I can check the condition for the checkbox in the code. It's likely coupled with the mirroring to prevent DNSSEC from being enabled when mirroring is on.
note for anyone else trying to switch dns replication methods...

check all the client limit templates, make sure the default secondary dns server is set to what will be the bind slave server. and update default_slave_dnsserver in the client table for all existing users with the correct server id for what will be the bind slave server, then resync clients & resellers..

i'm not sure if that would have had any effect on my previous attempts to switch by creating all the secondary zones directly in mysql, but not doing this will cause problems with creating secondary zones in the gui as the client.

also.. you probably end up with loads of terminal windows open at the same time.... close any terminal windows connected to the master ispconfig server after setting the xfer and also_notify fields in the dns_soa table and the default_slave_dnsserver in the client table so that you don't type things into the wrong window and accidentally truncate the dns_soa table on the master dbispconfig db!!!!
Thank you for testing this so intensively. Can you please write up a detailed list of steps to break mirroring and use master/slave? Maybe we can take that as reference if someone is willing to implement a script in the future.
assumed starting point: multi-server with 2 dns servers, ns1 and ns2.

method 1: break mirroring on ns2, remove primary zones on ns2 and configure secondary dns zones on ns2 instead.
method 2: install 3rd nameserver, ns3, configure secondary dns zones on ns3. break mirroring on ns2 and remove or re-use ns2.

i chose method 2.. partly because by the point i was ready to switch things in a live system i'd already added a server for ns3 for testing purposes, and partly because it allowed me to keep the existing mirrored nameserver active and fully working whilst i got ns3 correctly configured and created all the secondary dns zones.

method 1 would generally make more sense, and would involve fewer steps. especially so if the secondary zones can be created automatically. creating them all manually is tedious and time consuming.

the instructions below are all for method 2, as that's what i actually did. the correct sequence for method 1 can be worked out from these instructions.. but i'll post it separately later, once my brain's a bit less fried...

method 2:

create ns3 A/AAAA records in your main domain's dns.
install and configure ns3 as normal for installing a dns server using the ispconfig auto-installer and configure settings as normal in ispconfig gui. do not configure it to mirror another server.

using mysql, edit dbispconfig on ispconfig master:
Code:
    -- no WHERE clause: this sets the fields on every zone in dns_soa
    update dns_soa set xfer = '<comma separated list of IPs of ns3>';
    update dns_soa set also_notify = '<comma separated list of IPs of ns3>';

find the server_id from the server table and update the client limit templates.
Code:
    select server_id from server where server_name = 'ns3.<domain.tld>';
    update client_template set default_slave_dnsserver = '<server_id>';

you'll also want to update this for existing users.
Code:
    update client set default_slave_dnsserver = '<server_id>';

set the xfer and also_notify fields in the relevant dns zone templates as well. can be done directly in mysql on master, possibly via api. for me it was easiest to edit manually in gui.

from the gui, resync 'dns records' on ns1 and also 'client and reseller'.

you should now be able to create the secondary dns zones.. either all as ispconfig admin, or as each individual client - the only method i found to work was creating the secondary zones in the gui. this may be possible via the api, I couldn't see any documentation that dns_slave_add is an api option though.
creating all the zones directly in mysql on the master does not work.. nothing i tried will get that data into the secondary ns server's database. possibly exporting the dns_slave table from the master into the db on ns3 and resyncing all services on ns3 will work. i would not be confident on future zone changes syncing properly or newly added zones getting created at all on the secondary ns server.

options exist at this point.

use ns3 as the new secondary zone dns server and either re-use or remove ns2:
add ns3 as a nameserver with your domain registrar and create the relevant glue records.
add ns3 as an NS record in all your dns zones.
also tell anyone with domains registered elsewhere but using you for dns to add the nameserver to the domain with their registrar.

removing existing ns2 server:
remove mirroring of ns1 by ns2. -- at this point dnssec options become available again in the dns area of the gui
either:
delete the server (remove ns2 from server - server services)
also drop user ispcsrv## from mysql on ispconfig master server for the ispcsrv user from ns2. and 'root'@'ns2.<domain.tld>' and 'root'@'<any ns2 ip addresses>'
then delete/destroy/reinstall the ns2 vm/server as needed.
remove ns2 NS records from all domains.
remove ns2 as nameserver for domain with registrar
(alternatively, leave ns2 configured with registrar and in client dns zones, and remove NS2 A/AAAA records in main domains dns and NS2 CNAME record pointing to ns2.<domain.tld>)

re-using existing ns2 server:
truncate the dns_soa and dns_rr tables on ns2.
and reuse it as either another primary (non-mirrored) dns server, or as another secondary (bind slave) server (or use for other ispconfig services if they're installed)

alternatively, completely remove the existing ns2 server and rename ns3 to ns2:
remove mirroring of ns1 by ns2. -- at this point dnssec options become available again in the dns area of the gui
delete the server (remove ns2 from server - server services)
in dns, change disable/delete A/AAAA records for ns2
rename A/AAAA records for ns3 to ns2
update the glue records for ns2 with your domain registrar
drop user ispcsrv## from mysql on ispconfig master server for the ispcsrv user from the old ns2. and 'root'@'<any ns2 ip addresses>'
update the 'root'@'ns2.<domain.tld>' user password to match the password for 'root'@'ns3.<domain.tld>';
delete/destroy/reinstall the ns2 vm/server as needed
on member servers edit /etc/hosts, add the ip for ns3, but using the name ns2. comment out/remove any existing entry for ns2.
on ns3: hostnamectl hostname ns2
reboot ns3 (now ns2)
in ispconfig gui - system - server services - edit ns3 server - change hostname to ns2
in system - server config - edit ns2 server - in the server tab edit the hostname field, replacing ns3 with ns2 - this field doesn't get updated by the other gui edits

on the now ns2 server:
delete/rename /usr/local/ispconfig/interface/ssl/ispserver.crt/.key/.pem files
run ispconfig_update.sh --force
answer yes to reconfigure permissions in master db
answer yes to reconfigure services
answer yes to create ssl certs

to finish cleaning up, on the master server, you can drop the mysql users 'root'@'ns3.<domain.tld>' and 'ispcsrv##'@'ns3.<domain.tld>'

also, @pyte, you originally asked how long it takes...
none of the reconfiguration itself takes long, most of my time was taken up keeping notes of what i was doing.. and double-checking everything / retesting at each step.. after accidentally deleting all the dns zones in the master db yesterday i decided to be a lot more careful...

the bits that take time were manually creating all the secondary zones.. but part of choosing this method is that i had no need to rush that.. as the already existing ns2 mirroring server was still fully configured and working while i did this.

the 'dns records' resync can take a while.. i only had a few hundred zones on this system, but some have a lot of records in.. so resyncing added around 3000 items to the job queue.. it got down to around 1280 remaining within 2 minutes.. then it got slow.. about 8 minutes to complete a couple of hundred job queue items, then it did the remaining 1100 or so in another couple of minutes. i couldn't tell what the reason for the slowness part way through was.. nothing was obvious in any logging.
method 1:

****************************************************************************************************
note that i have already completed switching dns replication using method 2 in the previous post.
method 1 is derived from the testing i've described so far in this thread, and what worked in method 2.
from everything i've learnt so far, logically method 1 should work without problems, but method 1 has NOT been tested by me.
until someone else posts in this thread that they've successfully used method 1, it remains theoretical.
therefore i recommend you try it on a test system first before attempting to use it on a production system.
****************************************************************************************************

in the gui, remove mirroring of ns1 by ns2

in mysql on ns2:
Code:
    -- run on ns2 only, never on the ispconfig master
    use dbispconfig;
    truncate dns_rr;
    truncate dns_soa;

in mysql on ispconfig master:
Code:
    use dbispconfig;
    -- no WHERE clause: this sets the fields on every zone in dns_soa
    update dns_soa set xfer = '<comma separated list of IPs of ns2>';
    update dns_soa set also_notify = '<comma separated list of IPs of ns2>';

find the server_id from the server table and update the client limit templates.
Code:
    select server_id from server where server_name = 'ns2.<domain.tld>';
    update client_template set default_slave_dnsserver = '<server_id>';

you'll also want to update this for existing users.
Code:
    update client set default_slave_dnsserver = '<server_id>';

set the xfer and also_notify fields in the relevant dns zone templates as well. can be done directly in mysql on master, possibly via api. for me it was easiest to edit manually in gui.

from the gui, resync 'dns records' on ns1, 'all services' on ns2, and also 'client and reseller'

check /etc/bind on ns2. you may need to manually delete primary zone files. and named.conf.local should be an empty file.
i would also suggest checking the dns_soa and dns_rr tables in dbispconfig on ns2.. they should be empty. if they're not, then there's something wrong with this method.

you should now be able to create the secondary dns zones.. either all as ispconfig admin, or as each individual client - the only method i found to work was creating the secondary zones in the gui. this may be possible via the api, I couldn't see any documentation that dns_slave_add is an api option though.
creating all the zones directly in mysql on the master does not work.. nothing i tried will get that data into the secondary ns server's database. possibly exporting the dns_slave table from the master into the db on ns2 and resyncing all services on ns2 will work. i would not be confident on future zone changes syncing properly or newly added zones getting created at all on the secondary ns server.
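Added example, not part of any post in this thread and not ISPConfig code: a Python check to run over the primary's named.conf.local after the xfer / also_notify updates and the 'dns records' resync described in both methods, to confirm every primary zone allows transfers only to the intended secondary and notifies it. It assumes the xfer and also_notify fields end up as BIND allow-transfer and also-notify statements; the sample config, zone names and addresses (192.0.2.53 standing in for the secondary) are constructed.

```python
import re

# Constructed sample of a primary's named.conf.local; zone names and addresses
# are documentation placeholders, with 192.0.2.53 standing in for the secondary.
SAMPLE = '''
zone "example.com" {
        type master;
        allow-transfer {192.0.2.53;};
        also-notify {192.0.2.53;};
        file "/etc/bind/pri.example.com";
};
zone "example.net" {
        type master;
        allow-transfer {192.0.2.53; 198.51.100.7;};
        also-notify {192.0.2.53;};
        file "/etc/bind/pri.example.net";
};
zone "example.org" {
        type master;
        allow-transfer {none;};
        file "/etc/bind/pri.example.org";
};
'''

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)

def entries(body, statement):
    """Entries of `statement { a; b; };` as a set, or None if the statement is absent."""
    m = re.search(re.escape(statement) + r'\s*\{([^}]*)\}', body)
    return None if m is None else {e.strip() for e in m.group(1).split(';') if e.strip()}

def audit(conf_text, secondaries):
    """Return {zone: [findings]} for primary zones whose ACLs differ from `secondaries`."""
    report = {}
    for zone, body in ZONE_RE.findall(conf_text):
        if not re.search(r'type\s+(master|primary)\s*;', body):
            continue  # secondary and other zone types are not covered by this check
        found = []
        xfer, notify = entries(body, 'allow-transfer'), entries(body, 'also-notify')
        if xfer is None:
            found.append('allow-transfer not set, server default applies')
        else:
            if not secondaries <= xfer:
                found.append('allow-transfer lacks a secondary')
            for extra in sorted(xfer - secondaries - {'none'}):
                found.append('allow-transfer also permits ' + extra)
        if notify is None or not secondaries <= notify:
            found.append('also-notify lacks a secondary')
        if found:
            report[zone] = found
    return report
```

To use it on a real server, pass the contents of the primary's named.conf.local and the set of secondary IPs to `audit()`; an empty result means every primary zone matches.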
@nhybgtvfr Thanks a lot for posting the steps you have taken in detail. I'll move the thread to the tips & tricks forum so it can be found easier in the future.

There are API functions for DNS slave records; they seem to be missing in API docs, though.

Code:
//* Get slave zone details
public function dns_slave_get($session_id, $primary_id) {
	global $app;

	if(!$this->checkPerm($session_id, 'dns_zone_get')) {
		throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
		return false;
	}
	$app->uses('remoting_lib');
	$app->remoting_lib->loadFormDef('../dns/form/dns_slave.tform.php');
	return $app->remoting_lib->getDataRecord($primary_id);
}

//* Add a slave zone
public function dns_slave_add($session_id, $client_id, $params) {
	if(!$this->checkPerm($session_id, 'dns_zone_add')) {
		throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
		return false;
	}
	return $this->insertQuery('../dns/form/dns_slave.tform.php', $client_id, $params);
}

//* Update a slave zone
public function dns_slave_update($session_id, $client_id, $primary_id, $params) {
	if(!$this->checkPerm($session_id, 'dns_zone_update')) {
		throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
		return false;
	}
	$affected_rows = $this->updateQuery('../dns/form/dns_slave.tform.php', $client_id, $primary_id, $params);
	return $affected_rows;
}

//* Delete a slave zone
public function dns_slave_delete($session_id, $primary_id) {
	if(!$this->checkPerm($session_id, 'dns_zone_delete')) {
		throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
		return false;
	}
	return $this->deleteQuery('../dns/form/dns_slave.tform.php', $primary_id);
}