Centralized DNS


Unread post by accend »

Hello everyone,

I need to create a centralized DNS service for authoritative servers.

The purpose of this is to be able to point all domains (no matter on which server they are being hosted) to:

ns1.mymaindomain.com
ns2.mymaindomain.com

Problem is, I'm not really sure how to accomplish this. I've looked at several commercial solutions for this such as Plesk Expand ($$$$$$$) and 4PSA, but I'm not completely satisfied with their offerings.

Plesk Expand has a huge price tag when running 10+ servers (a lot of licensing fees involved). Also, I'm not sure if using it along with ART's repositories might break something.

4PSA's offering apparently was not really intended for PRIMARY servers (master), but mainly secondary (slave) servers. It can be used this way but a few people do not advise it.

I've looked at Scott's project for AUTOMATIC SECONDARY SERVERS and I'm not sure if it can be used for a centralized solution (probably I'm not really understanding the HOWTO guide).

It would be great for clients to still be able to change their domain DNS using their Plesk interface. Servers will automatically update the info of their domain zones to the "REAL" authoritative nameservers (on a different server).

I'm not sure if the Common Allow Zone Transfer ACL found in PSA 7.5.4 might play a role in this (not really sure how it works).

I'm currently using a server with Virtuozzo technology so I have 10 VEs. I'm planning on using one of those VEs as a dedicated DNS server for the rest of those VEs. My bet is that it should work the same with non-Virtuozzo servers as well, so the solution shouldn't be limited to Virtuozzo-based servers.

Any ideas??

thanks,
ACCEND
Internet Estrategico

Unread post by scott »

Have you looked at the auto-secondary DNS scripts I put together? These might help you do what you want.

using your scripts for several servers

Unread post by accend »

Before taking any further steps I decided to read the O'Reilly book on DNS and BIND (very good read). I suggest anyone implementing some sort of DNS solution read it (including when using ART's solution). It will definitely help you understand WHY Scott's solution is very simple and elegant.

Back to the topic:
Yes, I intend to use your scripts for my solution. However, instead of making each server a secondary for the others, my plan is to use two of the Plesk servers (should also work on Virtuozzo VEs) as slaves for ALL of the servers. So basically, I need to fine-tune a few things.

The general idea is:
server101 master for its own domains & slave for all other servers
server102 master for its own domains & slave for all other servers
server103 master for its own domains
server104 master for its own domains
server105 master for its own domains
server106 master for its own domains

1) I noticed that your gen-secondaries.sh script uses the old location for the default httpd server:
HTTPDOCS=/home/httpd/vhosts/default/htdocs (line 2)
I believe that this location has changed in recent versions of Plesk to HTTPDOCS=/var/www/vhosts/default/htdocs

http://download1.swsoft.com/Plesk/Plesk ... 4.i586.txt
I believe this applies to new Plesk 7.5.4 installs on clean servers.

2) If I plan to include the zones for several servers should i use some naming scheme for the:
include "/etc/secondaries.include"; (step 1 in your project)

Adding multiple includes (one for each server). For example:
include "/etc/secondaries.include101"; for server101 (only on server102)
include "/etc/secondaries.include102"; for server102 (only on server101)
include "/etc/secondaries.include103"; for server103
include "/etc/secondaries.include103"; for server104
... and so on

I should modify each of your scripts to use the new name

3) Should I modify the transfer script (xfer-config.sh) so that each secondaries.includeXXX file gets transferred to the slave server and checked in the same script
OR
Create a different cron job for each secondaries.include file transfer

What's better?

4) What does step 5 do exactly? I'm not sure. I know it will add a record in the misc table of the PSA database. But what does that record do?

5) Since server101 and server102 are slave/secondary for all domains, and therefore authoritative, I intend to register server101's IP address as ns1.mymaindomain.com and server102's IP address as ns2.mymaindomain.com at my registrar. As long as they are authoritative servers they should work, right?

Does this look right?

Am I missing something?


THANKS A LOT

PS- Everyone should know that I'm not a computer programmer (I've only got a BA degree) so all of this is a little difficult for me to understand. Be patient please.

Unread post by accend »

By the way, the only drawback I can see in this solution is that any changes to a domain's zone won't be available for a few hours, until the secondary servers do the transfer and reload.

This can probably be reduced by shortening the time lapse between cron jobs (instead of 6 hrs, lower it to 4 hrs).

Any comments?

Unread post by rembrandt »

accend wrote: This can probably be reduced by shortening the time lapse in between cron jobs (instead of 6 hrs lower it to 4hrs).
Indeed, depending on the load (volume of zone files) you can even shorten that time period.

Unread post by scott »

Hence the reason I made the docroot a variable at the top. Back when I wrote it the "standard" version was still around (5.x days), and it used yet another path (/usr/local/psa/apache/vhosts/). But I digress. For your last question on updates: if you've read the BIND book you're probably familiar with the NS record. Any nameserver designated in an NS record will have a NOTIFY sent to it on a domain update. So the secondaries (provided they are defined as NS records) will be updated within a few minutes of the master. The script events are purely for updating the master configuration of secondary domains to be authoritative for.

In the case of adding a new domain to use as a secondary server, you would be correct: it wouldn't pick up that domain for however long you're setting the cron job up for. Then there's the root server delay; depending on your registrar, that could add anywhere from another hour to a whole day.

Unread post by accend »

Yes... you're right. The NOTIFY scheme will work for domains already on the slave servers. Changes will take effect approx. 15 min after the update (BIND default).

What I really meant was that domains just added won't resolve until the next reload, because the slave servers have no clue about these new domains.

By the way, does the record added to the misc table (PSA DB) have anything to do with this NOTIFY scheme? I'm not sure. But my guess is that it adds the IP address to the allow-transfer parameter in the named.conf for each zone, making the transfer possible.

What about the recent feature in Plesk 7.5.x, SERVER > DNS > Common ACL? Is this equivalent?

thanks for your support

Unread post by scott »

The Common ACL is the access list of the servers allowed to do zone transfers (XFER). You can either manage it through PSA or from named.conf; those records will not get overwritten.

Something to keep in mind here in DNS-ese: you're rarely ever going to have "real time" updating, due to the nature of caching, or latency in the root servers that you're manually updating through your registrar. Generally, expect 24 hours to be the lag time before everyone gets the update.

Authoritative records in the root servers are added anywhere from 1-24 hours depending on the registrar. This piece is entirely out of your control, up at the root server level, and is where your secondaries are being defined for the whole internet.

Next down is caching. If someone looked up a record before you had it in DNS, they've cached the fact that it doesn't exist. This generally expires every 24 hours, but it depends on the nameserver; again, this variable is outside of your control.

The third place would be your secondary update schedule itself. If you set it to hourly (I'd do it 10 minutes before the top of the hour) there's no way you could miss the timing on a root server update if you've got a fast one. So, not factoring in caching or the update process at the registrar, your best case scenario with a brand new domain is that it would be an hour before it would work, with the root server lag.

Unread post by accend »

Thanks for the info.

In my PERSONAL experience with registering new domains with .com.mx and .com, .net, .org, it takes barely 10 seconds to get it working.

Of course... changing the nameservers at the registry for already created domains takes a while because of all the caching (and everything else Scott pointed out) done by nameservers elsewhere.

I've got one LAST question (I promise):
So with the PSA Common ACL feature... should I substitute step 5 of your HOWTO ("add a global allow rule into the PSA database") and, instead of making the change through MySQL, use the PSA interface to add the addresses? Is this equivalent?

Thanks again.

Unread post by accend »

By the way... don't forget to chmod 755 the scripts (gen-secondaries.sh and xfer-XX.sh), otherwise they won't execute from cron.