A MAKO template for quick generation of master/slave Bind9 configurations
Note, this template is modular and follows the Debian/Ubuntu file organisation
It is mostly useful for initialization and reconfiguration (as zone files are always "almost empty")
On your management environment :
apt-get install python3 python3-venv
python3 -m venv venv
. venv/bin/activate
pip install wheel
pip install -r requirements.txt
Edit the first part of generate.py
to fit your needs
Run :
. venv/bin/activate
./generate.py config.py
Where config.py
(or any other name) is a python script holding the desired configuration (see doc/example-config.py
for the required structure)
Options:
-l level : specify logging level (default=warning)
-d destination : folder where all the generated files will be placed
-t templates : folder where the templates are located
-f : overwrite key files and zone files
--overwrite-keys : will overwrite key files (which are preserved by default)
--overwrite-zones : will overwrite zone files (which are preserved by default)
For each slave dns server :
- push
build/slave-conf.tar.gz
to the host - install it :
tar xfv slave-conf.tar.gz -C /
- fix permissions :
${CONF_DIR}/secure_permissions.sh
- reload configuration :
rndc reconfig
On your master server :
- push
build/master-conf.tar.gz
andbuild/master-zones.tar.gz
to the host - stop bind :
systemctl stop bind9
- install config
tar xfv master-conf.tar.gz -C /
- install zones files
tar xfv master-conf.tar.gz -C / --keep-old-files
- fix permissions :
${CONF_DIR}/secure_permissions.sh
- ensure DNSSEC keys are setup :
${CONF_DIR}/ensure_dnssec_keys.sh
- start bind :
systemctl start bind9
The tool generates an remote install script build/install.sh
. This script requires a valid ssh configuration for each master/slave fqdn, with a user which can run all commands (root). It uploads the files via SCP and runs the commands remotely.
If your installation method differs, adapt the install script in the template folder
Let's say you are managing a few clusters of dns servers (a cluster being a group consisting of 1 master and 1+ slaves) and you name them RED, BLUE, and GREEN. RED and BLUE have direct ssh access (for installation), while GREEN has no SSH access (it's an LXD container with only file access throught LXD file facility from the host managing the containers). Furthermore, BLUE doesn't do DNSSEC, while the others do.
One way you could manage your clusters with in the situation above :
- clone/fork this repository once
- copy the templates folder 3 times, one for each cluster, name them "template-X" where X is the cluster name
- copy the example config 3 times, one for each cluster, name them "config-X.py" where X is the cluster name
- adapt the configurations to each cluster (network topology, defined zones, allowed update-policy)
- adapt the template folder to each cluster (bind configuration and installation method)
- use distinct
build-X
folder for each cluster - then run
generate.py
with appropriate-c
,-t
, and-d
flags to update
For example, the modifications for BLUE :
- disable DNSSEC in templates
- update
install.sh
to remove theensure_dnssec.sh
call
For example, the modifications for GREEN :
- update
install.sh
to add some "lxd file ..." to the mix
In all cases :
- commit the per-cluster templates to the repository
- commit the per-cluster configuration to the repository
- commit the build folder to the repository
NOTE: Commiting the build directories might sound counter-intuitive, but this ensures that you can revert to the installed/previous keys/zones in case of mistaken -f
use
NOTE: you could clone/fork this repo once per cluster too, instead of putting all your eggs in one repo :-)
The generated zones contain only a basic declaration, facilitating new zone installation (hence the serial 0). Once they are generated and installed, your server will live its life and the zones on the master server will be populated, thus going out of sync with the zones generated in this repo.
This is why the install script uses --keep-old-files
for tar extraction of the zone archive : only new zone files will be installed on target server. This is not a mistake, this is by design, as the present tool is only a helper to bootstrap things for data (zones) and simplify management (configuration + keys).
One way to deal with this fact is to install a hook on the master server, watching bind log file for zone updates, then trigger a zone transfer of the modified zones, and finally commits the zone to the a local git repo. That way you holda copy of each and every revision of each zone. Once this is done, you could link both repo (the repo holding the up-to-date zone data, and the present repo) which would allows for the inclusion of the up-to-date zones in the shipped archives.