PowerDNS: SUPERMASTER
In the post on AXFR replication we saw that every slave has to be configured with its zones in the domains table: it must know which zones to fetch from the master and which ones it is not authoritative for.
For a few dozen zones that works fine, but what about hundreds of zones that are added and removed dynamically, as at a domain registrar? That is what supermasters are for in PowerDNS. With supermasters we only tell the slave which server it should trust, and the slave creates the zone in its own tables when that server notifies it.
Configuring the supermaster
First part: enable master mode and AXFR in the configuration file (allow-axfr-ips is the list of addresses allowed to pull the zone; the whole lab subnet is used here, in production narrow it to the slaves' addresses):
master=yes
allow-axfr-ips=192.168.122.0/24 # now I'll use this range, it's easier for me :-)
# the easiest way to demonstrate things is configuring a sqlite3 database:
# cat no-dnssec.schema.sqlite3.sql | sqlite3 pdnssec.sqlite3
# cat dnssec.schema.sqlite3.sql | sqlite3 pdnssec.sqlite3
# remember to check permissions
launch=gsqlite3
gsqlite3-database=/var/lib/pdns/pdnssec.sqlite3
gsqlite3-dnssec=yes
# avoid problems, configure this:
local-address=192.168.122.100
The test zone:
insert into domains (name, type) values ('example.com', 'MASTER');
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.com', 'SOA', 'ns1.example.com ze.example.com 2012022201 3600 600 1209600 3600', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.com', 'NS', 'ns1.example.com', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.com', 'NS', 'ns2.example.com', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'ns1.example.com', 'A', '192.168.122.100', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'ns2.example.com', 'A', '192.168.122.101', 3600, 1 from domains where name = 'example.com';
Configuring the slave:
slave=yes
allow-axfr-ips=192.168.122.0/24 # now I'll use this range, it's easier for me :-)
launch=gsqlite3
gsqlite3-database=/var/lib/pdns/pdnssec.sqlite3
gsqlite3-dnssec=yes
# avoid problems, configure this:
local-address=192.168.122.101
Configuring the slave's database:
insert into supermasters (ip, nameserver, account) values ('192.168.122.100', 'ns1.example.com', 'superuser');
Description of the fields:
- ip: the supermaster's IP address (the address the NOTIFY must come from and that the zone will be transferred from);
- nameserver: the supermaster's name. This name must appear among the NS records of the zone being created;
- account: there is no authentication for supermasters at this point, so this field is only used for logging. In other words, the whole trust decision rests on the source address of the NOTIFY and on the NS name; there is no TSIG or other authentication, so only list addresses you control and do not let NOTIFY traffic from outside your network reach the slaves.
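To make that trust model concrete, here is a small model of the acceptance check, written for this page as an added example (it is not PowerDNS code): a NOTIFY for a zone the slave does not carry is accepted only if its source address is in supermasters and that row's nameserver is one of the NS names the notifying host itself reports for the zone. The supermasters row, the zones and the NS sets are the ones used in this post; `Decision`, `supermaster_check` and `scenarios` are names chosen here.

```python
"""Model of the supermaster acceptance check (added example, not PowerDNS code).

When a slave gets a NOTIFY for a zone it does not carry, it looks up the
NOTIFY's source IP in the supermasters table and checks whether that row's
nameserver is among the NS names the notifying host reports for the zone.
If so, the zone is created as SLAVE with that IP as master. Nothing else is
verified: there is no TSIG, so the check is only as strong as the source IP.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Sequence, Tuple

# Constructed copy of the slave's supermasters table from this post:
# (ip, nameserver, account).
SUPERMASTERS: List[Tuple[str, str, str]] = [
    ("192.168.122.100", "ns1.example.com", "superuser"),
]


@dataclass
class Decision:
    accepted: bool
    master_ip: Optional[str]
    account: Optional[str]
    reason: str


def _canon(name: str) -> str:
    """Compare owner names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def supermaster_check(notify_src_ip: str, zone: str, remote_ns_set: Sequence[str],
                      supermasters: Sequence[Tuple[str, str, str]] = SUPERMASTERS) -> Decision:
    """Decide whether a NOTIFY from notify_src_ip would auto-create `zone`.

    remote_ns_set is the NS set for `zone` as answered by the notifying host
    itself (the slave asks the notifier, not an independent resolver).
    """
    src = ip_address(notify_src_ip)
    ns_names = {_canon(n) for n in remote_ns_set}
    rows = [r for r in supermasters if ip_address(r[0]) == src]
    if not rows:
        return Decision(False, None, None,
                        f"{notify_src_ip} is not in the supermasters table; NOTIFY ignored")
    for ip, nameserver, account in rows:
        if _canon(nameserver) in ns_names:
            return Decision(True, ip, account,
                            f"{nameserver} is an NS of {zone}; created as SLAVE of {ip} (account {account})")
    return Decision(False, None, None,
                    f"{notify_src_ip} is a supermaster but none of its nameservers is an NS of {zone}")


def scenarios() -> Tuple[Decision, Decision, Decision, Decision]:
    """The cases from this post plus two refusals (inputs constructed here)."""
    # example.com as configured above: accepted.
    ok_com = supermaster_check("192.168.122.100", "example.com",
                               ["ns1.example.com", "ns2.example.com"])
    # example.net from the "More zones" section: same row, because ns1.example.com is an NS.
    ok_net = supermaster_check("192.168.122.100", "example.net",
                               ["ns1.example.com", "ns2.example.net"])
    # Trusted IP, but the zone does not list the supermaster's name: refused.
    bad_ns = supermaster_check("192.168.122.100", "example.org", ["ns1.example.org"])
    # Unknown source IP: refused whatever NS names it claims.
    bad_ip = supermaster_check("192.168.122.200", "example.com", ["ns1.example.com"])
    return ok_com, ok_net, bad_ns, bad_ip


if __name__ == "__main__":
    for d in scenarios():
        print("ACCEPT" if d.accepted else "REFUSE", "-", d.reason)
```

The two refusals are the only protection the mechanism offers: a host that is not in the table is ignored, and a listed host cannot push a zone that does not name it as an NS. Anything sent from a listed address with a matching NS record is taken on trust.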
As soon as the master starts, the zone is transferred to the slave: PowerDNS looks for the zones it is master of and queues a NOTIFY for each of them. Note in the logs that the master also notifies itself, because ns1.example.com is 192.168.122.100, and rejects that NOTIFY with rcode 4 since slave support is not enabled there; that is harmless. The logs from the test:
Master logs:
Feb 22 18:52:24 Reading random entropy from '/dev/urandom'
Feb 22 18:52:24 This is a standalone pdns
Feb 22 18:52:24 Listening on controlsocket in '/var/run/pdns.controlsocket'
Feb 22 18:52:24 UDP server bound to 192.168.122.100:53
Feb 22 18:52:24 TCP server bound to 192.168.122.100:53
Feb 22 18:52:24 PowerDNS 3.0.1 (C) 2001-2011 PowerDNS.COM BV (Jan 10 2012, 16:28:34, gcc 4.4.3) starting up
Feb 22 18:52:24 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Feb 22 18:52:24 Creating backend connection for TCP
Feb 22 18:52:24 Master/slave communicator launching
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 About to create 3 backend threads for UDP
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 No new unfresh slave domains, 0 queued for AXFR already
Feb 22 18:52:24 1 domain for which we are master needs notifications
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 Done launching threads, ready to distribute questions
Feb 22 18:52:25 Queued notification of domain 'example.com' to 192.168.122.100
Feb 22 18:52:25 Queued notification of domain 'example.com' to 192.168.122.101
Feb 22 18:52:25 Received NOTIFY for example.com from 192.168.122.100 but slave support is disabled in the configuration
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 AXFR of domain 'example.com' initiated by 192.168.122.101
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 AXFR of domain 'example.com' to 192.168.122.101 finished
Feb 22 18:52:26 Received unsuccessful notification report for 'example.com' from 192.168.122.100:53, rcode: 4
Feb 22 18:52:26 Removed from notification list: 'example.com' to 192.168.122.100:53
Feb 22 18:52:26 Removed from notification list: 'example.com' to 192.168.122.101:53 (was acknowledged)
Feb 22 18:52:28 No master domains need notifications
Slave logs:
Feb 22 18:51:25 Reading random entropy from '/dev/urandom'
Feb 22 18:51:25 This is a standalone pdns
Feb 22 18:51:25 Listening on controlsocket in '/var/run/pdns.controlsocket'
Feb 22 18:51:25 UDP server bound to 192.168.122.101:53
Feb 22 18:51:25 TCP server bound to 192.168.122.101:53
Feb 22 18:51:25 PowerDNS 3.0.1 (C) 2001-2011 PowerDNS.COM BV (Jan 10 2012, 16:28:34, gcc 4.4.3) starting up
Feb 22 18:51:25 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Feb 22 18:51:25 Creating backend connection for TCP
Feb 22 18:51:25 Master/slave communicator launching
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 About to create 3 backend threads for UDP
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 No new unfresh slave domains, 0 queued for AXFR already
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 Done launching threads, ready to distribute questions
Feb 22 18:52:25 Received NOTIFY for example.com from 192.168.122.100 for which we are not authoritative
Feb 22 18:52:25 Initiating transfer of 'example.com' from remote '192.168.122.100'
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 Created new slave zone 'example.com' from supermaster 192.168.122.100, queued axfr
Feb 22 18:52:25 AXFR started for 'example.com', transaction started
Feb 22 18:52:25 AXFR done for 'example.com', zone committed
Supermasters and DNSSEC
With DNSSEC things get a little more complicated. The supermaster mechanism alone is not enough: besides creating the zone, the slave has to be told that the zone is pre-signed (the PRESIGNED metadata), so that it serves the RRSIGs received over AXFR instead of trying to sign the zone with keys of its own. A good workaround is a trigger in the database that inserts the metadata automatically whenever a zone is created:
CREATE TRIGGER set_presigned AFTER INSERT ON domains
FOR EACH ROW BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.ID, 'PRESIGNED', '1');
END;
As a demonstration, delete the slave's data and create the trigger above (if the zone already had rows in domainmetadata, clear those too so they are not left orphaned):
delete from records;
delete from domains;
On the master, sign the zone (secure-zone generates the keys and enables signing; rectify-zone fills in the ordering fields the NSEC chain is built from) and notify the slave:
pdnssec secure-zone example.com
pdnssec rectify-zone example.com
pdns_control notify-host example.com 192.168.122.101
The same can be done for NSEC3, if it is configured on the master; the content has the fields of the NSEC3PARAM record (hash algorithm, flags, iterations, salt) and must match what the master uses:
CREATE TRIGGER set_nsec3 AFTER INSERT ON domains
FOR EACH ROW BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.ID, 'NSEC3PARAM', '1 1 1 ab');
END;
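The two triggers can be checked without a running PowerDNS. The following added example (not from the post and not PowerDNS code) builds a constructed subset of the gsqlite3 DNSSEC schema in an in-memory SQLite database, installs both triggers, and inserts a zone the way a supermaster-created slave zone arrives (type SLAVE, the supermaster IP as master, the account from the supermasters row). It also shows the caveat that the triggers fire for every row inserted into domains, including zones you add by hand on the same server, and a `drop_dnssec_metadata` helper (a name chosen here) to undo them for a zone that is not pre-signed.

```python
"""Exercise the PRESIGNED and NSEC3PARAM triggers against an in-memory SQLite
database (added example; the schema below is a constructed subset of the
PowerDNS gsqlite3 DNSSEC schema, just enough to run the triggers)."""
import sqlite3
from typing import Dict, Tuple

SCHEMA = """
CREATE TABLE domains (
  id              INTEGER PRIMARY KEY,
  name            VARCHAR(255) NOT NULL COLLATE NOCASE,
  master          VARCHAR(128) DEFAULT NULL,
  last_check      INTEGER DEFAULT NULL,
  type            VARCHAR(6) NOT NULL,
  notified_serial INTEGER DEFAULT NULL,
  account         VARCHAR(40) DEFAULT NULL
);
CREATE TABLE domainmetadata (
  id        INTEGER PRIMARY KEY,
  domain_id INT NOT NULL,
  kind      VARCHAR(16) COLLATE NOCASE,
  content   TEXT
);
"""

# The two triggers from this post, unchanged apart from layout.
TRIGGERS = """
CREATE TRIGGER set_presigned AFTER INSERT ON domains
FOR EACH ROW BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.id, 'PRESIGNED', '1');
END;
CREATE TRIGGER set_nsec3 AFTER INSERT ON domains
FOR EACH ROW BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.id, 'NSEC3PARAM', '1 1 1 ab');
END;
"""


def new_slave_db() -> sqlite3.Connection:
    """Fresh slave database with the constructed schema and both triggers."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executescript(TRIGGERS)
    return db


def supermaster_creates_zone(db: sqlite3.Connection, zone: str, master_ip: str, account: str) -> None:
    """Insert the row a slave writes when it creates a zone from a supermaster
    (constructed here: type SLAVE, the supermaster IP as master, its account)."""
    db.execute("INSERT INTO domains (name, master, type, account) VALUES (?, ?, 'SLAVE', ?)",
               (zone, master_ip, account))
    db.commit()


def metadata_for(db: sqlite3.Connection, zone: str) -> Dict[str, str]:
    """kind -> content for every domainmetadata row of `zone`."""
    rows = db.execute(
        "SELECT m.kind, m.content FROM domainmetadata m "
        "JOIN domains d ON d.id = m.domain_id WHERE d.name = ? ORDER BY m.kind",
        (zone,)).fetchall()
    return dict(rows)


def drop_dnssec_metadata(db: sqlite3.Connection, zone: str) -> int:
    """Undo the triggers for a zone that is not pre-signed (for example a MASTER
    zone added by hand on the same server); returns the number of rows removed."""
    cur = db.execute(
        "DELETE FROM domainmetadata WHERE kind IN ('PRESIGNED', 'NSEC3PARAM') "
        "AND domain_id = (SELECT id FROM domains WHERE name = ?)", (zone,))
    db.commit()
    return cur.rowcount


def demo() -> Tuple[Dict[str, str], Dict[str, str], int, Dict[str, str]]:
    db = new_slave_db()
    supermaster_creates_zone(db, "example.com", "192.168.122.100", "superuser")
    auto_meta = metadata_for(db, "example.com")          # set by the triggers
    # Caveat: the triggers fire on every insert into domains, not only on
    # supermaster-created zones, so a hand-added MASTER zone gets them too.
    db.execute("INSERT INTO domains (name, type) VALUES ('lab.test', 'MASTER')")
    db.commit()
    hand_meta = metadata_for(db, "lab.test")
    removed = drop_dnssec_metadata(db, "lab.test")
    return auto_meta, hand_meta, removed, metadata_for(db, "lab.test")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it as a script to see the metadata the slave zone receives, the same metadata wrongly attached to the hand-added zone, and the two rows removed again.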
More zones
There is no advantage in inserting a new row into supermasters for every new zone (though it would not be very inconvenient either): the same row can serve every zone, as long as the nameserver named in it is among the new zone's NS records:
insert into domains (name, type) values ('example.net', 'MASTER');
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.net', 'SOA', 'ns1.example.com ze.example.net 2012022201 3600 600 1209600 3600', 3600, 1 from domains where name = 'example.net';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.net', 'NS', 'ns1.example.com', 3600, 1 from domains where name = 'example.net';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.net', 'NS', 'ns2.example.net', 3600, 1 from domains where name = 'example.net';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'ns2.example.net', 'A', '192.168.122.101', 3600, 1 from domains where name = 'example.net';
Note that ns1.example.com is the same: that is what lets the single supermasters row on the slave accept the new zone.
Posted at 07:13PM Feb 22, 2012 by ze in PowerDNS
