This guide describes how to have zones that are newly added on the ispCP server created automatically on a secondary DNS server.
- The secondary DNS server fetches a configuration file with the domain listing from an access-restricted HTTPS page on the ispCP server.
- The file is saved locally on the secondary and included from the main bind configuration.
- The secondary then performs zone transfers from the master (TSIG key configuration on both sides is needed).
- Everything runs as a cron job.
ENVIRONMENT
ispCP 1.7, Debian Lenny. Should work on other OS as well.
CONFIGURATION
ON ISPCP SERVER
- Edit /etc/ispcp/ispcp.conf
vim /etc/ispcp/ispcp.conf
In the **# BIND data ** section, uncomment **SECONDARY_DNS = ** and set it to the IP address of your secondary DNS server.
From now on your zone files will carry two NS entries (ns1.mydomain.com and ns2.mydomain.com) pointing to two IPs: ns1 to the ispCP server itself, ns2 to the IP set in SECONDARY_DNS.
- Create a script that lists all domains from the database and generates the configuration file for the 2nd DNS server
mkdir /var/www/ispcp/gui/domain
cd /var/www/ispcp/gui/domain
vim index.php
And put there:
<?php
// Emits a BIND slave-zone configuration for every domain hosted on this ispCP server.
// The secondary DNS server fetches this page and includes the result in its named.conf.
require '../include/ispcp-lib.php';

$cfg = ispCP_Registry::get('Config');
$sql = ispCP_Registry::get('Db');

// Serve as plain text so the client never treats the output as HTML.
header('Content-Type: text/plain; charset=us-ascii');

$master_ip = $cfg->BASE_SERVER_IP;

// Print one slave zone block. Names that are not plain host names are skipped, so a
// domain record containing quotes, braces or semicolons can never inject named.conf directives.
function print_slave_zone($zone, $master_ip) {
    if (!preg_match('/^[a-z0-9.-]+$/i', $zone)) {
        echo "//SKIPPED INVALID ZONE NAME\n";
        return;
    }
    echo "zone \"$zone\" {\n";
    echo "\ttype slave;\n";
    echo "\tfile \"/var/cache/bind/$zone.db\";\n";
    echo "\tmasters { $master_ip; };\n";
    echo "\tallow-notify { $master_ip; };\n";
    echo "};\n";
}

$count_query = "SELECT COUNT(`domain_id`) AS cnt FROM `domain`";
// No LIMIT here: every hosted domain must be listed, not only the first page of results.
$query = "SELECT `domain_name` FROM `domain` ORDER BY `domain_id` ASC";

$rs = exec_query($sql, $count_query);
$records_count = $rs->fields['cnt'];
$rs = exec_query($sql, $query);

if ($rs->rowCount() == 0) {
    echo "//NO DOMAINS LISTED\n";
} else {
    echo "//$records_count HOSTED DOMAINS LISTED ON $cfg->SERVER_HOSTNAME [$master_ip]\n";
    echo "//CONFIGURATION FOR MAIN DOMAIN\n";
    print_slave_zone($cfg->BASE_SERVER_VHOST, $master_ip);
    while (!$rs->EOF) {
        print_slave_zone($rs->fields['domain_name'], $master_ip);
        $rs->moveNext();
    }
}
// The secondary can use this marker to detect a truncated download.
echo "//END DOMAINS LIST\n";
?>
- Restrict access to the secondary DNS server
vim .htaccess
<Files index.php>
Order Deny,Allow
Deny from all
Allow from SECONDARY_DNS_IP
</Files>
Replace SECONDARY_DNS_IP with the address of the secondary (the same one set in SECONDARY_DNS above). This is a source-address check only: it holds as long as the secondary fetches the file from that address, and it does not replace TLS on the connection.
vim /etc/apache2/sites-enabled/00_master.conf
Change the AllowOverride setting for the gui directory (so that the .htaccess file is honoured) from
<Directory /var/www/ispcp/gui>
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
to:
<Directory /var/www/ispcp/gui>
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride Limit
Order allow,deny
Allow from all
</Directory>
chown vu2000:www-data -R /var/www/ispcp/gui/domain
- Generate a key for secure zone transfer (TSIG)
Create the key on the ispCP server:
cd /etc/bind
dnssec-keygen -a hmac-md5 -b 128 -n HOST TRANSFER
The key is written to Ktransfer.+157+37782.private (the numbers differ on every run). named does not read this file; only the base-64 string after "Key:" is needed, as the shared secret:
Key: 6alK9JEHMqH/ZDpFHtlstg==
This string is the shared secret and goes into the BIND configuration on the ispCP server and, later, on the secondary DNS server. It is a throw-away example here: never reuse a secret printed in a guide. Once you have copied it, delete the K*.private and K*.key files or chmod 600 them. If your BIND is 9.4 or newer (Lenny ships 9.5), prefer -a HMAC-SHA256 -b 256 here and algorithm hmac-sha256 below; hmac-md5 is shown only because this setup was written with it.
vim /etc/bind/named.conf.options
Add at the end of the file (outside the options { ... }; block):
//
//SECONDARY NS
//
key "TRANSFER" {
algorithm hmac-md5;
secret "6alK9JEHMqH/ZDpFHtlstg==";
};
server SECONDARY_DNS_IP {
keys {
TRANSFER;
};
};
The server statement only makes named sign the messages it sends to the secondary (notifies and any requests) with this key; it does not by itself require the key on incoming transfer requests. To make the master refuse unsigned AXFR/IXFR, add allow-transfer { key TRANSFER; }; inside the options { ... }; block (or in each zone). Because named.conf.options is readable by every local user by default on Debian, a cleaner layout is to put the key statement in its own file (for example /etc/bind/transfer.key, owned root:bind, mode 0640) and include that file from named.conf.
ON SECONDARY DNS SERVER
- Edit the bind configuration (on Debian, /etc/bind/named.conf.local) and include the file the cron job will fetch (note the trailing semicolon; named refuses to start if the included file is missing, so create it empty with touch /etc/bind/named.conf.backup first):
include "/etc/bind/named.conf.backup";
- Add the same TSIG key and a server statement for the master
vim /etc/bind/named.conf.options
Add at the end of the file (outside the options { ... }; block):
//
//SECONDARY NS
//
key "TRANSFER" {
algorithm hmac-md5;
secret "6alK9JEHMqH/ZDpFHtlstg==";
};
server ISPCP_SERVER_IP {
keys {
TRANSFER;
};
};
Before automating anything, verify the transfer by hand from the secondary: request AXFR for the main domain against ISPCP_SERVER_IP with dig, passing the key through its -y option as hmac-md5:TRANSFER:<secret>. If the master was configured with allow-transfer limited to the key, the same request without -y must be refused.
- Create the cron job
vi /etc/cron.d/dnsupdate
*/10 * * * * root /usr/bin/wget -q --ca-certificate=/etc/ssl/certs/ispcp-ca.pem https://YOUR_ISPCP_DOMAIN/domain/ -O /etc/bind/named.conf.backup && /etc/init.d/bind9 reload && /usr/bin/logger "ispCP: Backup zones updated"
Do not use --no-check-certificate here: the downloaded file is BIND configuration, so anyone able to intercept the HTTPS connection could point every slave zone at a master of their choice. Point --ca-certificate at the CA that issued the ispCP server's certificate (the path above is an example). Two further weaknesses of this one-liner are worth knowing: wget -O truncates named.conf.backup before the download starts, so a failed fetch leaves an empty file behind (the && stops the reload, but the next restart of named will load zero slave zones), and nothing checks the file's contents before named reloads it.
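The following script is an added example, not part of the original guide or of ispCP: a safer replacement for the one-line cron job. It fetches the zone list with TLS verification, accepts the file only if it is complete and consists solely of the slave-zone directives index.php emits (every masters and allow-notify entry naming the expected master), swaps it into place atomically, and reloads named only after named-checkconf accepts the whole configuration. The URL, the CA file path, the master address placeholder, the script location in the cron comment, and the presence of rndc and named-checkconf on the secondary are assumptions.

```shell
#!/bin/sh
# Added example (not from the ispCP guide): validated, atomic update of named.conf.backup.
# Assumed (not on the page): URL, CA_FILE path, MASTER_IP placeholder, rndc and named-checkconf.

URL="${URL:-https://YOUR_ISPCP_DOMAIN/domain/}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ispcp-ca.pem}"   # CA that issued the ispCP server's certificate (assumed path)
MASTER_IP="${MASTER_IP:-ISPCP_SERVER_IP}"           # the only address a zone may name as its master
TARGET="${TARGET:-/etc/bind/named.conf.backup}"

# Download with the server certificate verified against the pinned CA (no --no-check-certificate).
fetch_zone_list() {
    wget -q --ca-certificate="$CA_FILE" "$1" -O "$2"
}

# Accept the file only if it is complete and made up solely of the constructs the generator
# produces: // comments and zone "<hostname>" { type slave; file ...; masters { $2; };
# allow-notify { $2; }; }; blocks. Returns 0 if acceptable, 1 otherwise.
validate_zone_list() {
    f="$1"
    master_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape the dots of the IP for the regex
    [ -s "$f" ] || return 1
    # the generator ends every list with this marker; a truncated download lacks it
    grep -q '^//END DOMAINS LIST$' "$f" || return 1
    # any line that is not a permitted directive (an include, an options block, a zone name
    # containing quotes or braces, a foreign master address) rejects the whole file
    if grep -v '^//' "$f" | grep -vqE "^(zone \"[A-Za-z0-9.-]+\" ?\{|[[:blank:]]*type slave;|[[:blank:]]*file \"/var/cache/bind/[A-Za-z0-9.-]+\.db\";|[[:blank:]]*masters \{ $master_re; \};|[[:blank:]]*allow-notify \{ $master_re; \};|\};)$"; then
        return 1
    fi
    return 0
}

# Put the new file in place with a rename (named never sees a half-written file) and check the
# whole configuration; if named-checkconf rejects it, the previous file is restored.
install_zone_list() {
    src="$1"; dst="$2"
    if [ -f "$dst" ]; then cp -p "$dst" "$dst.prev"; fi
    cp "$src" "$dst.tmp" && chmod 0644 "$dst.tmp" && mv "$dst.tmp" "$dst" || return 1
    if ! named-checkconf; then
        if [ -f "$dst.prev" ]; then mv "$dst.prev" "$dst"; fi
        return 1
    fi
    rm -f "$dst.prev"
    return 0
}

run_update() {
    tmp=$(mktemp /tmp/zonelist.XXXXXX) || return 1
    if ! fetch_zone_list "$URL" "$tmp"; then
        logger -t ispcp-dns "zone list download failed, keeping previous file"
        rm -f "$tmp"; return 1
    fi
    if ! validate_zone_list "$tmp" "$MASTER_IP"; then
        logger -t ispcp-dns "zone list rejected by validation, keeping previous file"
        rm -f "$tmp"; return 1
    fi
    if cmp -s "$tmp" "$TARGET"; then
        rm -f "$tmp"; return 0   # unchanged, nothing to reload
    fi
    if install_zone_list "$tmp" "$TARGET" && rndc reload; then
        logger -t ispcp-dns "Backup zones updated"
    else
        logger -t ispcp-dns "zone list install or reload failed"
    fi
    rm -f "$tmp"
}

# Cron entry (assumed script path):  */10 * * * * root /usr/local/sbin/ispcp-zonelist run
# Without the "run" argument the script only defines its functions.
if [ "${1:-}" = "run" ]; then
    run_update
fi
```

The validation is deliberately a whitelist of the exact lines the generator writes rather than a blacklist of dangerous ones: anything the ispCP page would never produce, including a second include, a changed masters address or a zone name that escapes its quotes, fails the check and the previous file stays in use. Reloading only when the file actually changed also keeps named from re-reading its configuration every ten minutes.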
THAT'S IT
Check the logs on both servers to confirm it is working: the logger line from the cron job on the secondary, and named's messages about zone transfers (and any refused ones) on the master.