Creating a nameserver
Nameservers are a key piece of infrastructure for reliability. They can be
used to route around bad frontends (see the overview for more details). It's
important that we have a stable and easily updateable nameserver. We have
chosen NSD (name server daemon) from NLnet Labs. We can control this
nameserver mostly using the paphosting user, but to (re)start the nameserver
(which binds port 53) we will require root access. We can use the handy
nsdc wrapper.
A1) Using OpenBSD
1. OpenBSD 5.0+ ships NSD in base!
Our config works with OpenBSD 5.5 and beyond (respecting the /var/nsd chroot).
chown -R _nsd:_nsd /var/nsd
chown -R paphosting:_nsd /var/nsd/{etc,zones}
chmod 775 /var/nsd/zones/slave
# The group, rc.conf.local and sudoers edits below use paths relative to /etc
cd /etc
# Add user paphosting to group _nsd: append ",paphosting" when the group
# already has members, plain "paphosting" when the member list is empty
sed -e 's,^\(_nsd:\*:[0-9]*:\)\(.\{1,\}\)$,\1\2\,paphosting,' \
-e 's,^\(_nsd:\*:[0-9]*:\)$,\1paphosting,' \
group > group.new && mv group.new group
echo "nsd_flags=\"\"" >> rc.conf.local
echo "paphosting ALL = NOPASSWD: /etc/rc.d/nsd" >> sudoers
We'll rsync to the machine and run nsdc rebuild as user paphosting. This
writes config to /var/nsd/etc/ and /var/nsd/zones, and rebuild writes the
compiled database to /var/nsd/db/nsd.db, which nsd loads at startup. We call
/usr/local/bin/pap_nsdreload as user paphosting to restart/reload the server.
A2) Using Ubuntu/Debian
Install nsd:
apt-get install nsd
Create the paphosting nsd config directories and add the paphosting user to the nsd group (almost matching our OpenBSD setup):
usermod -a -G nsd paphosting
mkdir -p /var/nsd /var/nsd/etc /var/nsd/zones
chown -R nsd:nsd /var/nsd/
chown -R paphosting:nsd /var/nsd/{etc,zones}
echo "paphosting ALL = NOPASSWD: /etc/init.d/nsd" >> /etc/sudoers
Tell the Debian nsd where to find the paphosting nsd configs:
cat << EOF > /etc/nsd3/nsd.conf
server:
    hide-version: yes
    zonesdir: /var/nsd/zones
include: /var/nsd/etc/paphosting/nsd.pap.conf
include: /var/nsd/etc/paphosting/paphosting.master.conf
include: /var/nsd/etc/paphosting/paphosting.slave.conf
EOF
B) Configuring PAPNS
1. Add the machine to config/dns.hosts
On your client, add the hostname (any hostname or IPv4 or IPv6 address to
which you can connect on the ssh port):
# HOSTNAME is the new nameserver; set it explicitly rather than relying on
# the shell's own $HOSTNAME, which would add this client instead
HOSTNAME=the.new.nameserver   # placeholder
echo $HOSTNAME >> config/dns.hosts
mkdir -p dns/config/${HOSTNAME}
# See other nsd.pap.conf for inspiration
vi dns/config/${HOSTNAME}/nsd.pap.conf
# The new directory and file must be added before they can be committed
svn add dns/config/${HOSTNAME}
svn commit config/dns.hosts \
dns/config/${HOSTNAME}
2. Ensure you can SSH into the machine as paphosting
From your client, try to SSH as paphosting into the machine.
Once you're there, you should make sure that the paphosting
user can run the NSD scripts as root.
You should now be able to run
sudo /etc/rc.d/nsd start
as the paphosting user (assuming that on OpenBSD you have edited
rc.conf.local and sudoers as above). On Ubuntu, you'll use
sudo /etc/init.d/nsd start
instead.
3. Force a push of the nsd configs
On your client, try an nsd push:
scripts/dns-push.sh -v -n
# If this looks good, then:
scripts/dns-push.sh -f
4. Check to make sure it works
You can now use the machine to register zones, assuming of course that you
have verified it actually works, with something like:
dig @${HOSTNAME} SOA paphosting.nl.
host -t SOA paphosting.nl. ${HOSTNAME}
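As an added example (not part of the original page or of paphosting's own scripts), the POSIX shell script below extends the dig check above to every host in config/dns.hosts and verifies that all of them serve the same SOA serial after a push; the script name, the ZONE and HOSTS_FILE variables and the sample serials are assumptions.

```shell
#!/bin/sh
# soa_check.sh (hypothetical name): after a push, confirm that every nameserver
# listed in config/dns.hosts serves the same SOA serial for a zone, so routing
# around a bad frontend never lands clients on a server with stale zone data.
# Assumes dig(1) is installed; ZONE and HOSTS_FILE are assumed knobs.
ZONE=${ZONE:-paphosting.nl.}
HOSTS_FILE=${HOSTS_FILE:-config/dns.hosts}

# soa_serial LINE: print the serial from one line of 'dig +short SOA' output
# (fields: mname rname serial refresh retry expire minimum); nothing if malformed.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF == 7 && $3 ~ /^[0-9]+$/ { print $3 }'
}

# query_host HOST: print "HOST SERIAL", or "HOST FAIL" when the server does not
# answer within 3s or returns no SOA record.
query_host() {
    answer=$(dig +short +time=3 +tries=1 "@$1" "$ZONE" SOA 2>/dev/null | head -n 1)
    serial=$(soa_serial "$answer")
    printf '%s %s\n' "$1" "${serial:-FAIL}"
}

# check_consistent: read "HOST SERIAL" lines on stdin; succeed only when at least
# one host answered, none failed, and all serials agree. Problems go to stdout.
check_consistent() {
    awk '
        $2 == "FAIL" { print "no SOA from " $1; bad = 1; next }
        ref == ""    { ref = $2; refhost = $1; next }
        $2 != ref    { print $1 " has serial " $2 ", " refhost " has " ref; bad = 1 }
        END { if (NR == 0) { print "no hosts given"; bad = 1 }; exit bad }'
}

main() {
    [ -r "$HOSTS_FILE" ] || { echo "cannot read $HOSTS_FILE" >&2; return 2; }
    # Skip blank lines and comments in dns.hosts, query each host, then compare.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$HOSTS_FILE" |
        while read -r h; do query_host "$h"; done | check_consistent
}

# Only run the queries when a zone is given on the command line, e.g.
#   sh soa_check.sh paphosting.nl.
if [ $# -gt 0 ]; then
    ZONE=$1
    main
fi
```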
EOF :)