Creating a nameserver
Nameservers are a key piece of infrastructure for reliability. They can be
used to route around bad frontends (see
the overview
for more details). It's important that we have a stable and easily updateable
nameserver. We have chosen
NSD (name server daemon) from
NLnet Labs
. We can control this nameserver mostly using the paphosting user, but to
(re)start the nameserver (which binds port 53), we will require root access.
We can use the handy
nsdc wrapper. (nsdc is the control script of the NSD 3 series; NSD 4 dropped
it, and the separate database rebuild step, in favour of nsd-control.)
A1) Using OpenBSD
1. OpenBSD 5.0+ ships NSD in base!
mkdir -p /etc/nsd /var/nsd/zones/slave
chown -R _nsd:_nsd /var/nsd
chown -R paphosting:_nsd /etc/nsd /var/nsd/{db,zones}
chmod 775 /var/nsd/zones/slave
cd /etc
echo "include: /etc/nsd/nsd.conf" > nsd.conf
chmod 640 nsd.conf
chown root:_nsd nsd.conf
# Add user paphosting to group _nsd: append to the member list, or start
# the list if the group has no members yet
sed -e 's/^\(_nsd:[^:]*:[0-9]*:\)\(.\{1,\}\)$/\1\2,paphosting/' \
-e 's/^\(_nsd:[^:]*:[0-9]*:\)$/\1paphosting/' \
group > group.new && mv group.new group
echo "nsd_flags=\"\"" >> rc.conf.local
# This grants paphosting every action of the rc script (start/stop/restart/reload).
# Prefer visudo for the edit: a syntax error in sudoers disables sudo entirely.
echo "paphosting ALL = NOPASSWD: /etc/rc.d/nsd" >> sudoers
We'll rsync to the machine and run
nsdc rebuild as user paphosting.
The push writes config to
/etc/nsd and zone files to
/var/nsd/zones, and
rebuild writes the compiled database to
/var/nsd/db/nsd.db (so all of these must be
owned by user paphosting, as set up above); the push then uses sudo to reload the server.
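Step A1 creates the directories but not the configuration that the one-line /etc/nsd.conf includes. As an added illustration (this is not the project's nsd.pap.conf; the 192.0.2.x and 198.51.100.x addresses, the key name and the base64 secret are placeholders), here is an NSD 3 style /etc/nsd/nsd.conf that uses the paths and users set up above, hides the server version, and restricts zone transfers to one TSIG-authenticated peer:

```conf
# /etc/nsd/nsd.conf, pulled in by "include:" from /etc/nsd.conf.
# Added example, not the project's file. 192.0.2.0/24 and 198.51.100.0/24
# are documentation prefixes standing in for the real hosts.
server:
    ip-address: 192.0.2.53          # bind one address, not every interface
    username: _nsd                   # drop privileges after binding port 53
    zonesdir: /var/nsd/zones         # owned paphosting:_nsd (step A1)
    database: /var/nsd/db/nsd.db     # written by "nsdc rebuild" as paphosting
    hide-version: yes                # do not answer version.bind queries
    verbosity: 1

# TSIG key so NOTIFY and AXFR cannot be spoofed by anyone who can reach
# port 53. The secret is a placeholder; generate a fresh random one per key.
key:
    name: "transfer.paphosting.nl"
    algorithm: hmac-sha256
    secret: "ZXhhbXBsZS1zZWNyZXQtcmVwbGFjZS1tZQ=="

# Zone this host is primary for: only the listed secondary may transfer it.
zone:
    name: "paphosting.nl"
    zonefile: "paphosting.nl.zone"
    notify: 198.51.100.53 transfer.paphosting.nl
    provide-xfr: 198.51.100.53 transfer.paphosting.nl

# Zone this host is secondary for: the file lives under zones/slave, which
# step A1 made group-writable (chmod 775) so nsd itself can store transfers.
zone:
    name: "example.net"
    zonefile: "slave/example.net.zone"
    allow-notify: 198.51.100.53 transfer.paphosting.nl
    request-xfr: 198.51.100.53 transfer.paphosting.nl
```

Run nsd-checkconf /etc/nsd.conf after editing: it catches syntax errors before nsdc rebuild and the sudo reload, so a bad push cannot take the nameserver down. Because paphosting owns /etc/nsd, anyone holding that account can read the TSIG secret; that matches the threat model here (paphosting is the deploy user), but it means the key must be rotated if the account is ever compromised.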
A2) Using Ubuntu
(work in progress)
B) Configuring PAPNS
1. Add the machine to config/dns.hosts
On your client, add the hostname (any hostname,
IPv4 address or IPv6 address to which you can connect
on the SSH port). The commands below assume HOSTNAME holds the new machine's
name; set it explicitly first, since many shells preset $HOSTNAME to the
client's own name:
echo $HOSTNAME >> config/dns.hosts
mkdir -p dns/config/${HOSTNAME}
# See other nsd.pap.conf for inspiration
vi dns/config/${HOSTNAME}/nsd.pap.conf
svn commit config/dns.hosts \
dns/config/${HOSTNAME}/nsd.pap.conf
2. Ensure you can SSH into the machine as paphosting
From your client, try to SSH as paphosting into the machine.
Once you're there, make sure that the paphosting
user can run the NSD rc script as root (step A1 already did this on
OpenBSD; otherwise add the rule as root, preferably with visudo so that a
typo cannot lock sudo out):
sudo su -
cat << EOF >> /etc/sudoers
paphosting ALL = NOPASSWD: /etc/rc.d/nsd
EOF
You should now be able to run
sudo /etc/rc.d/nsd start
as the paphosting user (assuming on OpenBSD you have edited
rc.conf.local).
3. Force a push of the nsd configs
On your client, first run the nsd push without forcing it and check the output:
scripts/dns-push.sh -v -n
# If this looks good, then:
scripts/dns-push.sh -f
4. Check to make sure it works
You can now use the machine to register zones, assuming of course
that you have verified it actually works, for example:
dig @${HOSTNAME} SOA paphosting.nl.
host -t SOA paphosting.nl. ${HOSTNAME}
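The dig and host one-liners above show that the server answers, but before relying on it a practitioner also wants to know that the answer is authoritative (aa flag set), that the serial matches the primary, and that the new machine is not an open recursive resolver. The script below is an added example, not the project's dns-push.sh or any other paphosting script. It parses dig output with small POSIX shell functions, exercises them against constructed sample responses embedded in the file, and, when given a candidate server, zone and primary on the command line, runs the same checks live. The name check-ns.sh and the sample hostnames, ids and serials are assumptions.

```shell
#!/bin/sh
# check-ns.sh: verify a freshly pushed NSD secondary (added example, not a
# paphosting script). Usage: check-ns.sh <candidate> <zone.> <primary>
# Example: ./check-ns.sh ns2.example.net paphosting.nl. ns1.example.net

# Extract "NOERROR", "REFUSED", ... from the dig ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract the flag list ("qr aa", "qr rd ra", ...) from the ";; flags:" line.
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# True when flag $2 (aa, ra, ...) is set in dig output $1.
dig_has_flag() {
    case " $(dig_flags "$1") " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the SOA serial (7th column of the SOA record) from the ANSWER section.
dig_soa_serial() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/    { in_answer = 1; next }
        /^;;/ || /^$/            { in_answer = 0 }
        in_answer && $4 == "SOA" { print $7; exit }'
}

# A secondary is good when it answers NOERROR, sets aa, and serves the
# primary's serial. $1 = dig output, $2 = expected serial. Reasons go to stderr.
verify_secondary() {
    vs_status=$(dig_status "$1")
    [ "$vs_status" = "NOERROR" ] || { echo "status is $vs_status" >&2; return 1; }
    dig_has_flag "$1" aa || { echo "answer is not authoritative" >&2; return 1; }
    vs_serial=$(dig_soa_serial "$1")
    [ "$vs_serial" = "$2" ] || { echo "serial $vs_serial, expected $2" >&2; return 1; }
    return 0
}

# Constructed sample responses (not captured from any real host).
# 1. What a correctly configured NSD secondary returns for its own zone.
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
paphosting.nl.  3600  IN  SOA  ns1.paphosting.nl. hostmaster.paphosting.nl. 2013051001 7200 3600 1209600 3600
'
# 2. A recursive resolver answering from cache: no aa, ra set, stale serial.
SAMPLE_RECURSIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
paphosting.nl.  3600  IN  SOA  ns1.paphosting.nl. hostmaster.paphosting.nl. 2013050901 7200 3600 1209600 3600
'
# 3. What NSD returns for a zone it is not authoritative for: REFUSED, no ra.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
'

# Live checks, only when a candidate, zone and primary are given.
if [ $# -eq 3 ]; then
    candidate=$1; zone=$2; primary=$3
    expected=$(dig_soa_serial "$(dig @"$primary" SOA "$zone" +norecurse)")
    [ -n "$expected" ] || { echo "no SOA from primary $primary" >&2; exit 1; }
    verify_secondary "$(dig @"$candidate" SOA "$zone" +norecurse)" "$expected" \
        || exit 1
    echo "$candidate is authoritative for $zone at serial $expected"
    # An authoritative-only server must not recurse for unrelated names.
    if dig_has_flag "$(dig @"$candidate" A www.example.com. +recurse)" ra; then
        echo "$candidate offers recursion: expected REFUSED without ra" >&2
        exit 1
    fi
fi
```

The recursion check matters because an authoritative server that also recurses for anyone is usable for cache poisoning and amplification; NSD never sets ra and answers REFUSED for zones it does not serve, so a hit there means a different daemon is listening on the address you pushed to.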
EOF :)