
Slave a zone and then transfer it to many other slaves

secure411dotorg edited this page Jul 18, 2013 · 4 revisions

##### Use Case:

You may subscribe to an external Response Policy Zone (RPZ). The external source is the master for the zone, and one of your servers slaves the zone directly from it.

Say you have 8 resolvers: the remaining 7 should then slave the zone from your first slave rather than each pulling from the external master, so you want to duplicate this zone to 7 more slaves.

##### named.acl

One way to maintain ACLs for your zones is to create a file called named.acl which you edit whenever IP addresses change. IPs are listed in named groups, and those group names are then granted permissions in the zone clauses. If you have 20 zones, a new IP only needs to be added in one place, named.acl, instead of in every zone clause, which makes mistakes less likely. Be sure to include your named.acl file near the top of your named.conf.local file: `include "/etc/bind/named.acl";`

In your named.acl file (address groups need the `acl` keyword; the external master is a `masters` list):

```
// ... other acl groups
acl myresolvers { n.n.n.2; n.n.n.3; n.n.n.4; n.n.n.5; n.n.n.6; n.n.n.7; n.n.n.8; }; // List all your slaves here
masters "dissect-cyber" { 1.2.3.4; };      // Address of the external RPZ master (masters lists take plain addresses)
masters "otherzone_masters" { 1.2.3.4; };
// ... etc
```

##### allow-transfer

Each of the 7 other slaves pulls the zone from your first slave, so that slave's allow-transfer clause must permit them or the transfer is refused. The group names below come from named.acl:

```
zone "dc-cidr" {
    type slave;
    masters { dissect-cyber; };                                   // Must match a masters list name in your named.acl file
    file "/opt/rpz-deliverables/dc-cidr.db";                      // The path to your zone files
    allow-query { superadmin; myresolvers; mytrustedfriends; };   // Your ACL group names
    allow-transfer { superadmin; myresolvers; mytrustedfriends; };
};
```

##### also-notify

Your slaves need to know when new data is available, to minimize propagation time for protective blocking or for corrections to the zone from the master. The external master will notify your first slave; that slave must then notify the rest of the slaves via the also-notify clause:

```
zone "dc-cidr" {
    type slave;
    masters { dissect-cyber; };                                   // Must match a masters list name in your named.acl file
    file "/opt/rpz-deliverables/dc-cidr.db";                      // The path to your zone files
    allow-query { superadmin; myresolvers; mytrustedfriends; };   // Your ACL group names
    allow-transfer { superadmin; myresolvers; mytrustedfriends; };
    also-notify { superadmin; myresolvers; mytrustedfriends; };   // Every slave that should receive NOTIFY
};
```

Run `named-checkconf` after editing. also-notify takes IP addresses (BIND 9.9 and later also accept a named masters list), so if named-checkconf rejects the acl names here, define your slave list as a `masters` list in named.acl as well and reference that name instead.

##### Test

Coordinate a test with the external master source of the zone so you can observe an update from the external master propagating to your slave and then out to your 7 additional slaves. A simple way to observe it is to compare the zone's SOA serial on your first slave with the serial each of the other slaves serves: once they all match, the notify and transfer chain is working.
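The following POSIX shell script is an added example for that check; it is not part of the original wiki page. It queries the SOA serial of the zone on the first slave and on each additional slave and reports whether they agree. The zone name `dc-cidr` is the one from the zone clauses above; the host placeholders `n.n.n.1` through `n.n.n.8` and the variable names ZONE, FIRST_SLAVE and OTHER_SLAVES are assumptions to adjust for your site, and the querying host must be covered by the zone's allow-query ACL for the queries to be answered.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: check that a slaved RPZ
# zone has reached every secondary by comparing SOA serials across servers.
# Assumptions (adjust for your site): dig is installed, the querying host is
# allowed by the zone's allow-query ACL, and the host lists below are yours.

ZONE="${ZONE:-dc-cidr}"                  # zone name from the page's zone clause
FIRST_SLAVE="${FIRST_SLAVE:-n.n.n.1}"    # assumed: the slave that transfers from the external master
OTHER_SLAVES="${OTHER_SLAVES:-n.n.n.2 n.n.n.3 n.n.n.4 n.n.n.5 n.n.n.6 n.n.n.7 n.n.n.8}"

# Pull the serial (third field) out of a `dig +short ... SOA` answer such as
#   "ns1.example. hostmaster.example. 2013071801 3600 900 604800 60"
# Anything that is not a 7-field SOA record with a numeric serial (timeouts,
# SERVFAIL notices, empty output) yields nothing, so a dead or misconfigured
# server shows up as an empty serial rather than as garbage.
serial_from_soa() {
    printf '%s\n' "$1" | awk 'NF == 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Ask one server for the zone's SOA and print only its serial.
soa_serial() {
    serial_from_soa "$(dig +short +time=2 +tries=1 @"$1" "$2" SOA 2>/dev/null)"
}

# Succeed (exit 0) only when every argument after the first equals the first.
# An empty reference means the first slave did not answer, which never counts
# as in sync.
all_in_sync() {
    want="$1"; shift
    [ -n "$want" ] || return 1
    for got in "$@"; do
        [ "$got" = "$want" ] || return 1
    done
    return 0
}

# Print one line per server and summarise whether the other slaves match the
# first slave's serial. Servers that did not answer are recorded as NONE so
# they are not silently dropped from the comparison.
check_propagation() {
    ref="$(soa_serial "$FIRST_SLAVE" "$ZONE")"
    printf '%-16s serial=%s (reference)\n' "$FIRST_SLAVE" "${ref:-NONE}"
    serials=""
    for host in $OTHER_SLAVES; do
        s="$(soa_serial "$host" "$ZONE")"
        printf '%-16s serial=%s\n' "$host" "${s:-NONE}"
        serials="$serials ${s:-NONE}"
    done
    # shellcheck disable=SC2086  # word-splitting the collected serials is intended
    if all_in_sync "$ref" $serials; then
        echo "OK: all slaves serve serial $ref"
    else
        echo "LAG: at least one slave differs from serial $ref or did not answer"
        return 1
    fi
}

# Run the check only when invoked as `sh check-rpz-propagation.sh run`, so
# the functions above can also be sourced and used individually.
if [ "${1:-}" = "run" ]; then
    check_propagation
fi
```

Run it once before the coordinated test to record the current serial, then again after the external master publishes the update; the first slave should show the new serial first and the remaining slaves should follow within seconds if also-notify is working, or only after their refresh interval if it is not.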