fec0:0:0:2::3
    hpeos002.maabof.com.    86400   IN      AAAA    fe80::a00:9ff:fec2:69c6
    hpeos004.maabof.com.    86400   IN      A       192.168.0.35
    hpeos004.maabof.com.    86400   IN      A       192.168.0.66
    hpeos004.maabof.com.    86400   IN      A6      0 fec0:0:0:1::2
    hpeos004.maabof.com.    86400   IN      A6      0 fec0:0:0:2::2
    hpeos004.maabof.com.    86400   IN      A6      0 fe80::230:6eff:fe5c:4f4f
    hpeos004.maabof.com.    86400   IN      A6      0 fe80::a00:9ff:febb:bbbb
    hpeos004.maabof.com.    86400   IN      AAAA    fec0:0:0:1::2
    hpeos004.maabof.com.    86400   IN      AAAA    fec0:0:0:2::2
    hpeos004.maabof.com.    86400   IN      AAAA    fe80::230:6eff:fe5c:4f4f
    hpeos004.maabof.com.    86400   IN      AAAA    fe80::a00:9ff:febb:bbbb

    ;; Query time: 112 msec
    ;; SERVER: 192.168.0.34#53(192.168.0.34)
    ;; WHEN: Tue Oct 22 02:52:32 2003
    ;; MSG SIZE  rcvd: 464
    root@hpeos002[dns] #

The changes I made to the database files could have been performed by hand, as long as I remembered to update the Serial number to signify that a change has occurred and ensured that I updated all the database files:

    root@hpeos002[dns] # more db.IP6.INT
    $ORIGIN .
    $TTL 86400      ; 1 day
    IP6.INT                 IN SOA  hpeos004.maabof.com. root.hpeos004.maabof.com. (
                                    2          ; serial
                                    10800      ; refresh (3 hours)
                                    3600       ; retry (1 hour)
                                    604800     ; expire (1 week)
                                    86400      ; minimum (1 day)
                                    )
                            NS      hpeos002.maabof.com.
                            NS      hpeos004.maabof.com.
    $ORIGIN IP6.INT.
    $ORIGIN e.f.IP6.INT.
    $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.IP6.INT.
    $ORIGIN e.f.f.f.e.6.0.3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.IP6.INT.
    0.f.b.7.6.4             PTR     hpeos003.maabof.com.
    $ORIGIN c.5.e.f.f.f.e.6.0.3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.IP6.INT.
    8.f.f.3                 PTR     hpeos003.maabof.com.
    f.4.f.4                 PTR     hpeos004.maabof.com.
    $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.IP6.INT.
    $ORIGIN e.f.f.f.9.0.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.IP6.INT.
    $ORIGIN b.e.f.f.f.9.0.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.IP6.INT.
    b.1.4.8.a               PTR     hpeos001.maabof.com.
    ...
    root@hpeos002[dns] #
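The two things to verify after a change like this are exactly the ones just named: every authoritative server has an NS record in every zone file, and every serial has been bumped so the slaves will pick the change up. The script below is an added example, not part of the book and not something hosts_to_named provides; it assumes zone files in the layout hosts_to_named writes (the serial on its own line inside the SOA parentheses) and runs over two constructed files, one rebuilt correctly and one left with the old serial and a single NS record:

```shell
#!/bin/sh
# Added example (not from the book): audit BIND zone files after a change.
# Assumed layout: the text zone files hosts_to_named writes (db.maabof,
# db.192.168, ...), with the SOA serial on its own line inside the ( ).

# zone_serial FILE
# Print the SOA serial: the first bare number after the SOA keyword, either
# on the SOA line itself or on the first continuation line inside the ( ).
zone_serial() {
    awk '
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa {
            sub(/;.*/, "")                       # strip the "; Serial" comment
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { print $i; exit }
        }' "$1"
}

# zone_ns FILE
# Print the sorted set of names carried by the NS records.
zone_ns() {
    awk '
        { sub(/;.*/, "") }
        /(^|[ \t])NS[ \t]/ { print $NF }' "$1" | sort -u
}

# audit_zone FILE EXPECTED_SERIAL NS1 [NS2 ...]
# Succeed only if FILE carries EXPECTED_SERIAL and an NS record for every
# listed server; print one line per problem found.
audit_zone() {
    file=$1; want=$2; shift 2
    rc=0
    have=$(zone_serial "$file")
    if [ "$have" != "$want" ]; then
        echo "$file: serial is ${have:-missing}, expected $want"; rc=1
    fi
    nslist=" $(echo $(zone_ns "$file")) "        # newline list -> " a b c "
    for ns in "$@"; do
        case $nslist in
            *" $ns "*) ;;
            *) echo "$file: no NS record for $ns"; rc=1 ;;
        esac
    done
    return $rc
}

# make_samples
# Write two constructed zone files into a scratch directory and print its
# path. db.maabof has the rebuilt contents shown above; db.192.168 is
# deliberately left with the old serial and a single NS record, the state a
# hand edit leaves behind when one file is forgotten.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/db.maabof" <<'EOF'
$TTL    86400
@       IN      SOA     hpeos004.maabof.com. root.hpeos004.maabof.com. (
                                2       ; Serial
                                10800   ; Refresh every 3 hours
                                3600    ; Retry every hour
                                604800  ; Expire after a week
                                86400 ) ; Minimum ttl of 1 day
        IN      NS      hpeos004.maabof.com.
        IN      NS      hpeos002.maabof.com.
localhost       IN      A       127.0.0.1
hpeos001        IN      A       192.168.0.67
EOF
    cat > "$dir/db.192.168" <<'EOF'
$TTL    86400
@       IN      SOA     hpeos004.maabof.com. root.hpeos004.maabof.com. (
                                1       ; Serial
                                10800   ; Refresh every 3 hours
                                3600    ; Retry every hour
                                604800  ; Expire after a week
                                86400 ) ; Minimum ttl of 1 day
        IN      NS      hpeos004.maabof.com.
67.0    IN      PTR     hpeos001.maabof.com.
34.0    IN      PTR     hpeos002.maabof.com.
EOF
    echo "$dir"
}

# Stand-alone demo over the constructed files. On a real server, point
# audit_zone at /etc/dns/db.* with the serial you expect after the rebuild.
dir=$(make_samples)
for f in "$dir"/db.*; do
    audit_zone "$f" 2 hpeos004.maabof.com. hpeos002.maabof.com. && echo "$f: ok"
done
rm -rf "$dir"
```

Run it on the master before restarting named, and again on each slave once the transfer has completed: a slave whose file still reports the old serial after the refresh interval is one that never fetched the change.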

17.2.2 Setting up a caching-only slave

This type of server will not load any zone records from the master but will simply build up a cache of resource records whenever it is asked to resolve a query. Consequently, the named.conf file is simple; we use the conf.cacheonly file from the master server:

    root@hpeos004[dns] cat conf.cacheonly
    #
    # type domain source file
    #
    options {
            directory "/etc/dns";
    };
    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "db.127.0.0";
    };
    zone "." {
            type hint;
            file "db.cache";
    };
    root@hpeos004[dns]

We would take these files, the db.cache file and the db.127.0.0 file, onto our caching-only server and then start named as before. Whenever a query was made, the caching-only server would have no choice but to query a root name server and eventually be referred down to our own master/slave servers.



HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434