[SATLUG] djbdns slave to bind
Justizin
justizin at siggraph.org
Mon Oct 2 13:45:35 CDT 2006
On 10/2/06, John Pappas <j at jvpappas.net> wrote:
> On Mon, 2006-10-02 at 13:13 -0500, Justizin wrote:
> > On 10/2/06, John Pappas <j at jvpappas.net> wrote:
> > > This is true. I have not tried to slave a BIND server to a server I do
> > > not control. Seems that as long as there is no access control (or one
> > > falls under said access control) and the axfr is available, then setting
> > > up a slave should be possible.
> >
> > Yeah, it's possible, but the djbdns package itself does not provide a
> > means of accepting NOTIFY requests, so you've got to string it
> > together or cron it, which both stink.
>
> Agreed.
>
I sort of think a small C program could be written to do this, djb-style.
> > > Can you `dig` an axfr from the master or a slave on the domain?
> > >
> >
> > Oh, I can do better than that. there is a zone transfer tool, and it
> > works like so:
> >
> > tcpclient master.ns.server.com 53 axfr-get mydomain.com
>
> Unfamiliar with tcpclient. Looks like another DJB product, yes? Will
> RTFM...
>
Yep, tcpclient is like tcpserver, which is pretty well ingrained in
djbdns and qmail; basically it connects fd 6 and 7 or something,
stdout/stdin style, directly to a TCP socket which it controls.
> > so, the solution i have found is more or less this:
> >
> > pipe tinydns' log into a perl script which pipes to multilog, instead
> > of direct to multilog, and watch each log line for NOTIFY. when
> > NOTIFY comes, take parameters from the NOTIFY request, which tinydns
> > logs, and launch axfr-get, then push that to tinydns-data, which,
> > fortunately, is designed to take updated data at runtime.
>
> And thus people will stick with non-RFC compliance and use BIND,
> Windows, etc for tasks that would otherwise be easy if RFC's were
> complied with :?
>
Most exactly. Sadly, I actually see this as a lack of RFC compliance
on the part of DJB. I'm pretty sure there is an RFC for NOTIFY.
"Okay, I'm logging them." is not quite "compliance" in my book.
Also, I have to run this perl script which owns zones as 'Gdnslog',
rather than 'Gtinydns', which pretty much takes away at least half of the
added protection of using separate accounts for logging and the
service itself, because Gdnslog needs write access to the data. :/
I would really much prefer to see tinydns launching axfr-get children
instead of logging. Maybe that won't be too hard to whip up as a
patch.
;d
--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
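The log-filter approach sketched in the thread (a script between tinydns and multilog that watches for NOTIFY, runs axfr-get, then tinydns-data), written out as an added example; this is not code from the list posters or from the djbdns package. It assumes the tinydns log shape `ip:port:id flag qtype name` (hex fields, optionally prefixed by a tai64n `@` timestamp) and, as a further assumption to confirm against a real log line, that a NOTIFY (opcode 4, question type SOA) is logged with the "not implemented" flag `I` and qtype `0006`. The zone table, master hostname and address `192.0.2.1`, and the sample log lines in the test are constructed. It only reacts to NOTIFY lines whose source address is the configured master for a configured zone, rate-limits pulls per zone, and always transfers from the configured master rather than from whatever address appeared in the log, so a spoofed NOTIFY cannot make it fetch from an arbitrary host.

```python
"""Log filter for tinydns -> multilog (added example, not djbdns code).

Reads tinydns log lines on stdin, passes each one through to stdout
unchanged so multilog still records everything, and when a line looks
like a NOTIFY from a zone's configured master it pulls the zone with
axfr-get (via tcpclient) and rebuilds data.cdb with tinydns-data.
Run it from tinydns' root directory (where data and data.cdb live).
"""
import re
import subprocess
import sys
import time

# Assumed tinydns log shape: "ip:port:id flag qtype name".  The optional
# leading "@..." is the tai64n timestamp if the line already passed through it.
LOG_RE = re.compile(
    r"^(?:@[0-9a-f]+\s+)?([0-9a-f]{8}):([0-9a-f]{4}):([0-9a-f]{4})"
    r"\s+(\S)\s+([0-9a-f]{4})\s+(\S+)\s*$"
)

# Assumption: NOTIFY (opcode 4, question type SOA) shows up as flag "I"
# (not implemented) with qtype 0006.  Verify against your own log first.
NOTIFY_FLAG = "I"
QTYPE_SOA = 6

# Hypothetical configuration: zone -> (master host to pull from, master
# address allowed to trigger a pull).  Only these masters are honoured.
ZONES = {"mydomain.com": ("master.ns.server.com", "192.0.2.1")}
MIN_INTERVAL = 60.0  # seconds; repeated NOTIFYs inside this window are ignored


def hex_ip(h):
    """'7f000001' -> '127.0.0.1' (tinydns logs addresses as 8 hex digits)."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


def parse_line(line):
    """Split one tinydns log line into fields, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, port, qid, flag, qtype, name = m.groups()
    return {"ip": hex_ip(ip), "port": int(port, 16), "id": int(qid, 16),
            "flag": flag, "qtype": int(qtype, 16),
            "zone": name.rstrip(".").lower()}


def notify_zone(rec, zones=ZONES):
    """Zone name if rec is a NOTIFY from that zone's configured master, else None."""
    if rec is None or rec["flag"] != NOTIFY_FLAG or rec["qtype"] != QTYPE_SOA:
        return None
    cfg = zones.get(rec["zone"])
    if cfg is None or rec["ip"] != cfg[1]:
        return None  # unknown zone, or NOTIFY not from its master: ignore
    return rec["zone"]


def should_refresh(zone, last, now, min_interval=MIN_INTERVAL):
    """One pull per zone per min_interval; last maps zone -> time of last pull."""
    if now - last.get(zone, 0.0) < min_interval:
        return False
    last[zone] = now
    return True


def axfr_cmd(zone, zones=ZONES):
    """tcpclient gives axfr-get its TCP connection on fds 6/7; axfr-get
    writes data.<zone>.tmp and renames it to data.<zone> on success."""
    host = zones[zone][0]
    return ["tcpclient", host, "53", "axfr-get", zone,
            "data." + zone, "data." + zone + ".tmp"]


def refresh(zone, zones=ZONES):
    """Pull the zone from its configured master, rebuild data, run tinydns-data."""
    subprocess.run(axfr_cmd(zone, zones), check=True)
    with open("data", "wb") as out:
        for z in zones:
            try:
                with open("data." + z, "rb") as f:
                    out.write(f.read())
            except FileNotFoundError:
                pass  # zone not transferred yet
    subprocess.run(["tinydns-data"], check=True)  # atomically replaces data.cdb


def main():
    last = {}
    for line in sys.stdin:
        sys.stdout.write(line)  # pass every line on to multilog
        sys.stdout.flush()
        zone = notify_zone(parse_line(line))
        if zone and should_refresh(zone, last, time.time()):
            try:
                refresh(zone)
            except subprocess.CalledProcessError as e:
                sys.stderr.write("refresh of %s failed: %s\n" % (zone, e))


if __name__ == "__main__":
    main()
```

Wired in as `tinydns 2>&1 | python3 notify-filter.py | multilog ...`, the filter inherits the log account's identity, which is exactly the trade-off raised above: that account then needs write access to the data directory. Keeping the master table fixed in the script (and never pulling from the address seen in the log) is the access-control side of the same problem.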