Export to tinydns

Matt Simerson edited this page Dec 14, 2016 · 25 revisions

install djbdns

Djbdns or ndjbdns needs to be installed on the NicTool server and on each DNS server. No patches are necessary when building djbdns: NicTool's export routines use tinydns' generic record format to publish the record types that tinydns doesn't natively support (SPF, SRV, AAAA, LOC, NAPTR, SSHFP). The djbdns IPv6 patch is not needed to publish AAAA records, but it is needed to bind tinydns to an IPv6 address.
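
The generic record format mentioned above is `:fqdn:type:rdata:ttl`, with rdata written as literal printable characters plus `\NNN` octal escapes. The following is an added example (not NicTool's nt_export.pl, and not djbdns code) of how an exporter builds AAAA (type 28) and SRV (type 33) lines that way; the hostnames, addresses and the 3600 default TTL are constructed sample input.

```sh
#!/bin/sh
# Added example (not NicTool's nt_export.pl): emit tinydns "generic"
# records (:fqdn:type:rdata:ttl) for types tinydns-data lacks natively,
# here AAAA (type 28) and SRV (type 33). Names and addresses below are
# constructed sample input.

# One octet rendered as the \NNN octal escape tinydns-data expects in rdata.
oct() { printf '\\%03o' "$1"; }

# 16-bit value in network byte order, as two octal escapes.
u16() { oct $(($1 / 256)); oct $(($1 % 256)); }

# AAAA rdata: 16 octets from a fully expanded address (8 hextets, no "::").
# The subshell body keeps the IFS change local; "exit" only ends the subshell.
aaaa_rdata() (
  IFS=:
  set -- $1
  [ $# -eq 8 ] || { echo "aaaa_rdata: need 8 hextets" >&2; exit 1; }
  for h; do
    v=$(printf '%d' "0x$h")
    u16 "$v"
  done
)

# A domain name in DNS wire format: length-prefixed labels, root label last.
# Printable label characters may be written literally in tinydns-data rdata.
dns_name() (
  IFS=.
  set -- ${1%.}
  for label; do
    oct "${#label}"
    printf '%s' "$label"
  done
  oct 0
)

# SRV rdata: priority, weight, port (each 16-bit) followed by the target name.
srv_rdata() {
  u16 "$1"; u16 "$2"; u16 "$3"; dns_name "$4"
}

# Complete record lines. TTL defaults to 3600 (a constructed choice).
aaaa_record() { printf ':%s:28:%s:%s\n' "$1" "$(aaaa_rdata "$2")" "${3:-3600}"; }
srv_record()  { printf ':%s:33:%s:%s\n' "$1" "$(srv_rdata "$2" "$3" "$4" "$5")" "${6:-3600}"; }

# Sample use: each printed line belongs in the tinydns 'data' file, which
# tinydns-data then compiles into data.cdb.
aaaa_record ns1.example.com 2001:0db8:0000:0000:0000:0000:0000:0001
srv_record _sip._udp.example.com 10 5 5060 sip.example.com
```

The rdata never contains a literal `:` because every non-printable byte is emitted as an octal escape; a label that did contain `:` or `\` would have to be escaped as `\072` or `\134` before it could go into a generic record.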

Instructions are available for installing djbdns on FreeBSD, Debian and CentOS.

Create the tinydns service

On the DNS server(s), create a user account for the tinydns DNS server, and then create the services, substituting the user and group names you just created:

```sh
export TINYUSER=tinydns
export TINYGROUP=bind
export TINYIP=10.0.0.1
export NSNAME=ns1.example.com
pw user add $TINYUSER -m
mkdir /usr/local/tinydns /usr/local/axfrdns
tinydns-conf $TINYUSER $TINYGROUP /usr/local/tinydns/$NSNAME $TINYIP
axfrdns-conf $TINYUSER $TINYGROUP /usr/local/axfrdns/$NSNAME /usr/local/tinydns/$NSNAME $TINYIP
```

enable TCP support in axfrdns

```sh
cd /usr/local/axfrdns/$NSNAME
cat > tcp <<EOTCP
:allow,AXFR=""
:deny
EOTCP
make
```
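
The `tcp` file above allows TCP queries from any client while `AXFR=""` refuses every zone transfer, and `:deny` is the catch-all. The following added check (not part of the NicTool wiki or of djbdns) lints such a file before `make` compiles it into `tcp.cdb`: it fails if any allow rule lacks an `AXFR=` setting, or if the catch-all `:deny` is missing. The rule lines used in its comments and tests are constructed samples.

```sh
#!/bin/sh
# Added example, not NicTool's or djbdns' code: lint an axfrdns "tcp" rules
# file so that enabling TCP service does not also hand out zone transfers.
# A line passes when it is the catch-all ":deny", a comment, or an allow rule
# carrying an AXFR= setting (AXFR="" refuses all transfers; AXFR="zone"
# limits them to that zone). Returns 0 when the whole file passes.
check_axfr_policy() {
  rc=0
  default_deny=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) ;;                    # blank line or comment
      :deny) default_deny=1 ;;       # empty address: matches every client
      *:allow*)
        case $line in
          *,AXFR=*) ;;               # transfers constrained on this rule
          *) echo "unrestricted AXFR on rule: $line" >&2; rc=1 ;;
        esac ;;
    esac
  done < "$1"
  if [ "$default_deny" -ne 1 ]; then
    echo "missing catch-all :deny rule" >&2
    rc=1
  fi
  return $rc
}

# Usage in the axfrdns directory, gating the compile on the check:
#   check_axfr_policy tcp && make
```

A rule such as `10.0.0.:allow,AXFR="example.com"` (constructed) passes, since the transfer is limited to one zone for one network; a bare `:allow` does not, because it would let any client transfer every zone tinydns serves.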

start up tinydns & axfrdns

```sh
ln -s /usr/local/tinydns/$NSNAME /service/tinydns-$NSNAME
ln -s /usr/local/axfrdns/$NSNAME /service/axfrdns-$NSNAME
```

Set up NicTool export

On the NicTool server, create a system user for the NicTool export process to run as. Then, as that user ($NTE_USER below), generate SSH keys and install the public key in tinydns@ns1:.ssh/authorized_keys.

```sh
export NTE_USER=nictool
pw user add $NTE_USER -m
su - $NTE_USER
ssh-keygen
cat .ssh/id_rsa.pub
```

Copy the contents of the SSH public key and paste it into the tinydns user's authorized_keys file on the tinydns server:

```sh
su - $TINYUSER
ssh-keygen
vi .ssh/authorized_keys
```

Test by making an SSH connection from the $NTE_USER account on the NicTool server to the tinydns account on the DNS server:

```sh
su - $NTE_USER
ssh $TINYUSER@$NSNAME
```

You'll be prompted to accept the remote server's host key, and should then be logged in successfully. This must work in order for updates to happen automatically.

Create the NicTool export

```sh
mkdir -p /usr/local/nictool/$NSNAME
cd /usr/local/nictool/$NSNAME
chown $NTE_USER ../$NSNAME
ln -s ../server/bin/nt_export.pl .
setuidgid $NTE_USER ./nt_export.pl
setuidgid $NTE_USER ./nt_export.pl -nsid N
```

The export script will connect to the database, export all the data for the selected NS, compile the 'data' file into data.cdb, and then rsync a copy of data.cdb to the remote NS. If the nictool export user has permission to SSH to the NS as the 'tinydns' user, then the export will likely succeed.

The nt_export.pl script will also leave behind a 'run' file in the export directory. The run file will perform the actual export (calling nt_export.pl with the right settings) and has instructions for use with cron, init, or daemontools. The default action is to run a manual export.

```sh
./run     # wait 10 seconds, ignore any errors
Ctrl-C    # cancel
vim run   # uncomment the 'run' entry for the desired deployment model
```

Start the NicTool export service

```sh
ln -s /usr/local/nictool/$NSNAME /service
```