This guide describes how to prepare automaticly creation of newly added zones on secondary DNS server.
  *  Secondary DNS will access secured web page, to get configuration file with domain listing.
  * This file will be locally saved on Secondary DNS, and included to main bind configuration
  * Then Secondary DNS will make zone transfer from master (bind key configurations needed).
  *  All run as cronjob
  *
**ENVIROMENT**

ispCP 1.7, Debian Lenny. Should work on other OS.

**CONFIGURATION**

**ON ISPCP SERVER**

  * Edit /etc/ispcp/ispcp.conf

> vim /etc/ispcp/ispcp.conf

Uncomment **SECONDARY_DNS = ** and put your secondary DNS server IP in **# BIND data ** section.
Now your zone files will have to NS entries (ns1.mydomain.com and ns2.mydomain.com) pointing to 2 IP's (ns1 to ispcp it self, and ns2 pointing to IP sett in SECONDARY_DNS).

  * Create script, that will list all domains from DB, and create confirguration file for 2nd DNS server
> mkdir /var/www/ispcp/gui/domain
> cd /var/www/ispcp/gui/domain
> vim index.php

And put there:
<code>
<?php
require '../include/ispcp-lib.php';

$cfg = ispCP_Registry::get('Config');
$sql = ispCP_Registry::get('Db');

$count_query = "
                SELECT
                        COUNT(`domain_id`) AS cnt
                FROM
                        `domain`
        ";
$start_index = 0;
$rows_per_page = 100;

$query = "
                SELECT
                        `domain_name`
                FROM
                        `domain`
                ORDER BY
                        `domain_id` ASC
                LIMIT $start_index, $rows_per_page";

$rs = exec_query($sql, $count_query);

$records_count = $rs->fields['cnt'];
$rs = exec_query($sql, $query);
        if ($rs->rowCount() == 0) {
                echo "//NO DOMAINS LISTED";
        } else {
                echo "//$records_count DOMAINS LISTED ON $cfg->SERVER_HOSTNAME [$cfg->BASE_SERVER_IP]\n";
                while (!$rs->EOF){
                        echo "zone \"".$rs->fields['domain_name']."\"{\n";
                        echo "\ttype slave;\n";
                        echo "\tfile \"/var/cache/bind/".$rs->fields['domain_name'].".db\";\n";
                        echo "\tmasters { $cfg->BASE_SERVER_IP; };\n";
                        echo "\tallow-notify { $cfg->BASE_SERVER_IP; };\n";
                        echo "};\n";
                        $rs->moveNext();
                        }
                }


echo "//END DOMAINS LIST\n";
?>

</code>

  * Make it more secure

> vim .htaccess
>
<code>
<Files index.php>
Order Deny,Allow
Deny from all
Allow from SECONDARY_DNS
</Files></code>


> vim /etc/apache2/sites-enabled/00_master.conf
>
Change configuration for gui directory **AllowOverride**(to enable .htaccess) from


<code>    <Directory /var/www/ispcp/gui>
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory></code>

to:

<code>    <Directory /var/www/ispcp/gui>
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride Limit
        Order allow,deny
        Allow from all
    </Directory></code>

> chown vu2000:www-data -R /var/www/ispcp/gui/domain

  * Generate key for secure zone transfer (TSIG)
Create keys for zone transfer
> cd /etc/bind
> dnssec-keygen -a hmac-md5 -b 128 -n HOST TRANSFER
The key is in the file Ktransfer.+157+37782.private. Nothing directly uses this file, but the base-64 encoded string following "Key:" can be extracted from the file and used as a shared secret:

Key: 6alK9JEHMqH/ZDpFHtlstg==

The string "6alK9JEHMqH/ZDpFHtlstg==" can be used as the shared secret. We need to put it in bind configuration on ispCP server (and later on on secondary DNS server).

> vim /etc/bind/named.conf.options
Add at the end of file


<code>        //
        //SECONDARY NS
        //
        key "TRANSFER" {
                algorithm hmac-md5;
                secret "6alK9JEHMqH/ZDpFHtlstg==";
        };
        server SECONDARY_DNS_IP {
                keys {
                        TRANSFER;
                };
        };</code>

**ON SECONDARY DNS SERVER**
  * Edit bind configuration, and put there


<code>include "/etc/bind/named.conf.backup"</code>


  * Create keys for zone transfer
> vim /etc/bind/named.conf.options
Add at the end of file

<code>
        //
        //SECONDARY NS
        //
        key "TRANSFER" {
                algorithm hmac-md5;
                secret "6alK9JEHMqH/ZDpFHtlstg==";
        };
        server ISPCP_SERVER_IP {
                keys {
                        TRANSFER;
                };
        };
</code>

  * Create cron job
  * 
> vi /etc/cron.d/dnsupdate
>


<code>*/10 * * * * root      /usr/bin/wget --no-check-certificate https://YOUR_ISPCP_DOMAIN/domain/ -O /etc/bind/named.conf.backup && /etc/init.d/bind9 reload&&/usr/bin/logger "ispCP: Backup zones updated\!"
</code>
>/etc/init.d/cron reload
>/etc/init.d/bind restart

**THAT'S IT**
Please check log's to check if it's working.