Revision [2940]

This is an old revision of opennicZoneScript made by BrianKoontz on 2012-07-10 13:13:19.

 

Automated generation of OpenNIC configuration files


The following instructions are based on a clean install of BIND9 on a debian/ubuntu system with the configuration files located in /etc/bind/ and the zone files placed in /var/named/. Other distributions may use different locations for these files, or may use chroot. Please adjust accordingly, or ask for help on the mailing list or IRC chat. You are NOT required to have access to OpenNIC services prior to setting up the scripts below.

The configuration presented below will provide you with a fully operational local DNS service capable of resolving all ICANN domains, as well as domains created under OpenNIC and any of our peers. The setup will slave all zone files so your server can perform local lookups, and automated updates will be enabled to eliminate the need for any manual configuration to remain current with OpenNIC TLDs. The final system will include 'views' for added flexibility for more advanced configurations.

If you already have a functioning BIND9 server, notes will be included below to guide you in making the appropriate adjustments. Near the end of this document you will find notes on migrating BIND9 to a chrooted setup. These directions should be suitable both for a new configuration and an existing setup. If you do not already use chroot, please consider migrating your configuration for better security.

Tier-2 servers provide resolution for all domain names. Notes will be included below to determine if your setup is public (accessible by anyone on the internet) or private (only accessible by your own local network). If you plan to run a new TLD under OpenNIC, you will need to follow the additional instructions for Tier-1 servers. Other than providing the zone file for your own TLD, there is virtually no difference between a Tier-1 and Tier-2 server configuration.


Notes:


Requirements:


Configure BIND9


Begin in the directory your BIND9 configuration files are located:
# cd /etc/bind/

If you wish to make a backup of the default configuration, this is the time to do it. We will be overwriting the original config files with new ones.

If you have a pre-existing configuration, the following information may be used as a guide to modify your setup. The important piece that you need is the following line within your internet view:
include "/etc/bind/zone.opennic";


First we will create a new "named.conf" file which points to various other configuration files:
options { include "/etc/bind/named.conf.options"; };
logging { include "/etc/bind/named.conf.logging"; };

view "lan" { include "/etc/bind/view.lan"; };
view "net" { include "/etc/bind/view.net"; };


The "named.conf.options" file will contain global options that control how your service responds locally and on the internet. If you will be listening on IPv6, or wish to listen on alternat ports such as 5353, uncomment the appropriate lines.
# Specify where your zone files will be stored.
# This entry should match ZONEFILES in t1zone.conf
directory "/var/named";

# This option hides your BIND version for security
version "[hidden]";

listen-on port 53 { any; };
#listen-on port 5353 { any; };

#listen-on-v6 port 53 { any; };
#listen-on-v6 port 5353 { any; };

# max-cache-size defines the maximum amount of memory to use
# for the server's cache
max-cache-size 64M;

# max-cache-ttl sets the maximum time (in seconds) for which
# the server will cache positive answers
max-cache-ttl 86400;

# max-ncache-ttl sets the maximum time (in seconds) for which
# the server will cache negative answers.
max-ncache-ttl 300;

# cleaning-interval defines the time in MINUTES
# when all expired records will be deleted.
cleaning-interval 15;


Now we want to set up sime simple logging options which can help with debugging. Save the following into "named.conf.logging":
channel bind {
	file "/var/log/named/bind";
	print-time yes;
	print-category yes;
	print-severity yes;
};
channel query {
	file "/var/log/named/query";
	print-time yes;
	print-category yes;
	print-severity yes;
};
channel security {
	file "/var/log/named/security";
	severity debug;
	print-time yes;
	print-category yes;
	print-severity yes;
};

category client			{ bind; };
category config			{ bind; };
category default		{ default_syslog; };
category edns-disabled		{ null; };
category general		{ bind; };
category lame-servers		{ security; };
category network		{ bind; };
category notify			{ bind; };
category queries		{ query; };
category resolver		{ null; };
category security		{ security; };
category update			{ bind; };
category update-security	{ security; };
category xfer-in		{ bind; };
category xfer-out		{ bind; };

Create the log directory and change the owner to match which owner you will be running BIND9 under:
# mkdir /var/log/named
# chown bind:bind /var/log/named

If you run BIND9 under a chroot, the above path names should be modified accordingly. For example, some distributions contain the nameserver under /var/named/ so within that folder you will find an /etc/ folder that contains all of the config files. In this example, the logging directory would be /var/named/var/log/named/.

When using views, one feature is to allow different replies based on if a query comes from the internet or your local network. For example, under the 'lan' view, you may have a zone file which resolves myserver.example.com to an internal IP address, while internet queries are provided with your public IP.

First we will set up the lan view. Note that the match-clients line should contain the IP addresses for your local network. If you do not use IPv6, then remove that portion of the line. Save the following as "view.lan":
match-clients { 127.0.0.0/8; 192.168.0.0/24; 2001:470:ffff::0/48; };
allow-query { any; };
allow-recursion { any; };
allow-transfer { any; };
notify yes;

include "/etc/bind/zone.opennic";

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

If your configuration does not contain any of the specified files, you can view the originals from here: http://216.87.84.210/opennic.oss/bind/ Note that none of the zones listed in view.lan are critical, and you can safely remove any of the sections you are not using.

Finally, we will create "view.net" which contains information on what users from the internet will see. To begin with, open a new file and paste the following first line:
match-clients { any; };


If you wish to have a private DNS server, add these lines:
allow-recursion { none; };
allow-query { none; };
notify no;


If you wish to have a public Tier-1 or Tier-2 server, add these lines:
allow-recursion { any; };
allow-query { any; };
notify yes;


Now add the following to finish your "view.net" file:
include "/etc/bind/zone.opennic";


If you have your own domains, you would add the zone directives to BOTH view files. It is also possible to make unique zone files for a single domain that have different entries for the lan and net views.

And finally, set the ownership of all file to the 'bind' user:
# chown bind:bind /etc/bind/
# chown bind:bind /var/named/

Your nameserver is nearly complete, but before it can be started, you need to configure the automation scripts.


Configure the zone creation scripts


Begin by creating a directory to place the files:
# mkdir /opt/bind-tools
# cd /opt/bind-tools/

Obtain the default config file:
# wget http://216.87.84.210/opennic.oss/bindtools/t1zone.conf

Using your favorite editor, modify the config file to suit your needs. Assumptions are made that your BIND config is stored under /etc/bind/ and that your actual zone files are store under /var/named/ however these may be adjusted with the NAMEDCONF and ZONEFILES variables.
- $slaveZone and $masterZone will be located under $ZONEFILES, so using the default values, you would find your slave zone files in /var/named/opennic/slave/. Please make sure you create these directories and chown them to your bind user!
- zoneFileName will be stored under $NAMEDCONF (/etc/bind/zone.opennic)
- The AUTOUPDATE value enables automated updates of the script files we will be using below. It is recommended that you leave this enabled to receive bug fixes.

If you have a pre-existing configuration, ensure that the VIEWS variables match the views you are using. If you do not use views, simply comment out all of the VIEWS variables in t1zone.conf.

If you are running a Tier-1 server, enter the name(s) of your TLDs under the xTLD[] array, and list your public IP address(es) under the xIP[] array. All other users should leave these values commented out.


Download the first script:
# wget http://216.87.84.210/opennic.oss/bindtools/gettld.sh
# chmod 755 gettld.sh

Attempt to run the script and see if there are any problems.
# ./gettld.sh

If you see any errors, make the appropriate changes to t1zone.conf. If the script runs, take a look at the file "tld.info". It should contain a list of the TLD zones currently used by OpenNIC. A sample of the file can be viewed at http://216.87.84.210/opennic.oss/bindtools/tld.info.txt


Download the second script:
# wget http://216.87.84.210/opennic.oss/bindtools/makeinclude.sh
# chmod 755 makeinclude.sh

Attempt to run the script:
# ./makeinclude.sh

You should see the text of a zone config file being output to your screen.

If you are running a Tier-1 server, your IP address(es) should be commented in each zone and marked as excluded.

You will likely also see other addresses commented and marked as invalid serial. This simply means that the server has not received the latest zone yet. The list of commented servers will change if you run the script again in an hour, and is typical of the daily operations.

Please verify that the filenames in the output from this script match your own configuration and directories.


The last script to obtain will run the previous scripts, update your BIND configuration, and reload BIND with the new updates.

DO NOT PROCEED PAST THIS POINT UNTIL YOU HAVE VERIFIED THAT THE PREVIOUS SCRIPTS ARE RUNNING WITHOUT ERROR!

Obtain and run the script from here:
# wget http://216.87.84.210/opennic.oss/bindtools/t1zone.sh
# chmod 755 t1zone.sh
# ./t1zone.sh

Once the script finishes running, confirm that /etc/bind/zone.opennic exists, and that the information presented within it appears to be correct. This should be identical to the output generated in the last step from makeinclude.sh.

Chrooted setup

If you wish to run BIND9 under a chroot for security purposes, now is the time to perform the migration. We are going to move all of the BIND9 configuration and zone files into their own self-contained folder at "/var/chroot/bin9/". Again, keep in mind that the given directory paths are based on a debian/ubuntu server, and your configuration may use different paths.

Begin by ensuring that BIND9 is not running:
# /etc/init.d/bind9 stop

Create the chroot directories and special devices:
# mkdir -p /var/chroot/bind9/{etc,dev,var/cache/bind,var/run/bind/run,var/log/named}
# chown -R bind:bind /var/chroot/bind9/var/
# mknod /var/chroot/bind9/dev/null c 1 3
# mknod /var/chroot/bind9/dev/random c 1 8
# chmod 666 /var/chroot/bind9/dev/{null,random}

Now you are ready to move your original BIND configuration into the chroot:
# mv /etc/bind /var/chroot/bind9/etc
# ln -s /var/chroot/bind9/etc/bind /etc/bind
# mv /var/named /var/chroot/bind9/var
# ln -s /var/chroot/bind9/var/named /var/named

You need to configure bind9 to start up using the chroot. For debian/ubuntu:
  • edit "/etc/default/bind9" and change the following line:
OPTIONS="-u bind -t /var/chroot/bind9"

At this point you are now ready to start BIND9 and test your configuration:
# /etc/init.d/bind9 restart

If you followed the initial setup above, you should now have some log files with information in them. Check the following to determine if there were any errors:
# tail -f /var/log/named/bind

You should see your nameserver busy attempting to download the zone files for each of the OpenNIC TLDs. You can exit from the log by hitting Ctrl-C. It may take a few minutes for all of the zones to finish downloading, then you can try testing it with the following:

This should give a list of nameservers (nsX.opennic.glue.)
# dig +short @localhost . NS

This should return the address 75.127.96.89
# dig +short @localhost opennic.glue

This should return the address 216.87.84.210
# dig +short @localhost opennic.oss

And finally, test an ICANN lookup
# dig +short @localhost google.com

If the previous tests succeeded, then your system is fully capable of looking up data from all OpenNIC and ICANN TLDs.

If you are running a public Tier-2 server, then the next step should be to visit http://www.opennicproject.org/t2log/test.php and enter your IP address. This page will test your server to confirm that it is able to answer queries from the internet, and that all OpenNIC zones are configured properly.


The last step is to fully automate the process of updating your system. You will want to add a cron job to update the TLD information every three hours. Note that the exact method of doing this will change depending on which type of cron you have installed. The method I present here is for hc-cron, which is standard on many systems.

Ensure that the script permissions are set for your bind user:
# chown -R bind /opt/bind-tools/
# chown bind:bind /etc/bind/zone.opennic*

Now add the following line to "/etc/crontab" (assuming that BIND9 is run under the username 'bind'):
50 */3	* * *	bind /opt/bind-tools/t1zone.sh


Once cron has been updated, you should see /etc/bind/zone.opennic being updated every three hours at the 50-minute mark.
There are no comments on this page.
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki