BIND and rndc

David L. Gehrt dlg at mail.inanity.net
Sun Dec 18 09:39:37 UTC 2005


> On Sat, 17 Dec 2005, |Lord_Zoo| wrote:
> 
> > That's why I want to know how to configure this, since I know it's not
> > good, but well.
> >
> >
> > If you have a good resource to check on, please, let know. :D
> >
> > Thanks.

> OK for adding domains, it's incorporated in my adduser perl script;
> the variables at top allow me to decide which IP will be what etc.
> assuming you have the primary and secondary dns servers nfs mounted and
> then it uses rndc to load the zone, no manually making anything, if
> you want a copy of that section let me know, i'm still not really sure if
> I'm understanding your question though. but if you're happy to make a zone
> conf file and add it into named.conf manually on pri/sec then just use rndc
> reload zonename and it's all good
> 
> 
> >
> >
> > On Sat, 17-12-2005 at 23:36 +1000, Res wrote:
> >> On Fri, 16 Dec 2005, Gaston wrote:
> >>
> >>> Hi All.
> >>>
> >>>
> >>>	Does anybody know of a howto to configure bind with rndc for use with
> >>> zone transfers?
> >>>
> >>> I need to configure 2 fedora servers, and I don't want to duplicate the
> >>> dns records manually on each server.
> >>
> >> rndc reload zone
> >>
> >> you should NEVER EVER update a secondary manually entering entries
> >>
> >> (if I've misunderstood your question just ignore me, had staff party
> >> tonight :P )
> >>
> >>
> >> --
> >> Cheers
> >> Res
> >>
> >
> >
> 
> --
> Cheers
> Res

<snip> 
==============================================================================

I tried to send this earlier but for some reason it did not make the trip

==============================================================================

This thread seems weird, like I only have received part of it.

As a paid job I was the administrator of several DNS servers at a large
site (thousands of DNS records).  AFAIAC the ONLY resource for admins of
DNS systems using BIND, except for the BIND code, is the O'Reilly book
"DNS and BIND".

Rndc is not really a zone transfer tool.  It is a tool for more general
administration.  One of its functions is to provide a way for slave
servers to authenticate themselves to a master to have the master permit
a zone transfer.  It is a way to provide some security for the DNS system.

On DNS Security:

You could use DNSSEC to encrypt data xfers, though I never have.  To
prevent you should prohibit zone transfer except to explicitly
trusted, authorized slave servers.

Rndc is used by the master or slaves in a zone which restricts zone
transfers to permit transfers to/from systems presenting the key.

There are different ways to configure rndc.  You can have a single
key associated with all slave access to the master, or separate keys for
each slave.  I suspect the easiest will be to generate a key for all
slaves, and associate that key with an ACL on the master that includes
all the slaves.  The single key will permit (with proper configuration
of the slaves) the slaves to exchange updates should the master become
unreachable.

It is possible to configure a more complex set of keys, one for each
authoritative server.  This would be useful if your zone was forced to
use a slave NOT under the organization's control, or otherwise NOT
completely trusted by your organization.
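As an added example (not from the thread, and not configuration any poster supplied), here is the single-shared-key arrangement described above written out as named.conf fragments for the master and one slave. The `key` statement is the same TSIG key format that rndc's control channel uses, but what actually restricts transfers is the zone's `allow-transfer` list, and the doubly negated nested list is the standard BIND idiom for requiring both a permitted source address and the key. The IP addresses (RFC 5737 documentation ranges), key name, secret and file paths are constructed placeholders.

```conf
# --- On the master ---
# Generate a secret with: tsig-keygen xfer-key  (BIND 9.11+)
# older BIND: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key
# BIND of the 2005 era in this thread only offered hmac-md5.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET=";   # placeholder, not a real key
};

# Source addresses of the trusted slaves (constructed example values)
acl "slaves" { 192.0.2.10; 192.0.2.11; };

options {
    # Default for every zone: nobody gets a transfer unless a zone
    # statement explicitly says otherwise.
    allow-transfer { none; };
    notify yes;
};

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    # Require BOTH conditions.  The nested list { !slaves; any; } matches
    # (positively) for any address NOT in "slaves", and the leading "!"
    # turns that into a deny.  An address in "slaves" only produces a
    # negated match inside the nested list, so evaluation falls through
    # to "key xfer-key", which must then match or the transfer is denied.
    allow-transfer { !{ !slaves; any; }; key xfer-key; };
    also-notify { 192.0.2.10; 192.0.2.11; };
};

# --- On each slave ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET=";   # same secret as on the master
};

# Sign every request to the master (SOA refresh, AXFR/IXFR) with the key
server 192.0.2.1 { keys { xfer-key; }; };

zone "example.com" {
    type slave;
    file "/var/named/slaves/example.com.zone";
    masters { 192.0.2.1; };
    # Lets the slaves feed each other if the master is unreachable, still
    # only with the key and only from the listed addresses.
    allow-transfer { !{ !slaves; any; }; key xfer-key; };
};
```

A quick check after loading this on the master is `dig @192.0.2.1 example.com AXFR` from a slave without the key, which should be refused, and the same with `-k` pointing at the key file, which should succeed.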

In the case of my network here at my home for which I have static IP
addresses and a domain name, I have internal and external DNS zones
(split DNS).  My external zone DNS servers are my firewall and a DNS
server at a remote site.  The internal zone is served by BIND servers on
my firewall and the mail hub.  I use RNDC to control zone xfers for both
zones.

My configuration is easier than it might be because I know and trust the
admins of the remote BIND server.

I hope this will help y'all.

By the way nsupdate is used for dynamic DNS (typically on nets where
DHCP is in use).  My understanding is that this thread is about a BIND
environment which uses static zone tables.

dlg

David L. Gehrt				Land Line:	805.541.2390
1865 Wilding Lane			Cell phone:	805.704.5890
San Luis Obispo, CA 93401-3044		Email:		dlg at inanity.net




More information about the fedora-list mailing list