NSD is a complete implementation of an authoritative DNS nameserver, written and maintained by NLnet Labs. It is authoritative only, not recursive: if you need a recursive, caching resolver, consider using Unbound and reading my article “How to configure Unbound on Ubuntu 11.10“.
For a quick guide on deploying DNSSEC with NSD, read my article “How to run NSD with DNSSEC on Ubuntu 11.10“.
I’m going to lead you through an easy step-by-step guide: install, configure and run NSD in a chrooted environment, for both master and slave instances.
[Jan Piet Mens @digdns suggests: Tired of issuing sudo? With the command sudo -i you open a bash shell as root, so…]
Ubuntu already has its NSD package.
sudo apt-get install nsd3
Create the directory tree that lets NSD run chrooted:
sudo mkdir -p /etc/nsd3/var/lib/nsd3
sudo mkdir -p /etc/nsd3/var/run/nsd3
sudo mkdir -p /etc/nsd3/UNSIGNED
NSD is now installed and a sample configuration file has been copied to /etc/nsd3.
Copy /etc/nsd3/nsd.conf.sample to /etc/nsd3/nsd.conf:
sudo cp /etc/nsd3/nsd.conf.sample /etc/nsd3/nsd.conf
Now, edit the configuration file:
sudo vi /etc/nsd3/nsd.conf
uncomment the line
chroot: "/etc/nsd3"
and set the following lines so that every path lies inside the chroot:
database: "/etc/nsd3/var/lib/nsd3/nsd.db"
pidfile: "/etc/nsd3/var/run/nsd3/nsd.pid"
difffile: "/etc/nsd3/var/lib/nsd3/ixfr.db"
xfrdfile: "/etc/nsd3/var/lib/nsd3/xfrd.state"
zonesdir: "/etc/nsd3/UNSIGNED"
under the server section.
Apply the above settings on both the master and the slave server.
Now, on the master, create a demo zone:
zone:
    name: "myzone.demo"
    zonefile: "myzone.demo.zone"
    notify: 192.0.2.2 mykey
    provide-xfr: 192.0.2.2 mykey
    notify-retry: 10
key:
    name: "mykey"
    algorithm: hmac-md5
    secret: "6KM6qiKfwfEpamEq72HQdA=="
where 192.0.2.2 is your slave’s IP address and mykey is the shared TSIG key that secures zone transfers and notifies between master and slave.
Keep in mind what RFC 2182 recommends as best current practice (BCP 16):
[…]
secondary servers should be at geographically distant
locations, so it is unlikely that events like power loss, etc, will
disrupt all of them simultaneously. They should also be connected to
the net via quite diverse paths. This means that the failure of any
one link, or of routing within some segment of the network (such as a
service provider) will not make all of the servers unreachable.
[…]
Then create the zone file myzone.demo.zone in /etc/nsd3/:
sudo vi /etc/nsd3/myzone.demo.zone
myzone.demo. 600 IN SOA ns1.myzone.demo. (
hostmaster.myzone.demo.
2012041400
86400
7200
604800
86400
)
@ NS ns1.myzone.demo.
@ NS ns2.myzone.demo.
@ A 192.0.2.10
www CNAME @
ftp CNAME @
@ MX 0 ASPMX.L.GOOGLE.COM.
@ MX 5 ALT1.ASPMX.L.GOOGLE.COM.
@ MX 5 ALT2.ASPMX.L.GOOGLE.COM.
@ MX 10 ASPMX2.GOOGLEMAIL.COM.
@ MX 10 ASPMX3.GOOGLEMAIL.COM.
Fix the ownership so that the nsd user can read everything under the chroot:
sudo chown -R nsd:nsd /etc/nsd3
Rebuild NSD zones database:
sudo nsdc rebuild
then reload:
sudo nsdc reload
Verify it is running:
sudo netstat -antup|grep ':53'
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1972/nsd
tcp6 0 0 :::53 :::* LISTEN 1972/nsd
udp 0 0 0.0.0.0:53 0.0.0.0:* 1972/nsd
udp6 0 0 :::53 :::* 1972/nsd
Now, your master server should answer some queries:
dig +norec @localhost -t SOA myzone.demo
; <<>> DiG 9.7.3 <<>> +norec @localhost -t SOA myzone.demo
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;myzone.demo. IN SOA
;; ANSWER SECTION:
myzone.demo. 600 IN SOA ns1.myzone.demo. hostmaster.myzone.demo. 2012041400 86400 7200 604800 86400
;; AUTHORITY SECTION:
myzone.demo. 3600 IN NS ns1.myzone.demo.
myzone.demo. 3600 IN NS ns2.myzone.demo.
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 14 15:26:05 2012
;; MSG SIZE rcvd: 112
On your slave server, add the matching zone to /etc/nsd3/nsd.conf, pointing at the master and reusing the same key:
zone:
    name: "myzone.demo"
    zonefile: "myzone.demo.zone"
    allow-notify: 192.0.2.1 mykey
    request-xfr: AXFR 192.0.2.1 mykey
key:
    name: "mykey"
    algorithm: hmac-md5
    secret: "6KM6qiKfwfEpamEq72HQdA=="
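Before rebuilding on the slave, it is worth checking that the master’s and the slave’s nsd.conf agree: the key: section must be identical on both sides, and every notify, provide-xfr, allow-notify and request-xfr line must name a key that the same file defines. The script below does that check for both configurations shown above; it is an added example, not code from this post or from NSD, and it assumes only POSIX sh and awk (the files it writes under mktemp are constructed copies of the stanzas above).

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a master and a
# slave nsd.conf before reloading. Both must carry the same key: section for
# the TSIG key, and every notify/provide-xfr/allow-notify/request-xfr line
# must name a key defined in that same file. Assumes POSIX sh and awk only.

# Print one "name algorithm secret" line per key: section in an nsd.conf
list_keys() {  # $1 = path to nsd.conf
    awk '
        /^[ \t]*key:/ { inkey = 1; name = alg = sec = ""; next }
        /^[ \t]*(server|zone|remote-control):/ { inkey = 0 }
        inkey && /^[ \t]*name:/      { name = $2; gsub(/"/, "", name) }
        inkey && /^[ \t]*algorithm:/ { alg = $2 }
        inkey && /^[ \t]*secret:/    { sec = $2; gsub(/"/, "", sec)
                                       print name, alg, sec; inkey = 0 }
    ' "$1"
}

# Print the distinct key names that notify/xfr options refer to
referenced_keys() {  # $1 = path to nsd.conf
    awk '/^[ \t]*(notify|provide-xfr|allow-notify|request-xfr):/ { print $NF }' "$1" | sort -u
}

# Exit 0 only if key $3 is defined identically in both files and every key
# named by a zone option exists in that file (NOKEY is nsd's "no TSIG" literal)
check_pair() {  # $1 = master nsd.conf, $2 = slave nsd.conf, $3 = key name
    m=$(list_keys "$1" | awk -v k="$3" '$1 == k')
    s=$(list_keys "$2" | awk -v k="$3" '$1 == k')
    [ -n "$m" ] && [ "$m" = "$s" ] || return 1
    for f in "$1" "$2"; do
        for k in $(referenced_keys "$f"); do
            [ "$k" = "NOKEY" ] && continue
            list_keys "$f" | awk -v k="$k" '$1 == k { ok = 1 } END { exit !ok }' || return 1
        done
    done
}

# Demo on constructed files mirroring the post's master and slave stanzas
demo_check() {  # $1 = secret to write into the slave's key: section
    d=$(mktemp -d) || return 2
    printf 'zone:\n  name: "myzone.demo"\n  notify: 192.0.2.2 mykey\n  provide-xfr: 192.0.2.2 mykey\n' > "$d/master.conf"
    printf 'key:\n  name: "mykey"\n  algorithm: hmac-md5\n  secret: "6KM6qiKfwfEpamEq72HQdA=="\n' >> "$d/master.conf"
    printf 'zone:\n  name: "myzone.demo"\n  allow-notify: 192.0.2.1 mykey\n  request-xfr: AXFR 192.0.2.1 mykey\n' > "$d/slave.conf"
    printf 'key:\n  name: "mykey"\n  algorithm: hmac-md5\n  secret: "%s"\n' "$1" >> "$d/slave.conf"
    check_pair "$d/master.conf" "$d/slave.conf" mykey; rc=$?
    rm -rf "$d"; return $rc
}
```

Run check_pair against the real /etc/nsd3/nsd.conf of each host (copied side by side) before the nsdc rebuild; a non-zero exit means the secret, algorithm or key name differ, which is exactly what makes a transfer fail with a TSIG error.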
Rebuild NSD zones database:
sudo nsdc rebuild
then reload:
sudo nsdc reload
Now your slave requests myzone.demo from your master, and you should see the following lines in /var/log/syslog:
nsd[17082]: Handle incoming notify for zone myzone.demo
nsd[23211]: Notify received and accepted, forward to xfrd
nsd[17082]: xfrd: zone myzone.demo committed "xfrd: zone myzone.demo received update to serial 2012041400 at time 1334329391 from 192.0.2.1 in 1 parts TSIG verified with key mykey"
To make NSD write the zone to disk immediately, issue the following command:
sudo nsdc patch
There is also a cron job that issues that command daily:
sudo cat /etc/cron.d/nsd3
#
# Regular cron jobs for the nsd3 package
#
MAILTO=root
17 4 * * * nsd test -x /usr/sbin/nsdc && /usr/sbin/nsdc patch
You should see myzone.demo.zone in /etc/nsd3:
sudo ls /etc/nsd3/
Repeat the query on your slave:
dig @localhost -t SOA myzone.demo
You should get a correct answer to the query.
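A quick way to confirm that the transfer really happened is to compare the SOA serial and the aa flag in the dig output from master and slave, and to look for the “TSIG verified” syslog line on the slave. The script below is an added example, not code from this post or from NSD; it assumes POSIX sh with awk, grep and sed, and runs on constructed copies of the dig output and syslog line shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm the slave serves the
# same zone copy as the master (same SOA serial, both answering with the aa
# flag in `dig +norec -t SOA` output) and that syslog reports the transfer as
# TSIG-verified. Assumes POSIX sh, awk, grep and sed; every dig output and log
# line below is a constructed sample modelled on the post's, not live data.

# Print the SOA serial (7th field of the SOA record) from dig output on stdin
soa_serial() {
    awk '$1 !~ /^;/ && $4 == "SOA" { print $7; exit }'
}

# Exit 0 if the dig output on stdin carries the aa flag (zone really loaded)
is_authoritative() {
    grep -q '^;; flags:.*[ :]aa[ ;]'
}

# Exit 0 when both answers are authoritative and carry the same serial
zones_in_sync() {  # $1 = master dig output, $2 = slave dig output
    printf '%s\n' "$1" | is_authoritative || return 1
    printf '%s\n' "$2" | is_authoritative || return 1
    m=$(printf '%s\n' "$1" | soa_serial)
    s=$(printf '%s\n' "$2" | soa_serial)
    [ -n "$m" ] && [ "$m" = "$s" ]
}

# Print the serial that syslog reports as received with a verified TSIG for
# key $1 (nothing if no such line exists); syslog lines on stdin
tsig_verified_serial() {
    awk -v k="$1" '$0 ~ ("received update to serial .* TSIG verified with key " k "\"?$") {
        for (i = 1; i <= NF; i++) if ($i == "serial") print $(i + 1) }'
}

# Constructed samples: the answer the post shows on the master, the slave's
# identical answer after the transfer, a stale slave still one serial behind,
# and the syslog line the post shows on the slave
MASTER_SOA=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;myzone.demo. IN SOA
myzone.demo. 600 IN SOA ns1.myzone.demo. hostmaster.myzone.demo. 2012041400 86400 7200 604800 86400'
SLAVE_SOA=$MASTER_SOA
STALE_SOA=$(printf '%s\n' "$MASTER_SOA" | sed 's/2012041400/2012041300/')
SYSLOG='nsd[17082]: xfrd: zone myzone.demo committed "xfrd: zone myzone.demo received update to serial 2012041400 at time 1334329391 from 192.0.2.1 in 1 parts TSIG verified with key mykey"'

# Stand-alone run: report the outcome on the constructed samples
if zones_in_sync "$MASTER_SOA" "$SLAVE_SOA"; then echo "in sync"; else echo "OUT OF SYNC"; fi
```

On real hosts, feed zones_in_sync the output of dig +norec @master -t SOA myzone.demo and dig +norec @slave -t SOA myzone.demo, and pipe /var/log/syslog into tsig_verified_serial mykey; an empty result from the latter after a notify is the first thing to investigate.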
Now you have a working scenario with both master and slave instances of NSD.
You’re also encouraged to read the manual:
man 5 nsd.conf
Very good post, thank you.