Setting up a slave (secondary) DNS server is fairly easy. You need to have followed the two previous posts on setting up a
simple DNS server and
chrooting bind9.
Master (Primary) DNS Server
- Add the following to /etc/bind/named.conf.options. TSIG-signed transfers do not actually depend on it, and the option is obsolete in BIND 9.16 and later, so skip it there:
dnssec-enable yes;
- Generate a TSIG key. This post uses HMAC-MD5, which is deprecated for TSIG; use hmac-sha256 wherever both servers support it. (Newer BIND versions no longer generate HMAC keys with dnssec-keygen; tsig-keygen replaces this step.)
dnssec-keygen -r /dev/urandom -a hmac-md5 \
-b 256 -n HOST rndc ; cat Krndc.*.private \
| grep Key ; rm Krndc*
Here is output:
Key: 9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=
- Add the following to a new file /etc/bind/transfer.key (replace the secret with the one you generated):
key TRANSFER {
algorithm hmac-md5;
secret "9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=";
};
- Secure the key. This only removes world read access; also make sure the file is owned by root:bind (or by bind:bind inside the chroot) so nothing else on the host can read the secret:
chmod o-r /etc/bind/transfer.key
- Add the following to a new file /etc/bind/named.conf.transfer. The server statement makes the master sign everything it sends to the slave (including NOTIFY) with TRANSFER. To actually require the key for zone transfers, the master's zones from the earlier post must also carry allow-transfer { key TRANSFER; }; otherwise any host can still AXFR them.
include "/etc/bind/transfer.key";
// Slave IP Address
server 192.168.10.3 {
keys {
TRANSFER;
};
};
- Add the following to file /etc/bind/named.conf
include "/etc/bind/named.conf.transfer";
Slave (Secondary) DNS Server
- Add the following to /etc/bind/named.conf.options (as on the master, this is not required for TSIG and is obsolete in BIND 9.16 and later):
dnssec-enable yes;
- Add the following to a new file /etc/bind/transfer.key, with the same key name, algorithm and secret as on the master:
key TRANSFER {
algorithm hmac-md5;
secret "9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=";
};
- Secure the key, again making sure only root and bind can read it:
chmod o-r /etc/bind/transfer.key
- Add the following to a new file /etc/bind/named.conf.transfer so the slave signs its transfer requests to the master and verifies the signed NOTIFYs it receives:
include "/etc/bind/transfer.key";
// Master IP Address
server 192.168.10.2 {
keys {
TRANSFER;
};
};
- Add the following to file /etc/bind/named.conf
include "/etc/bind/named.conf.transfer";
- Specify the slave zones in /etc/bind/named.conf.local. The file paths are interpreted inside the chroot, and named must be able to write there:
zone "dev.local" IN {
type slave;
file "/etc/bind/db.dev.local";
masters { 192.168.10.2; };
allow-notify { 192.168.10.2; };
};
zone "10.168.192.IN-ADDR.ARPA" IN {
type slave;
file "/etc/bind/db.10.168.192";
masters { 192.168.10.2; };
allow-notify { 192.168.10.2; };
};
- Copy the forward zones to the slave as well (file /etc/bind/named.conf.forward); they are configuration, not zone data, so they are never transferred:
zone "corp.local" IN {
type forward;
forwarders { 192.168.11.2; 192.168.11.3; };
};
- Ensure bind:bind owns the configuration inside the chroot so named can write the zone files it receives from the master.
chown -R bind:bind /var/chroot/bind9/etc/*
To keep both servers in sync, set up ntpdate on the master and slave. TSIG signatures carry a timestamp, and a signed request whose clock is off by more than the 300-second default fudge is rejected with BADTIME:
root@ns2:/etc/bind# apt-get install ntpdate
...
root@ns2:/etc/bind# ntpdate pool.ntp.org
Now restart bind9 on both servers and check that the slave has received the zone files.
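The whole procedure above, as an added example that is not from the original post: a POSIX shell script that generates the TRANSFER secret with openssl instead of the post's dnssec-keygen -a hmac-md5 (current BIND versions no longer generate HMAC keys with dnssec-keygen; tsig-keygen produces the same kind of key statement this script writes), installs /etc/bind/transfer.key with root:bind 0640 permissions instead of a bare chmod o-r, and checks from the slave that the transfer succeeds only when it is signed. The choice of hmac-sha256, the script name, the --install flag and the function names are assumptions. Run --install once on the master and copy the resulting file to the slave byte for byte; both copies must name the same algorithm.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the TSIG transfer key
# without dnssec-keygen (which no longer produces HMAC keys in current BIND),
# install it with safe permissions, and verify the transfer from the slave.
# Assumptions: openssl and dig are installed; the key name TRANSFER and the
# file /etc/bind/transfer.key follow the post; hmac-sha256 replaces hmac-md5.
set -eu

# A TSIG secret is random bytes in base64; 32 bytes = 256 bits suits
# hmac-sha256 (this is what "tsig-keygen -a hmac-sha256 TRANSFER" generates).
gen_tsig_secret() {
    openssl rand -base64 "${1:-32}"
}

# Print a named.conf key statement: $1 name, $2 algorithm, $3 base64 secret.
tsig_key_statement() {
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# Write the key statement to $1 so that only root and the bind group can read
# it (the post's "chmod o-r" leaves the owner and group untouched).
# $2 key name, $3 algorithm, $4 secret.
write_key_file() {
    ( umask 077; tsig_key_statement "$2" "$3" "$4" > "$1" )
    chmod 0640 "$1"
    # chown needs root; in an unprivileged shell the 0640 mode is all we set.
    chown root:bind "$1" 2>/dev/null || true
}

# Succeed only if "other" has no read bit on $1 (portable ls -l parse:
# the 8th character of the mode string is the world-readable bit).
key_file_is_private() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) return 1 ;;
        *)          return 0 ;;
    esac
}

# Run from the slave: the AXFR must work with the key and be refused without
# it, which only holds once the master's zones carry
#   allow-transfer { key TRANSFER; };
# Needs network access to the master, so the tests below do not call it.
# dig -k reads the key-statement file on recent dig versions.
check_transfer() {
    master=$1 zone=$2 keyfile=$3
    dig @"$master" "$zone" AXFR -k "$keyfile" +noall +answer | grep -q 'SOA' || return 1
    dig @"$master" "$zone" AXFR +noall +answer | grep -q 'SOA' && return 1
    return 0
}

# Usage: run once on the master, then copy /etc/bind/transfer.key to the
# slave unchanged:   sh tsig-key.sh --install
if [ "${1:-}" = "--install" ]; then
    secret=$(gen_tsig_secret 32)
    write_key_file /etc/bind/transfer.key TRANSFER hmac-sha256 "$secret"
    key_file_is_private /etc/bind/transfer.key
    echo "wrote /etc/bind/transfer.key; copy it to the slave byte for byte"
fi
```

Once both servers have the file and the master's zones restrict transfers to the key, `check_transfer 192.168.10.2 dev.local /etc/bind/transfer.key` on the slave returns 0 only if the signed AXFR succeeds and the unsigned one is refused; a zero exit with the unsigned transfer still working means allow-transfer is missing.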
Troubleshooting
Have a look at the system log (/var/log/syslog) for errors reported by named. A "permission denied" while dumping a zone file means bind:bind does not own the directory; fix it as follows and confirm that the zone files appear:
chown -R bind:bind /var/chroot/bind9/etc/*
/etc/init.d/bind9 restart
ls -l /etc/bind/db.*
A mismatch between the two transfer.key files is logged as BADKEY or BADSIG; a clock skew larger than the TSIG fudge as BADTIME.
Hello, I have tried to set this up but keep getting the following errors on my newly created slave; see below for errors. Also, I do not see anything in the logs on my master.
PS: the slave is firewalled and NATed; however, I have forwarded 53 through the firewall to the correct 192.168.1.201 internal NATed address.
errors on slave
Apr 7 16:59:31 mercury named[1906]: zone redwingshoes.ca/IN/external: Transfer started.
Apr 7 16:59:32 mercury named[1906]: transfer of 'redwingshoes.ca/IN/external' from 204.244.122.132#53: connected using 192.168.1.201#51939
Apr 7 16:59:32 mercury named[1906]: transfer of 'redwingshoes.ca/IN/external' from 204.244.122.132#53: failed while receiving responses: NOTAUTH
Apr 7 16:59:32 mercury named[1906]: transfer of 'redwingshoes.ca/IN/external' from 204.244.122.132#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.080 secs (0 bytes/sec)
Are you sure that you need to chown exactly /var/chroot/bind9/etc/* on the secondary DNS?
The only directory under /var/chroot/bind9/etc is 'bind', so you should be fine.