BIND Slave - How to configure so that all zones are transfered?

In the documentation at the following link seems to say that for every zone that needs to be copien on the slave bind, we need to add the zone config. Is there a way so that all zones in ispconfig server will be transferred to the slave bind without doing a config for each zone?
https://www.howtoforge.com/installation-of-bind-as-a-secondary-slave-dns-server-on-centos

 

There is a tutorial on setting up DNS name service with ISPConfig, using two name servers.
https://www.howtoforge.com/tutorial/setting-up-your-own-name-service-with-ispconfig/

 

Thank you for the links. I am sorry but I am not familiar with bind at all. I still need help with the configuration.
I have already got the bind in ispconfig running because of the ispconfig installer.
The record in named.conf.local looks like this.
zone "example.com" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.example.com";
};

Changed to this using the ispconfig interface.

zone "example.com" {
type master;
allow-transfer {111.222.333.444;};
also-notify {111.222.333.444;};
file "/etc/bind/pri.example.com";
};

On another server that only runs bind at ip address 111.222.333.444 with firewall port 53 opened.
The following setting has been added in options but does not work. Bind has been restarted.
allow-transfer { none; };
allow-new-zones yes;
I need the slave bind to have everything that the ispconfig bind has. This is to be done automatically without me doing anything for every new zone. I know this is possible but I cannot figure out how to configure the slave bind. Need all the advice I can get.

 

The Tutorial I gave a link to sets up two name servers. Follow that tutorial, it uses the ISPConfig way.
ISPConfig does not use the zone transfer mechanism of Bind to copy data to the slave. It copies database entries from ISPConfig database to the hosts running name service. Set up the second name server host as mirror of the first.
None of those allow transfer and also notify settings are needed.
I would say best thing now is to forget the setup you have now, and create a new setup following the tutorial. Then you get two working name servers and both have the same zones configured.
If you must use master and slave BIND name servers, you have to create a mechanism that copies new zones from master to slave. I think there was discussion of this method in this forum long ago. I planned to do that kind of setup but gave up after I undestood how easy the ISPConfig way is.

 

Thanks for the advice. I will read the tutorial again.
I used powerdns before and it was super easy to sync. Anyway I will read the tutorial again.

 

Please note that I am not an expert. I just searched the internet for documentation on how to use bind's rndc and this is what I have done and it seems to work. Again I am not sure about security and scale-ability. For a small setup like mine it seems to work well.

The whole purpose of this is to create a simple slave on any distro with bind 9. Then hopefully in the future ispconfig can use rndc to add dns zones into the remote slave bind dns.

1. install the latest bind 9 into a distro of your choice. I used centos 8.

2. On the slave bind, we have to create a rndc key. This can be done using rndc-confgen. Here is the output from

# rndc-confgen -A hmac-sha256

--------------- start ----------------
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-sha256;
secret "QSAwt2ihlh5wfGdTbLKP6Ws+0l1XWfFwqOTvhz0tAXk=";
};

options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-sha256;
# secret "QSAwt2ihlh5wfGdTbLKP6Ws+0l1XWfFwqOTvhz0tAXk=";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
----------------- end ----------------

3. Then take the key part and put into the name.conf of the slave bind. Please place the key and controls above the options part. Like below.
----------- start ------------------
key "rndc-key" {
algorithm hmac-sha256;
secret "QSAwt2ihlh5wfGdTbLKP6Ws+0l1XWfFwqOTvhz0tAXk=";
};

controls {
inet * port 953
allow { 127.0.0.1; master_bind_ip; } keys { "rndc-key"; };
};

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
.
.
.
.
------------ end -------------------

4. Add the following line in the options section of name.conf. This will allow rndc to add new zones.
------ start------------
allow-new-zones yes;
------- end ------------

5. Restart bind. This will start the rndc service on port 953 on the slave bind dns.

6. On the slave bind server, open port 953/tcp. On CentOS 8 it will be like this.
firewall-cmd --add-port=953/tcp --permanent
firewall-cmd --reload

Now the slave bind is listening on port 953/tcp for instructions.

7. Now on the ispconfig master bind dns machine, create the rndc.conf with the following. The same key as the slave.

------------ start -----------------
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-sha256;
secret "QSAwt2ihlh5wfGdTbLKP6Ws+0l1XWfFwqOTvhz0tAXk=";
};

options {
default-key "rndc-key";
default-server slave_name_server_ip or ns2.example.com;
default-port 953;
};
# End of rndc.conf
-------------- end -----------------

8. Now we can add zones from the master to slave.
---------- start--------------------------
rndc -c /etc/rndc.conf addzone example.com '{type slave; masters {master_bind_ip;}; file "/var/named/db.example.com";};'
rndc -c /etc/rndc.conf reload

To delete a zone
rndc -c /etc/rndc.conf delzone example.com
rndc -c /et/rndc.conf reload
-------------- end -----------------------

9. Here is a script that was use to create all the zones from the master to the slave for the first time.

----------------- start -----------------------
for x in $( ls /etc/bind/pri.* | cut -d '.' -f 2-5); do
zoneData="{type slave; masters {master_bind_ip;}; file \"/var/named/db.$x\";};"
/usr/sbin/rndc -c /etc/rndc.conf addzone $x $zoneData
done
----------------- end -------------------------

10. Some observations.
a. after doing rndc delzone, the db file in the slave is not deleted. Not a big problem.
b. is there a way to set in ispconfig so that whenever a new zone is created the allow transfer has the ip address of the slave instead of none currently?
Or not to have the line allow transfer none per zone so that we can put allow transfer in the options so that every zone is allowed to transfer. Same for allow notifications.
c. Any chance of incorporating rndc into ispconfig? Especially when since there is no change in the config for bind in the master bind.
d. Please share your thoughts.

 

This can be done with template for DNS. More info in ISPConfig manual.

 

Checked the documentation and the only thing I can find is the following line. Did I miss something?
"
In the [ZONE] stanza, you secify values for origin, ns1, mbox, refresh, retry, expire, minimum, and ttl
in the form name=value.
"

 

I think you are right. I thought also the allow transfer IP-addresses could be given in the template. Sorry for my mistake. It may be in next version of ISPConfig to support DNSSEC.

 

Yes! This works! Great!
Thank you for the advice.