This guide describes how to set up automatic creation of newly added zones on a secondary DNS server.
* The secondary DNS fetches a configuration file with the domain listing from a secured web page on the ispCP server.
* This file is saved locally on the secondary DNS and included in the main BIND configuration.
* The secondary DNS then performs a zone transfer from the master (a BIND key configuration is needed).
* Everything runs as a cron job.
**ENVIRONMENT**
ispCP 1.7, Debian Lenny. Should work on other OS.
**CONFIGURATION**
**ON ISPCP SERVER**
* Edit /etc/ispcp/ispcp.conf
> vim /etc/ispcp/ispcp.conf
Uncomment **SECONDARY_DNS = ** in the **# BIND data** section and put your secondary DNS server's IP there.
Your zone files will now have two NS entries (ns1.mydomain.com and ns2.mydomain.com) pointing to two IPs: ns1 to the ispCP server itself and ns2 to the IP set in SECONDARY_DNS.
* Create a script that lists all domains from the DB and generates the configuration file for the secondary DNS server
> mkdir /var/www/ispcp/gui/domain
> cd /var/www/ispcp/gui/domain
> vim index.php
And put there:
<?php
// Assumes the ispCP GUI library (adjust the path if your install differs);
// it provides $cfg, $sql and exec_query().
require '../include/ispcp-lib.php';

// Serve plain text: the output is a BIND configuration fragment, not HTML
header('Content-Type: text/plain');

// Count the domains first so the header line can report the total
$query = "SELECT COUNT(*) AS cnt FROM domain";
$rs = exec_query($sql, $query);
$records_count = $rs->fields['cnt'];

// Then list every domain name as a slave zone
$query = "SELECT domain_name FROM domain ORDER BY domain_name";
$rs = exec_query($sql, $query);
if ($rs->rowCount() == 0) {
    echo "//NO DOMAINS LISTED\n";
} else {
    echo "//$records_count DOMAINS LISTED ON $cfg->SERVER_HOSTNAME [$cfg->BASE_SERVER_IP]\n";
    while (!$rs->EOF) {
        // domain_name goes into the config as-is; ispCP validates names on entry
        echo "zone \"".$rs->fields['domain_name']."\" {\n";
        echo "\ttype slave;\n";
        echo "\tfile \"/var/cache/bind/".$rs->fields['domain_name'].".db\";\n";
        echo "\tmasters { $cfg->BASE_SERVER_IP; };\n";
        echo "\tallow-notify { $cfg->BASE_SERVER_IP; };\n";
        echo "};\n";
        $rs->moveNext();
    }
}
echo "//END DOMAINS LIST\n";
?>
* Make it more secure: restrict the directory to the secondary DNS server's IP
> vim .htaccess
and put there (replace SECONDARY_DNS with the IP of the secondary DNS server):
Order Deny,Allow
Deny from all
Allow from SECONDARY_DNS
> vim /etc/apache2/sites-enabled/00_master.conf
Change the gui directory's **AllowOverride** (to enable .htaccess) from
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
to:
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride Limit
Order allow,deny
Allow from all
> chown vu2000:www-data -R /var/www/ispcp/gui/domain
* Generate a key for secured zone transfers (TSIG)
Create the key on the ispCP server:
> cd /etc/bind
> dnssec-keygen -a hmac-md5 -b 128 -n HOST TRANSFER
The key ends up in a file named like Ktransfer.+157+37782.private (the numbers differ per run). Nothing uses this file directly; the base-64 string after "Key:" is the shared secret, so extract it from the file:
Key: 6alK9JEHMqH/ZDpFHtlstg==
The string "6alK9JEHMqH/ZDpFHtlstg==" is the shared secret. Put it in the BIND configuration on the ispCP server, and later on the secondary DNS server. Treat it like a password: anyone holding it can request a transfer of every zone that trusts the key. hmac-md5 is what this guide uses; if your BIND version supports it, hmac-sha256 is the stronger choice and is configured the same way.
> vim /etc/bind/named.conf.options
Add at the end of file
//
//SECONDARY NS
//
key "TRANSFER" {
algorithm hmac-md5;
secret "6alK9JEHMqH/ZDpFHtlstg==";
};
server SECONDARY_DNS_IP {
keys {
TRANSFER;
};
};
The server statement only makes BIND sign the messages it sends to that peer with the key. For the key to be required, the allow-transfer setting of the zones (or of the options block) must also name it, e.g. allow-transfer { key TRANSFER; };. Otherwise transfers stay gated only on source IP, which is what the SECONDARY_DNS setting gives you.
**ON SECONDARY DNS SERVER**
* Edit the BIND configuration and include the file the cron job will write (the statement needs the trailing semicolon):
include "/etc/bind/named.conf.backup";
Create the file empty for now (touch /etc/bind/named.conf.backup) so BIND still starts before the first download.
* Add the key generated on the ispCP server
> vim /etc/bind/named.conf.options
Add at the end of file
//
//SECONDARY NS
//
key "TRANSFER" {
algorithm hmac-md5;
secret "6alK9JEHMqH/ZDpFHtlstg==";
};
server ISPCP_SERVER_IP {
keys {
TRANSFER;
};
};
* Create the cron job
> vi /etc/cron.d/dnsupdate
and put there (a single line):
*/10 * * * * root /usr/bin/wget --no-check-certificate https://YOUR_ISPCP_DOMAIN/domain/ -O /etc/bind/named.conf.backup && /etc/init.d/bind9 reload && /usr/bin/logger "ispCP: Backup zones updated!"
Two things to be aware of: --no-check-certificate disables TLS certificate verification, so anything that can answer for YOUR_ISPCP_DOMAIN on the path could hand the secondary an arbitrary zone list (install the CA of the ispCP certificate on the secondary and drop the flag once verification passes), and wget -O truncates the include file before the download has succeeded, so a failed fetch leaves an empty file behind until the next run.
> /etc/init.d/cron reload
> /etc/init.d/bind9 restart
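A hardened version of that cron fetch, added here as an example and not part of the original guide: it verifies the server certificate against a pinned CA, downloads to a temporary file, rejects anything that is not the listing the PHP script above produces, runs named-checkconf, and only then swaps the file in and reloads. The URL, the CA file path and the script location are assumed placeholders.

```shell
#!/bin/sh
# Hardened fetch for the cron job above (added example, not part of the guide).
# Assumed placeholders: the listing URL, the CA file that signed the ispCP
# certificate, and the target include path used in this guide.
URL="${URL:-https://YOUR_ISPCP_DOMAIN/domain/}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ispcp-ca.pem}"
TARGET="${TARGET:-/etc/bind/named.conf.backup}"

# Structural check of a downloaded listing. The PHP script on the ispCP side only
# ever emits "//" comments, slave zone stanzas and a closing "//END DOMAINS LIST"
# marker, so anything else (an HTML error page, a truncated transfer) is rejected.
check_listing() {
    f="$1"
    [ -s "$f" ] || return 1
    tail -n 1 "$f" | grep -q '//END DOMAINS LIST$' || return 1
    zones=$(grep -c '^zone "' "$f" || true)
    slaves=$(grep -c 'type slave;' "$f" || true)
    [ "$zones" -eq "$slaves" ] || return 1
    # any non-blank line that is not a comment or part of a zone stanza is a failure
    if grep -v -E '^(//|zone "|[[:space:]]*(type|file|masters|allow-notify) |};)' "$f" \
        | grep -q '[^[:space:]]'; then
        return 1
    fi
    return 0
}

# Download to a temp file next to the target, verify it (structure plus BIND's own
# parser), and only then swap it in and reload. A failed download never touches
# the live include, unlike "wget -O" straight onto it.
update_zones() {
    tmp=$(mktemp "$TARGET.XXXXXX") || return 1
    if ! wget -q --ca-certificate="$CA_FILE" -O "$tmp" "$URL"; then
        rm -f "$tmp"; logger "ispCP: zone list download failed"; return 1
    fi
    if ! check_listing "$tmp" || ! named-checkconf "$tmp"; then
        rm -f "$tmp"; logger "ispCP: zone list rejected, keeping old config"; return 1
    fi
    if cmp -s "$tmp" "$TARGET"; then
        rm -f "$tmp"; return 0          # nothing changed, no reload needed
    fi
    chmod 644 "$tmp" && mv "$tmp" "$TARGET" || return 1
    /etc/init.d/bind9 reload && logger "ispCP: Backup zones updated"
}

# cron entry (e.g. /etc/cron.d/dnsupdate): */10 * * * * root /usr/local/sbin/dnsupdate.sh update
if [ "${1:-}" = "update" ]; then update_zones; fi
```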
**THAT'S IT**
Please check the logs to confirm it is working.