Hi:

I'm testing nsd to be used as slave of a ccTLD (following the idea
proposed by Stephen).

I haven't good experience about it. The primary is a BIND 9 server,
sending notifies to my testing server. nsd seems to ignore notifies and
avoid periodical retries as specified in REFRESH soa param.

The server is able to transfer the zone and compile it with zonec free
of problems. If I run 'nsdc update' everything goes ok.

What should I do to prepare a nsd to be slave? I know it is possible, as
told by Stephen and the root servers managers.

Best Regards
--
Sebastian E. Castro Avila
sebastian at nic.cl
Administrador de DNS, NIC Chile
Agustinas 1357 Piso 4
Santiago, Chile
Cod. Postal 6500587
Phone: +56-2-9407705
Fax  : +56-2-9407701

On Wed, Jul 09, 2003 at 10:12:15AM -0400,
Sebastian Castro <secastro at nic.cl> wrote
a message of 29 lines which said:

> I haven't good experience about it. The primary is a BIND 9 server,
> sending notifies to my testing server. nsd seems to ignore notifies

Indeed. I believe it is even documented somewhere.

> What should I do to prepare a nsd to be slave?

Two realistic solutions and an experimental one:

* use a "logfile monitor" (we use SEC
  <URL:http://kodu.neti.ee/~risto/sec>) with a regexp of
  "nsd.*notify from" and an action of "nsdc update".

* use cron to recompile every hour or less (ns2.nic.fr receives one
  NOTIFY every ten minutes, there is not really any point in waiting
  for them, we just recompile periodically).

* (Untested) see what's new in NSD 1.2 (just released). Maybe there is
  a notify-handler plugin?

[Quoting Sebastian Castro, on Jul 9, 16:12, in "nsd running as slave ..."]
> sending notifies to my testing server. nsd seems to ignore notifies and

That's correct.

> avoid periodical retries as specified in REFRESH soa param.

That's also correct.

> The server is able to transfer the zone and compile it with zonec free
> of problems. If I run 'nsdc update' everything goes ok.

NSD expects you to put 'nsdc update' in crontab. Please look in the
README under
   3.3 Keeping in sync the secondary zones with ``nsdc update''

There were good reasons to do it like this (keep the daemon light weight).

However, people are looking into a plugin, reacting properly
on incoming notifies. Plugins are supported as of version 1.2.

-- ted

Hi Sebastian,

I would not run a nameserver in slave mode in a registry environment.
The best thing would be if you run all nameservers as master. You have
to provide the zonefile to all the nameservers and then recompile the
zonefile at the nameserver which runs nsd. With the bind nameserver you
proceed as normal. There are a lot of possibilities to implement this
way. If you need help, please ask for it.

Best Regards
Sven-Holger

On Wed, 2003-07-09 at 16:12, Sebastian Castro wrote:
> Hi:
>
> I'm testing nsd to be used as slave of a ccTLD (following the idea
> proposed by Stephen).
>
> I haven't good experience about it. The primary is a BIND 9 server,
> sending notifies to my testing server. nsd seems to ignore notifies and
> avoid periodical retries as specified in REFRESH soa param.
>
> The server is able to transfer the zone and compile it with zonec free
> of problems. If I run 'nsdc update' everything goes ok.
>
> What should I do to prepare a nsd to be slave? I know it is possible, as
> told by Stephen and the root servers managers.
>
>
> Best Regards
--
___________________________________________________________________
Sven-Holger Wabnitz
DSS Gesellschaft fuer Digitale Sicherheit mbH
phone +49 2222 990-0 ** fax +49 2222 990-444
http://www.digital-security.com ** http://www.dominic.de

From the Portland Pattern Repository (de facto home of the
extreme programming discipline), hosted by Cunningham & Cunningham.
"Life's too short to write code that nobody wants."

[Quoting Alexis Yushin, on Jul 9, 17:22, in "Re: nsd running as s ..."]
> Once Ted Lindgreen wrote:
> ...
> >There were good reasons to do it like this (keep the daemon light weight).
> >
> >However, people are looking into a plugin, reacting properly
> >on incoming notifies. Plugins are supported as of version 1.2.
>
> Which would only be useful if NSD database is split into zones, as
> opposed to one flat namespace we have now.

Perhaps I miss something, but what I thought that people want
is, just to run "nsdc update" when a notify arrives (in contrast
to "when crontab thinks it's time").

The "nsdc update" will then do the right thing (rebuild the
database and signal nsd when necessary or do nothing).

A trivial plugin can do some sanity check on arrival of a notify
and then fork and exec "nsdc update".
The sanity check is wise to prevent vulnerability to DoSsing
by a notify flood. I guess a simple timer (ignore new notifies
for xx seconds/minutes after having forked+execed) would suffice.

-- ted
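
The logfile-monitor approach from earlier in the thread combined with the hold-off timer suggested in the last message, as an added example that is not from any poster and is not NSD code. Assumptions: the `NotifyTrigger` name, the 300-second hold-off, the log path, and the choice to run one deferred update after the hold-off instead of dropping notifies outright, so a real change that arrives during a flood is still picked up.

```python
import re
import subprocess
import time
NOTIFY_RE = re.compile(r"nsd.*notify from")  # regexp quoted in the thread
UPDATE_CMD = ["nsdc", "update"]   # fixed argv: no text from the log reaches it
COOLDOWN = 300                    # assumption: the "xx seconds" hold-off
LOG_PATH = "/var/log/daemon.log"  # assumption: where syslog writes nsd lines

class NotifyTrigger:
    """Run UPDATE_CMD on a logged NOTIFY, at most once per hold-off window."""
    def __init__(self, cooldown=COOLDOWN, run=None, clock=time.monotonic):
        self.cooldown = cooldown
        self.run = run or (lambda: subprocess.run(UPDATE_CMD, check=False))
        self.clock = clock
        self.last_run = None
        self.pending = False      # a NOTIFY arrived during the hold-off

    def _ready(self):
        return self.last_run is None or self.clock() - self.last_run >= self.cooldown
    def _fire(self):
        self.pending = False
        self.run()                # blocks until the update finishes
        self.last_run = self.clock()
        return True

    def feed(self, line):
        """Handle one log line; return True if it started an update."""
        if not NOTIFY_RE.search(line):
            return False
        if self._ready():
            return self._fire()
        self.pending = True       # burst or flood: remember it, do not run again
        return False

    def tick(self):
        """Call when idle: run the single deferred update after the hold-off."""
        return self.pending and self._ready() and self._fire()

def follow(path, trigger, poll=1.0):  # like tail -f on the log file
    with open(path, "r", errors="replace") as log:
        log.seek(0, 2)            # start at the end; old entries are not replayed
        while True:
            line = log.readline()
            if line:
                trigger.feed(line)
            else:
                trigger.tick()
                time.sleep(poll)
if __name__ == "__main__":
    follow(LOG_PATH, NotifyTrigger())
```

The loop does not follow log rotation, so restart it from the rotation hook and keep the hourly cron run of `nsdc update` as a fallback.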