Ronald Wiplinger | 12 Sep 2006 03:39

How to allow zone transfer?

I have now one dns server running with mysql

How can I allow zone transfer to a dns without mysql?

/var/log/messages shows now:
Sep 12 09:31:39 dns named[24445]: transfer of 'xxx.com/IN' from 
xx.xx.xx.xx#53: failed while receiving responses: REFUSED
Sep 12 09:31:39 dns named[24445]: transfer of 'xxx.com/IN' from 
xx.xx.xx.xx#53: end of transfer

DNS server got in named.conf:
   dlz "Mysql zone" {
   database "mysql
   {host=127.0.0.1 dbname=xxx_dns_data ssl=false port=35306 user=xxx 
pass=shhshh}
   {select zone from dns_records where zone = '%zone%' limit 1}
   {select  ttl, type, mx_priority, case when lower(type)='txt' then 
concat('\"', data, '\"') when lower(type) = 'soa' then  concat_ws(' ', 
data, resp_person, serial, refresh, retry, expire, minimum) else data 
end as mydata from dns_records where zone = '%zone%' and host = '%record%'}
   {}
   {select  ttl, type, host, mx_priority, case when lower(type)='txt' 
then concat('\"', data, '\"') else data end as mydata, resp_person, 
serial, refresh, retry, expire, minimum from dns_records where zone = 
'%zone%'}
   {select zone from xfr_table where zone = '%zone%' and client = 
'%client%' limit 1}
   {update data_count set count = count + 1 where zone ='%zone%'}";
};


Graeme Fowler | 12 Sep 2006 10:27

Re: How to allow zone transfer?

On 12/09/2006 02:39, Ronald Wiplinger wrote:
> I have now one dns server running with mysql
> How can I allow zone transfer to a dns without mysql?

The clue is in your SQL structure for the DLZ queries:

>    {select zone from xfr_table where zone = '%zone%' and client = 
> '%client%' limit 1}

Ensure you have a table in your DB called "xfr_table" with columns 
"zone" and "client". For the hosts you want to be able to do zone 
transfers, do:

INSERT INTO xfr_table VALUES("*","192.168.1.100");

That example will allow 192.168.1.100 to do zone transfers of all zones. 
You can tune it as follows (some more examples):

# Allow 192.168.1.0/24 hosts to transfer .com domains:
INSERT INTO xfr_table VALUES(".com","192.168.1.");

# Allow 192.168.1.100 to transfer domain.com:
INSERT INTO xfr_table VALUES("domain.com","192.168.1.100");

...and so on, and so forth. Be careful with your wildcarding - remember 
that *, % and so on can mean different things to different backends.

Graeme


Ronald Wiplinger | 12 Sep 2006 17:08

Re: How to allow zone transfer?

Graeme Fowler wrote:
> On 12/09/2006 02:39, Ronald Wiplinger wrote:
>   
>> I have now one dns server running with mysql
>> How can I allow zone transfer to a dns without mysql?
>>     
>
> The clue is in your SQL structure for the DLZ queries:
>
>   
>>    {select zone from xfr_table where zone = '%zone%' and client = 
>> '%client%' limit 1}
>>     
>
> Ensure you have a table in your DB called "xfr_table" with columns 
> "zone" and "client". For the hosts you want to be able to do zone 
> transfers, do:
>
> INSERT INTO xfr_table VALUES("*","192.168.1.100");
>   

Thanks for your help.

I inserted the line with the secondary's IP address. Then I reloaded 
both dns and still get on the slave dns:
Sep 12 23:02:54 dns named[24445]: transfer of 'xxx.com/IN' from 
xx.xx.xx.xx#53: failed while receiving responses: REFUSED
Sep 12 23:02:54 dns named[24445]: transfer of 'xxx.com/IN' from 
xx.xx.xx.xx#53: end of transfer


Graeme Fowler | 12 Sep 2006 18:21

Re: How to allow zone transfer?

On 12/09/2006 16:08, Ronald Wiplinger wrote:
> I inserted the line with the secondary's IP address. Then I reloaded 
> both dns and still get on the slave dns:
> Sep 12 23:02:54 dns named[24445]: transfer of 'xxx.com/IN' from 
> xx.xx.xx.xx#53: failed while receiving responses: REFUSED
> Sep 12 23:02:54 dns named[24445]: transfer of 'xxx.com/IN' from 
> xx.xx.xx.xx#53: end of transfer

Aha. [cough]

You need to massage your SQL query a bit to make it match properly:

  {select zone from xfr_table where (zone = '%zone%' or zone='*') and 
client = '%client%'}

That way, if (( the zone matches it returns true, or if it matches the * 
it returns true ) AND ( the client matches it returns true )). The 
client is then permitted to transfer.

Graeme
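
An added check, not from the thread: Python with sqlite3 standing in for the MySQL backend, emulating how DLZ runs the allow-transfer template quoted above. It shows why the original exact-match query returned REFUSED for the "*" row while the amended one permits the slave, and flags rows that an equality match can never honour. The xfr_table rows below are constructed sample data.

```python
import ipaddress
import sqlite3

# Constructed sample xfr_table modelled on the rows discussed in the thread
# (not the poster's data). Columns: zone, client.
XFR_ROWS = [
    ("*", "192.168.1.100"),           # wildcard zone row from the first reply
    ("domain.com", "192.168.1.101"),  # one zone, one slave
    (".com", "192.168.1."),           # prefix-style row; see ineffective_rows()
]

# The two allow-transfer templates quoted in the thread, DLZ tokens intact.
ORIGINAL_QUERY = ("select zone from xfr_table where zone = '%zone%' "
                  "and client = '%client%' limit 1")
FIXED_QUERY = ("select zone from xfr_table where (zone = '%zone%' or zone='*') "
               "and client = '%client%'")


def transfer_allowed(template, zone, client, rows=XFR_ROWS):
    """Emulate the DLZ allow-zone-transfer step: the server substitutes
    %zone% and the requesting %client% address into the template and permits
    the AXFR only if a row comes back. Here the two tokens are bound as
    parameters in the same positions rather than spliced into the SQL."""
    sql = template.replace("'%zone%'", "?").replace("'%client%'", "?")
    conn = sqlite3.connect(":memory:")
    conn.execute("create table xfr_table (zone text, client text)")
    conn.executemany("insert into xfr_table values (?, ?)", rows)
    allowed = conn.execute(sql, (zone, client)).fetchone() is not None
    conn.close()
    return allowed


def ineffective_rows(rows=XFR_ROWS):
    """Rows an equality-only template can never match: a client that is not
    a complete address (a '192.168.1.' prefix) or a zone given as a suffix
    like '.com'. With the templates above such rows grant nothing, so they
    are worth flagging when reviewing who may pull zones."""
    bad = []
    for zone, client in rows:
        try:
            ipaddress.ip_address(client)
        except ValueError:
            bad.append((zone, client))
            continue
        if zone.startswith("."):
            bad.append((zone, client))
    return bad
```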

Ronald Wiplinger | 13 Sep 2006 12:29

Re: How to allow zone transfer?

Graeme Fowler wrote:
> On 12/09/2006 16:08, Ronald Wiplinger wrote:
>   
>> I inserted the line with the secondary's IP address. Then I reloaded 
>> both dns and still get on the slave dns:
>> Sep 12 23:02:54 dns named[24445]: transfer of 'xxx.com/IN' from 
>> xx.xx.xx.xx#53: failed while receiving responses: REFUSED
>> Sep 12 23:02:54 dns named[24445]: transfer of 'xxx.com/IN' from 
>> xx.xx.xx.xx#53: end of transfer
>>     
>
> Aha. [cough]
>
> You need to massage your SQL query a bit to make it match properly:
>
>   {select zone from xfr_table where (zone = '%zone%' or zone='*') and 
> client = '%client%'}
>
> That way, if (( the zone matches it returns true, or if it matches the * 
> it returns true ) AND ( the client matches it returns true )). The 
> client is then permitted to transfer.
>
> Graeme
>   

Thanks that worked!

I got an additional question.
If I change in the database some data, I need to initiate the zone 
transfer again.

Rob Butler | 13 Sep 2006 15:26

Re: How to allow zone transfer?

Ronald,

If you update the SOA serial the zone transfer will
happen - eventually.  Your slave server will check the
master DLZ server's SOA serial after the SOA refresh
period has expired and if the serial is newer perform
the zone transfer.  So if your refresh is set for a
long period of time it will take a while before the
slave gets the update.  You could set the refresh time
in your SOA to a low value but that would just mean a
shorter delay between the updates.  If you want an
immediate update you need to send a DNS notify message
to the slave server.

Notify messages let the slave know it should check for
an update immediately.  You can send a notify message
using a variety of different command line tools or DNS
APIs like the Perl DNS module.  To make things
automatic you could implement a DB trigger that gets
called on update of the SOA serial to send a DNS
notify message.  If your DB doesn't support triggers
or you don't want to do things that way you could have
whatever application you are using to manage your data
send the notify message instead.  Of course be sure to
properly configure your slave server to receive
notifications and only allow notifications to come
from you.  Explaining how to do all of this is beyond
the scope of something that can be explained by
e-mail.  So do a little research on Google and you
should find all the information you need.
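
An added example, not from the thread or from Rob: Python (standard library only) that builds and parses the RFC 1996 NOTIFY message described above, applies the acceptance checks a slave should make before acting on one (the "only allow notifications to come from you" point, which BIND enforces through its masters list and allow-notify), and does the RFC 1982 serial comparison a slave uses to decide whether the master's SOA is newer. The zone name, message id and addresses are constructed values.

```python
import ipaddress
import struct

OPCODE_NOTIFY = 4            # RFC 1996
QTYPE_SOA, QCLASS_IN = 6, 1
FLAG_AA = 0x0400


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def decode_name(msg, off):
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:                     # no compression in a NOTIFY question
            raise ValueError("unexpected compression pointer")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels).lower() + ".", off + 1


def build_notify(zone, msg_id):
    """Minimal NOTIFY: opcode 4, AA set, one question <zone, SOA, IN>.
    RFC 1996 lets the answer carry the new SOA, but the slave must still
    fetch the master's SOA itself, so this demo omits the answer section."""
    flags = (OPCODE_NOTIFY << 11) | FLAG_AA
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_notify(msg):
    msg_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("NOTIFY carries exactly one question")
    zone, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zone": zone,
            "qtype": qtype, "qclass": qclass}


def should_accept(msg, src_ip, masters, served_zones):
    """A slave's NOTIFY gate: well-formed, opcode NOTIFY, SOA/IN, a zone we
    are secondary for, and a source address that is a configured master."""
    try:
        n = parse_notify(msg)
    except (ValueError, struct.error, IndexError):
        return False
    trusted = ipaddress.ip_address(src_ip) in {ipaddress.ip_address(m) for m in masters}
    return (trusted and n["opcode"] == OPCODE_NOTIFY and n["qtype"] == QTYPE_SOA
            and n["qclass"] == QCLASS_IN and n["zone"] in served_zones)


def serial_is_newer(old, new):
    """RFC 1982 serial arithmetic used when comparing SOA serials: 'new' is
    newer if it lies less than 2**31 ahead of 'old' modulo 2**32."""
    return old != new and (new - old) % 2**32 < 2**31
```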


BDBHPT database layout ..

Hi,

Because the dns_data database for BDBHPT has DB_DUP and DB_DUPSORT properties 
set (as per the example I posted earlier at least), and I can't really find 
how these are sorted (or how this can be manipulated) in the docs for the 
perl BerkeleyDB module..

Is there an optimal sequence in which the records with key "domain.tld @" 
(soa/ns/mx records) should be stored in the BDB ?

also .. is there no other db layout possible with the same performance level 
using unique keys? I haven't looked into this at all but I was just wondering 
as maintaining duplicate keys is less trivial than working with unique keys 
for obvious reasons, dunno if the reasons are that obvious performance wise 
and I just fail to see that :-) ?

Thanks,

Mark. 

Rob Butler | 15 Sep 2006 03:13

Re: BDBHPT database layout ..

Hi Mark,

I don't know if there is a more optimal order for the
keys.  I let BDB handle the sort order as DLZ just
wants to look the data up.  I figure BDB's built in
sorting algorithm has to be fairly efficient.  Go
ahead and experiment if you like.

BDBHPT is a vast performance improvement over the
original BDB driver, which used secondary related DB's
and the like for easier management.  Basically you can
have performance or ease of management, but not both.

BDB is probably the fastest mutable DB storage
mechanism available.  Something like CDB (Constant DB)
may be slightly faster, I don't know.  The only thing
that will be significantly faster is storing
everything in memory - which is default Bind.  BDB
provides good memory caching of the on disk data which
is why its performance is so good.  Anything that is
an external process for managing data (like any SQL,
LDAP, etc DB) is going to be much slower because of
the inter-process communication overhead.  So that's
pretty much all the choices there are.

Hope that helped and made some sense.
Later
Rob

--- "Mark Richardson <mark <at> mrichardson.mine.nu> wrote:

Aleksandr Ivanov | 15 Sep 2006 10:21

strange problem with DLZ

Hi,

I have strange problem with DLZ...

My conf:
-------------------------------------------------named.conf---------------------------------------------------------
dlz "postgres zone" {
   database "postgres 4
   {host=/var/run/postgresql dbname=dns_data user=bind}
   {select zone from dns_records where zone = '%zone%' limit 1}
   {select ttl, type, mx_priority, case when lower(type)='soa' then data || ' ' || resp_person || ' '
         || serial || ' ' || refresh || ' ' || retry || ' ' || expire || ' ' || minimum
         else data end from dns_records where zone = '%zone%' and host = '%record%'}
   {}
   {select ttl, type, host, mx_priority, data, resp_person, serial, refresh, retry, expire,
        minimum from dns_records where zone = '%zone%'}
   {select zone from xfr_table where zone = '%zone%' and client = '%client%'}";
};
------------------------------------------------------------------------------------------------------------------------
-------------------------------------------table structure----------------------------------------------------------------
dns_data=# \d dns_records
    Table "public.dns_records"
   Column    |  Type   | Modifiers
-------------+---------+-----------
 zone        | text    |
 host        | text    |
 ttl         | text    |
 type        | text    |
 mx_priority | integer |
 data        | text    |

Mark Richardson | 15 Sep 2006 11:17

Re: BDBHPT database layout ..

Hi,

Well I think with the current layout it all depends on how the db is queried 
by dlz if there are performance impacts concerned with having unique keys in 
the dns_data bdb..

I think in the current setup when for instance an mx record is asked for all 
the soa/ns/mx records for that domain are returned, and the driver would have 
to find the right value after that (one or more mx records).
This would yield one query to the bdb and some internal processing by the 
driver.

Would there be a unique key say for instance "domain.tld mx" there would be 
one or more mx records returned in one query, but no filtering would need to 
be done in the driver as all returned values are of type mx which is what was 
asked.

When querying for a soa record the query for the duplicate key "domain.tld @" 
would yield all relevant information at once (except for the relevant A 
records that is), where the unique keys would yield 3 queries for soa/mx/ns 
type records and would perhaps need some internal sorting to return them in 
the right order (I guess I did not look at the code, also the data could be 
retrieved in the right order and perhaps only sorted on mx priority).

As you know the internals of the driver better than me (I assume) do you think 
one way is more or less fast than the others, and perhaps under what 
circumstances (server that gets a lot of mx requests?).
Has this been taken in consideration at all while profiling the driver ?

Is there any internal sorting done on the returned dataset in the bdbhpt 

