Wednesday, December 15, 2010

Debian Slave DNS Server Setup

The setup of a Slave (Secondary) DNS Server is pretty easy. You need to follow the two previous posts first: setting up a simple DNS server and chrooting bind9.

Master (Primary) DNS Server

  1. Add the following to /etc/bind/named.conf.options
    dnssec-enable yes;
    
  2. Generate the HMAC-MD5 transfer key:
    dnssec-keygen -r /dev/urandom -a hmac-md5 \
     -b 256 -n host rndc ; cat Krndc.*.private \
     | grep Key ; rm Krndc*
    
    Here is the output:
    Key: 9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=
    
  3. Add the following (replace the key with the one you generated) to a new file /etc/bind/transfer.key
    key TRANSFER {
            algorithm hmac-md5;
            secret "9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=";
    };
    
  4. Secure key:
    chmod o-r /etc/bind/transfer.key
    
  5. Add the following to a new file /etc/bind/named.conf.transfer
    include "/etc/bind/transfer.key";
    
    // Slave IP Address
    server 192.168.10.3 {
            keys {
                    TRANSFER;
            };
    };
    
  6. Add the following to file /etc/bind/named.conf
    include "/etc/bind/named.conf.transfer";
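The key from step 2 is a shared secret: the very same transfer.key file has to exist on the master and on every slave, which is why the slave section below repeats steps 2 to 4. As an added example, not code from the original post, the following POSIX shell script produces such a file with the permissions already tightened (the post creates it and then runs chmod o-r) and checks the result. It assumes the key name TRANSFER from the post and a caller-chosen output path; hmac-md5 is what the post uses, but the checker reports it as weak because BIND 9 also accepts hmac-sha256 for TSIG keys.

```shell
#!/bin/sh
# Added example, not from the original post: create and check the shared
# TSIG key file (/etc/bind/transfer.key in the post) used for zone transfers.
# Assumptions: key name TRANSFER as in the post; the output path is supplied
# by the caller; hmac-sha256 is used in the demo, hmac-md5 (the post's choice)
# is accepted but reported as weak.

# gen_tsig_secret: 32 random bytes, base64-encoded. That is all that
# 'dnssec-keygen -a hmac-md5 -b 256' produces for an HMAC key, so plain
# /dev/urandom plus base64 gives an equivalent secret.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_key_file PATH NAME ALGORITHM SECRET
# The umask runs in a subshell so the file is created 0600 from the start;
# the post creates it with the default umask and runs 'chmod o-r' afterwards.
write_key_file() {
    ( umask 077
      printf 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$2" "$3" "$4" > "$1" )
}

# check_key_file PATH: prints one finding per line; returns 1 if any found.
check_key_file() {
    rc=0
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    perms=$(ls -ld "$1" | cut -c2-10)      # the rwxrwxrwx part of ls -l
    case $perms in ??????r??) echo "WORLD_READABLE $1"; rc=1 ;; esac
    grep -q '^key [A-Za-z0-9_.-]* {' "$1" || { echo "NO_KEY_STATEMENT $1"; rc=1; }
    grep -q 'algorithm hmac-md5;' "$1" && { echo "WEAK_ALGORITHM hmac-md5 in $1"; rc=1; }
    grep -q 'secret "[A-Za-z0-9+/]*=*";' "$1" || { echo "BAD_SECRET $1"; rc=1; }
    return $rc
}

# Demo: build the file in a temporary directory and verify it.
demo_dir=$(mktemp -d)
write_key_file "$demo_dir/transfer.key" TRANSFER hmac-sha256 "$(gen_tsig_secret)"
if check_key_file "$demo_dir/transfer.key"; then
    echo "ok: copy $demo_dir/transfer.key to /etc/bind/transfer.key on master and slave"
fi
cat "$demo_dir/transfer.key"
```

Copy the generated file to the same path on both servers (scp, or paste it in as the post does). One thing to keep in mind: the server statement in named.conf.transfer only makes this host sign what it sends to the listed address; whether the master lets a particular slave pull a zone at all is decided by allow-transfer in the zone or options block, which this post does not change.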
    

Slave (Secondary) DNS Server

  1. Add the following to /etc/bind/named.conf.options
    dnssec-enable yes;
    
  2. Add the following (replace the key with the one you generated) to file /etc/bind/transfer.key
    key TRANSFER {
            algorithm hmac-md5;
            secret "9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=";
    };
    
  3. Secure key:
    chmod o-r /etc/bind/transfer.key
    
  4. Add the following to file /etc/bind/named.conf.transfer
    include "/etc/bind/transfer.key";
    
    // Master IP Address
    server 192.168.10.2 {
            keys {
                    TRANSFER;
            };
    };
    
  5. Add the following to file /etc/bind/named.conf
    include "/etc/bind/named.conf.transfer";
    
  6. Specify slave zones in file /etc/bind/named.conf.local:
    zone "dev.local" IN {
           type slave;
           file "/etc/bind/db.dev.local";
           masters { 192.168.10.2; };
           allow-notify { 192.168.10.2; };
    };
    
    zone "10.168.192.IN-ADDR.ARPA" IN {
           type slave;
           file "/etc/bind/db.10.168.192";
           masters { 192.168.10.2; };
           allow-notify { 192.168.10.2; };
    };
    
  7. Copy forwards to slave (file /etc/bind/named.conf.forward):
    zone "corp.local" IN {
           type forward;
           forwarders { 192.168.11.2; 192.168.11.3; };
    };
    
  8. Ensure bind:bind is the owner of the configuration directory so that named can write the zone files it receives from the master.
    chown -R bind:bind /var/chroot/bind9/etc/*
    
In order to keep both servers in sync, set up ntpdate (on both the master and the slave DNS server):
root@ns2:/etc/bind# apt-get install ntpdate
...
root@ns2:/etc/bind# ntpdate pool.ntp.org
Now you can restart bind9 on both servers and check that the slave has received the zone files.

Troubleshooting

Have a look at the system log file (/var/log/syslog) for any errors reported by named. If you see a "permission denied" error while named is dumping a file, make sure bind:bind is the owner, as follows:
chown -R bind:bind /var/chroot/bind9/etc/*
/etc/init.d/bind9 restart
ls -l /etc/bind/db.*
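Reading the transfer messages in syslog is the quickest way to tell which of the steps above went wrong. As an added example, not part of the original post, the following POSIX shell snippet classifies named's zone-transfer lines and maps each failure to the check it usually points at. The log lines embedded in it are constructed for this example (hostname and addresses taken from this post), and the hints describe general BIND behaviour rather than anything the post states.

```shell
#!/bin/sh
# Added example, not from the original post: triage named zone-transfer
# messages from /var/log/syslog on a slave.

# classify_transfer_line LINE -> one tag on stdout
classify_transfer_line() {
    case $1 in
        *"failed while receiving responses: NOTAUTH"*) echo notauth ;;
        *"failed while receiving responses: REFUSED"*) echo refused ;;
        *"permission denied"*)                         echo permission_denied ;;
        *"Transfer completed:"*" 0 records,"*)         echo empty_transfer ;;
        *"Transfer completed:"*)                       echo completed ;;
        *"Transfer started."*|*"connected using"*)     echo in_progress ;;
        *)                                             echo other ;;
    esac
}

# transfer_hint TAG -> what the tag normally means and what to check
transfer_hint() {
    case $1 in
        notauth) echo "master answered NOTAUTH: it is not authoritative for that zone (no 'type master' zone for it, or a different view answers), or the TSIG signature was rejected (transfer.key differs between the servers, or the clocks drift; see the ntpdate step)" ;;
        refused) echo "master answered REFUSED: its allow-transfer does not admit this slave's address or key" ;;
        permission_denied) echo "named cannot write its zone file: chown -R bind:bind /var/chroot/bind9/etc/* and restart bind9" ;;
        empty_transfer) echo "transfer ended with 0 records: the real error is on the preceding line for the same zone" ;;
        *) echo "" ;;
    esac
}

# report_transfers < LOG -> "TAG: hint" for every line that signals a problem
report_transfers() {
    while IFS= read -r line; do
        tag=$(classify_transfer_line "$line")
        case $tag in
            notauth|refused|permission_denied|empty_transfer)
                printf '%s: %s\n' "$tag" "$(transfer_hint "$tag")" ;;
        esac
    done
}

# Constructed sample (not real logs): one failed transfer and one dump error.
SAMPLE_LOG=$(cat <<'EOF'
Apr  7 16:59:31 ns2 named[1906]: zone dev.local/IN: Transfer started.
Apr  7 16:59:32 ns2 named[1906]: transfer of 'dev.local/IN' from 192.168.10.2#53: connected using 192.168.10.3#51939
Apr  7 16:59:32 ns2 named[1906]: transfer of 'dev.local/IN' from 192.168.10.2#53: failed while receiving responses: NOTAUTH
Apr  7 16:59:32 ns2 named[1906]: transfer of 'dev.local/IN' from 192.168.10.2#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.080 secs (0 bytes/sec)
Apr  7 17:03:10 ns2 named[1906]: dumping master file: /etc/bind/tmp-XXXXXX: open: permission denied
EOF
)

# On a real slave: grep named /var/log/syslog | report_transfers
printf '%s\n' "$SAMPLE_LOG" | report_transfers
```

The classifier keys on the fixed parts of named's messages, so it works on the post's own log format; zone names and addresses are ignored.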

3 comments:

  1. Hello, I have tried to set this up but keep getting the following errors on my newly created slave; see below for errors. Also I do not see anything in the logs on my master.

    PS: the slave is firewalled and NATed, however I have forwarded 53 through the firewall to the correct 192.168.1.201 internal NATed address.

    errors on slave
    Apr 7 16:59:31 mercury named[1906]: zone redwingshoes.ca/IN/external: Transfer started.
    Apr 7 16:59:32 mercury named[1906]: transfer of 'redwingshoes.ca/IN/external' from 204.244.122.132#53: connected using 192.168.1.201#51939
    Apr 7 16:59:32 mercury named[1906]: transfer of 'redwingshoes.ca/IN/external' from 204.244.122.132#53: failed while receiving responses: NOTAUTH
    Apr 7 16:59:32 mercury named[1906]: transfer of 'redwingshoes.ca/IN/external' from 204.244.122.132#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.080 secs (0 bytes/sec)

  2. Are you sure that you need to chown exactly /var/chroot/bind9/etc/* on the secondary DNS?

    Replies
    1. The only directory under /var/chroot/bind9/etc is 'bind' so you should be fine.
