Automatic secondary DNS for ispCP - HOWTO

This guide describes how to set up automatic creation of newly added zones on a secondary DNS server.

  • The secondary DNS server fetches a configuration file with the domain listing from a secured web page on the ispCP server.
  • This file is saved locally on the secondary DNS server and included in the main bind configuration.
  • The secondary DNS server then performs zone transfers from the master (bind key configuration needed).
  • All of this runs as a cron job.

ENVIRONMENT

ispCP 1.7, Debian Lenny. It should work on other OSes as well.

CONFIGURATION

ON ISPCP SERVER

  • Edit /etc/ispcp/ispcp.conf

vim /etc/ispcp/ispcp.conf

Uncomment **SECONDARY_DNS = ** in the **# BIND data ** section and put your secondary DNS server IP there.
Your zone files will now have two NS entries (ns1.mydomain.com and ns2.mydomain.com) pointing to two IPs (ns1 to ispCP itself, and ns2 to the IP set in SECONDARY_DNS).

  • Create a script that lists all domains from the DB and creates the configuration file for the 2nd DNS server

mkdir /var/www/ispcp/gui/domain
cd /var/www/ispcp/gui/domain
vim index.php

And put there:

<?php
require '../include/ispcp-lib.php';

$cfg = ispCP_Registry::get('Config');
$sql = ispCP_Registry::get('Db');

$count_query = "
        SELECT
                COUNT(`domain_id`) AS cnt
        FROM
                `domain`
";

// No LIMIT here: the secondary must receive every hosted domain,
// not only the first page of results.
$query = "
        SELECT
                `domain_name`
        FROM
                `domain`
        ORDER BY
                `domain_id` ASC
";

$rs = exec_query($sql, $count_query);
$records_count = $rs->fields['cnt'];

$rs = exec_query($sql, $query);

if ($rs->rowCount() == 0) {
        echo "//NO DOMAINS LISTED\n";
} else {
        echo "//$records_count HOSTED DOMAINS LISTED ON $cfg->SERVER_HOSTNAME [$cfg->BASE_SERVER_IP]\n";

        // The panel's own hostname is emitted separately from the hosted domains
        echo "//CONFIGURATION FOR MAIN DOMAIN\n";
        echo "zone \"$cfg->BASE_SERVER_VHOST\" {\n";
        echo "\ttype slave;\n";
        echo "\tfile \"/var/cache/bind/$cfg->BASE_SERVER_VHOST.db\";\n";
        echo "\tmasters { $cfg->BASE_SERVER_IP; };\n";
        echo "\tallow-notify { $cfg->BASE_SERVER_IP; };\n";
        echo "};\n";

        // One slave zone block per hosted domain
        while (!$rs->EOF) {
                $domain = $rs->fields['domain_name'];
                echo "zone \"$domain\" {\n";
                echo "\ttype slave;\n";
                echo "\tfile \"/var/cache/bind/$domain.db\";\n";
                echo "\tmasters { $cfg->BASE_SERVER_IP; };\n";
                echo "\tallow-notify { $cfg->BASE_SERVER_IP; };\n";
                echo "};\n";
                $rs->moveNext();
        }
}

echo "//END DOMAINS LIST\n";
?>
  • Make it more secure (allow access to the listing only from the secondary DNS server's IP)

vim .htaccess

<Files index.php>
Order Deny,Allow
Deny from all
Allow from SECONDARY_DNS_IP
</Files>

vim /etc/apache2/sites-enabled/00_master.conf

Change the AllowOverride setting for the gui directory (to enable .htaccess) from

    <Directory /var/www/ispcp/gui>
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

to:

    <Directory /var/www/ispcp/gui>
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride Limit
        Order allow,deny
        Allow from all
    </Directory>

chown vu2000:www-data -R /var/www/ispcp/gui/domain

  • Generate key for secure zone transfer (TSIG)

Create keys for zone transfer

cd /etc/bind
dnssec-keygen -a hmac-md5 -b 128 -n HOST TRANSFER

The key is written to the file Ktransfer.+157+37782.private. Nothing uses this file directly, but the base64-encoded string following "Key:" can be extracted from it and used as the shared secret:

Key: 6alK9JEHMqH/ZDpFHtlstg==

The string "6alK9JEHMqH/ZDpFHtlstg==" is the shared secret. It has to go into the bind configuration on the ispCP server (and later on the secondary DNS server).

vim /etc/bind/named.conf.options

Add at the end of the file

        //
        //SECONDARY NS
        //
        key "TRANSFER" {
                algorithm hmac-md5;
                secret "6alK9JEHMqH/ZDpFHtlstg==";
        };
        server SECONDARY_DNS_IP {
                keys {
                        TRANSFER;
                };
        };

ON SECONDARY DNS SERVER

  • Edit the bind configuration and put there

include "/etc/bind/named.conf.backup";

  • Put the zone transfer key in the bind configuration

vim /etc/bind/named.conf.options

Add at the end of the file

        //
        //SECONDARY NS
        //
        key "TRANSFER" {
                algorithm hmac-md5;
                secret "6alK9JEHMqH/ZDpFHtlstg==";
        };
        server ISPCP_SERVER_IP {
                keys {
                        TRANSFER;
                };
        };
  • Create the cron job

vi /etc/cron.d/dnsupdate

*/10 * * * * root      /usr/bin/wget --no-check-certificate https://YOUR_ISPCP_DOMAIN/domain/ -O /etc/bind/named.conf.backup && /etc/init.d/bind9 reload && /usr/bin/logger "ispCP: Backup zones updated!"

Note that --no-check-certificate makes wget accept any certificate, so with that option the download is protected only by the .htaccess IP restriction on the ispCP side; drop it once the secondary trusts the ispCP server's certificate.
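The cron job writes whatever wget returns straight into the included file, so a truncated download, a listing whose zone count does not match its header, or an odd zone name only shows up when bind reloads. The check below, added here as an example and not part of the original HOWTO, parses the listing format that index.php emits and reports such problems before the file is installed; the sample listing is constructed and the function names are my own.

```python
import re

# Constructed sample of the listing index.php returns (not a real capture).
SAMPLE = (
    '//2 HOSTED DOMAINS LISTED ON panel.example.net [192.0.2.10]\n'
    '//CONFIGURATION FOR MAIN DOMAIN\n'
    'zone "panel.example.net"{\n\ttype slave;\n'
    '\tfile "/var/cache/bind/panel.example.net.db";\n'
    '\tmasters { 192.0.2.10; };\n\tallow-notify { 192.0.2.10; };\n};\n'
    'zone "alpha.example"{\n\ttype slave;\n'
    '\tfile "/var/cache/bind/alpha.example.db";\n'
    '\tmasters { 192.0.2.10; };\n\tallow-notify { 192.0.2.10; };\n};\n'
    'zone "beta.example"{\n\ttype slave;\n'
    '\tfile "/var/cache/bind/beta.example.db";\n'
    '\tmasters { 192.0.2.10; };\n\tallow-notify { 192.0.2.10; };\n};\n'
    '//END DOMAINS LIST\n'
)

HEADER_RE = re.compile(r'^//(\d+) HOSTED DOMAINS LISTED ON \S+ \[([0-9.]+)\]$', re.M)
ZONE_RE = re.compile(r'^zone "([^"]+)"\s*\{(.*?)^\};', re.M | re.S)
LABEL_RE = re.compile(r'^(?!-)[a-z0-9-]{1,63}(?<!-)$', re.I)

def valid_zone_name(name):
    """Hostname syntax only: quotes, slashes or empty labels never reach named.conf."""
    labels = name.rstrip('.').split('.')
    return bool(labels) and all(LABEL_RE.match(label) for label in labels)

def check_backup_config(text, master_ip):
    """Return a list of problems; an empty list means the file is safe to include."""
    problems = []
    if '//END DOMAINS LIST' not in text:
        problems.append('trailer missing: download truncated')
    header = HEADER_RE.search(text)
    if not header:
        return problems + ['header missing']
    count, header_ip = int(header.group(1)), header.group(2)
    if header_ip != master_ip:
        problems.append('header names master %s, expected %s' % (header_ip, master_ip))
    zones = ZONE_RE.findall(text)
    # The listing carries one block per hosted domain plus the panel's own zone.
    if len(zones) != count + 1:
        problems.append('header announces %d domains but %d zone blocks found'
                        % (count, len(zones) - 1))
    for name, body in zones:
        if not valid_zone_name(name):
            problems.append('bad zone name %r' % name)
        if 'file "/var/cache/bind/%s.db"' % name not in body:
            problems.append('zone %s: file not under /var/cache/bind' % name)
        if 'masters { %s; }' % master_ip not in body:
            problems.append('zone %s: unexpected master' % name)
    return problems
```

Run it on the downloaded file before moving it into place, and only reload bind when the returned list is empty.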

THAT'S IT
Check the logs (the logger line above writes to syslog) to verify that it is working.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License