Assumptions and Clarifications
We are going to configure two existing nsd servers, one on a PowerPC Mac mini and the other in a VM running OpenBSD. We need one domain registered by us; in this case I am using Namecheap. I am not using nsd-control to administer nsd; it is another option.
Configuring Zones without dnssec
In this chapter we are going to configure a zone on both nodes, then test how to transfer it and how to query the new zone.
1. Preparing the Master node
You need to create your zone file in /var/nsd/zones/master. There are several ways to write this file, and the one below is not the best configuration.
dalmine# cat restauradordeleyes.cloud.zone
$ORIGIN restauradordeleyes.cloud.
$TTL 300
@ 3600 IN SOA facundo.restauradordeleyes.cloud. restauradordeleyes.cloud. (
2021041320 ; serial
1440 ; refresh
3600 ; retry
4800 ; expire
600 ) ; minimum TTL
@ IN NS facundo.restauradoredeleyes.cloud.
@ IN NS estanislao.restauradoredeleyes.cloud.
facundo IN A IP_OF_MASTER
estanislao IN A IP_OF_SLAVE
www IN A IP_OF_WEB_SERVER
dalmine#
Then you can check it.
dalmine# nsd-checkzone restauradordeleyes.cloud restauradordeleyes.cloud.zone
zone restauradordeleyes.cloud is ok
dalmine#
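nsd-checkzone validates syntax, but it will not tell you that an NS target spells the origin differently from $ORIGIN (so the delegation points outside the zone) or that the SOA serial has drifted away from the YYYYMMDDnn convention used above. The Python below is an added example written for this page, not code from the tutorial or from NSD: it parses a constructed zone modelled on the one above (placeholder names and addresses) and flags both conditions; the "mistyped origin" heuristic is my own.

```python
import re
# Constructed sample modelled on the tutorial's zone; names and addresses are placeholders.
GOOD_ZONE = """\
$ORIGIN example.test.
@ 3600 IN SOA ns1.example.test. hostmaster.example.test. (
    2021041320 1440 3600 4800 600 ) ; serial refresh retry expire minimum
@ IN NS ns1.example.test.
@ IN NS ns2.example.test.
ns1 IN A 192.0.2.1
ns2 IN A 192.0.2.2
"""

def _records(text):
    """Yield token lists, with ';' comments dropped and '( ... )' continuations joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            buf.append(line)
            depth += line.count("(") - line.count(")")
            if depth == 0:
                yield " ".join(buf).replace("(", " ").replace(")", " ").split()
                buf = []

def _absolute(name, origin):  # expand '@' and relative names against $ORIGIN
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def check_zone(text):
    """Return a list of problems; an empty list means every check passed."""
    origin, serial, ns_targets, addr_owners, problems = None, None, [], set(), []
    for tokens in _records(text):
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
        if tokens[0].startswith("$") or origin is None:
            continue  # directives carry no records; records before $ORIGIN are ignored
        i = next(k for k, t in enumerate(tokens[1:], 1) if not (t.isdigit() or t.upper() in ("IN", "CH", "HS")))  # skip TTL/class
        rtype, rdata = tokens[i].upper(), tokens[i + 1:]
        if rtype == "SOA":
            serial = rdata[2]
        elif rtype == "NS":
            ns_targets.append(_absolute(rdata[0], origin))
        elif rtype in ("A", "AAAA"):
            addr_owners.add(_absolute(tokens[0], origin))
    if not re.fullmatch(r"20\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}", serial or ""):
        problems.append(f"SOA serial {serial} does not follow the YYYYMMDDnn convention")
    for target in ns_targets:  # in-zone NS needs an address record; out-of-zone NS mirroring an in-zone host is suspect
        label, in_zone = target.split(".")[0], target.endswith("." + origin)
        if (in_zone and target not in addr_owners) or (not in_zone and f"{label}.{origin}" in addr_owners):
            problems.append(f"NS {target}: no in-zone address record matches it (missing glue or mistyped origin?)")
    return problems
```

Run it over the real file with check_zone(open("/var/nsd/zones/master/your.zone").read()) before nsd-checkzone; it reads the same master-file syntax.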
Create the tsig key
You need to have the ldns tools installed; then use the contents of the private key file as the secret.
dalmine# ldns-keygen -r /dev/urandom -a hmac-sha512 restaurador.cloud
Krestaurador.cloud.+165+35358
dalmine#
dalmine# ls -ltrh|grep -i restaurador.cloud
-rw------- 1 root wheel 148B Apr 13 22:41 Krestaurador.cloud.+165+35358.private
-rw-r--r-- 1 root wheel 123B Apr 13 22:41 Krestaurador.cloud.+165+35358.key
dalmine#
You need to add this part to your existing configuration:
key:
name: "restauradordeleyes.cloud"
algorithm: hmac-sha256
secret: "xxxxx=="
zone:
name: "restauradordeleyes.cloud"
zonefile: "master/restauradordeleyes.cloud.zone"
notify: IP_SLAVE restauradordeleyes.cloud
provide-xfr: IP_SLAVE restauradordeleyes.cloud
Then check the status of the main config.
dalmine# nsd-checkconf /var/nsd/etc/nsd.conf
dalmine# echo $?
0
dalmine#
dalmine# tail -f /var/log/nsd.log
[2021-04-13 23:04:36.148] nsd[4031]: notice: nsd starting (NSD 4.3.2)
[2021-04-13 23:04:36.149] nsd[4031]: notice: listen on ip-address 172.16.1.23@53 (udp) with server(s): *
[2021-04-13 23:04:36.149] nsd[4031]: notice: listen on ip-address 172.16.1.23@53 (tcp) with server(s): *
[2021-04-13 23:04:36.151] nsd[4031]: info: creating unix socket /var/run/nsd.sock
[2021-04-13 23:04:36.497] nsd[13397]: info: zone juanmanuelderosas.cloud read with success
[2021-04-13 23:04:36.498] nsd[13397]: info: rehash of zone juanmanuelderosas.cloud. with parameters 1 0 1 809a4ccb9ee6beb6
[2021-04-13 23:04:36.498] nsd[13397]: info: zone restauradordeleyes.cloud read with success
[2021-04-13 23:04:36.511] nsd[13397]: notice: nsd started (NSD 4.3.2), pid 34869
[2021-04-13 23:04:36.529] nsd[4031]: error: xfrd: zone restauradordeleyes.cloud: received notify response error NAME ERROR from 46.23.93.139
This error is something you can check later, because we do not have the second node configured yet.
Now do a short internal query.
dalmine# dig www.restauradordeleyes.cloud @172.16.1.23
; <<>> DiG 9.4.2-P2 <<>> www.restauradordeleyes.cloud @172.16.1.23
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64820
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.restauradordeleyes.cloud. IN A
;; ANSWER SECTION:
www.restauradordeleyes.cloud. 300 IN A WEB_SERVER_IP
;; AUTHORITY SECTION:
restauradordeleyes.cloud. 300 IN NS facundo.restauradoredeleyes.cloud.
restauradordeleyes.cloud. 300 IN NS estanislao.restauradoredeleyes.cloud.
;; Query time: 2 msec
;; SERVER: 172.16.1.23#53(172.16.1.23)
;; WHEN: Tue Apr 13 23:07:06 2021
;; MSG SIZE rcvd: 129
dalmine#
Now we are ready to continue with the slave node.
dalmine# nsd-control zonestatus
zone: restauradordeleyes.cloud
state: master
dalmine#
2. Preparing the Slave node
Now we need to define these entries in nsd.conf. You need to use the same key created on the master node.
key:
name: "restauradordeleyes.cloud"
algorithm: hmac-sha256
secret: "xxxxx=="
zone:
name: "restauradordeleyes.cloud"
zonefile: "master/restauradordeleyes.cloud.zone"
allow-notify: IP_MASTER_NODE restauradordeleyes.cloud
request-xfr: IP_MASTER_NODE restauradordeleyes.cloud
3. Preparing the zone transfer
Check it
mail# nsd-checkconf /var/nsd/etc/nsd.conf
mail# echo $?
0
mail#
mail# nsd-control zonestatus
zone: restauradordeleyes.cloud
state: ok
served-serial: "2021041320 since 2021-04-13T23:24:06"
commit-serial: "2021041320 since 2021-04-13T23:24:06"
wait: "1433 sec between attempts"
mail# nsd-control force_transfer restauradordeleyes.cloud
ok
mail#
mail# nsd-control zonestatus
zone: restauradordeleyes.cloud
state: ok
served-serial: "2021041320 since 2021-04-13T23:26:04"
commit-serial: "2021041320 since 2021-04-13T23:26:04"
wait: "1303 sec between attempts"
mail# tail -f /var/log/nsd.log
[2021-04-13 23:24:07.772] nsd[69984]: info: zone restauradordeleyes.cloud serial 0 is updated to 2021041320
[2021-04-13 23:24:30.926] nsd[69984]: info: new control connection from /var/run/nsd.sock
[2021-04-13 23:24:30.926] nsd[69984]: info: control cmd: zonestatus
[2021-04-13 23:26:05.030] nsd[69984]: info: new control connection from /var/run/nsd.sock
[2021-04-13 23:26:05.030] nsd[69984]: info: control cmd: force_transfer restauradordeleyes.cloud
[2021-04-13 23:26:05.055] nsd[69984]: info: xfrd: zone restauradordeleyes.cloud committed "received update to serial 2021041320 at 2021-04-13T23:26:05 from 45.138.230.237 TSIG verified with key restauradordeleyes.cloud"
[2021-04-13 23:26:05.056] nsd[29229]: info: zone restauradordeleyes.cloud. received update to serial 2021041320 at 2021-04-13T23:26:05 from 45.138.230.237 TSIG verified with key restauradordeleyes.cloud of 252 bytes in 8.5e-05 seconds
[2021-04-13 23:26:05.064] nsd[69984]: info: zone restauradordeleyes.cloud serial 2021041320 is updated to 2021041320
[2021-04-13 23:26:13.970] nsd[69984]: info: new control connection from /var/run/nsd.sock
[2021-04-13 23:26:13.970] nsd[69984]: info: control cmd: zonestatus
mail# dig www.restauradordeleyes.cloud @localhost
; <<>> DiG 9.4.2-P2 <<>> www.restauradordeleyes.cloud @SLAVE_IP
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38179
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.restauradordeleyes.cloud. IN A
;; ANSWER SECTION:
www.restauradordeleyes.cloud. 300 IN A SLAVE_IP
;; Query time: 0 msec
;; SERVER: SLAVE_IP#53(SLAVE_IP)
;; WHEN: Tue Apr 13 23:29:33 2021
;; MSG SIZE rcvd: 62
mail#
mail# dig ANY restauradordeleyes.cloud. @SLAVE_IP +norec +short
;; Truncated, retrying in TCP mode.
facundo.restauradordeleyes.cloud. restauradordeleyes.cloud. 2021041320 1440 3600 4800 600
mail#
The zone file is not there, so you can force writing it. I really do not know why it is not there; this is something I need to read about, to understand how that part works.
mail# nsd-control write restauradordeleyes.cloud
ok
mail# tail -f /var/log/nsd.log
[2021-04-13 23:26:05.030] nsd[69984]: info: control cmd: force_transfer restauradordeleyes.cloud
[2021-04-13 23:26:05.055] nsd[69984]: info: xfrd: zone restauradordeleyes.cloud committed "received update to serial 2021041320 at 2021-04-13T23:26:05 from 45.138.230.237 TSIG verified with key restauradordeleyes.cloud"
[2021-04-13 23:26:05.056] nsd[29229]: info: zone restauradordeleyes.cloud. received update to serial 2021041320 at 2021-04-13T23:26:05 from 45.138.230.237 TSIG verified with key restauradordeleyes.cloud of 252 bytes in 8.5e-05 seconds
[2021-04-13 23:26:05.064] nsd[69984]: info: zone restauradordeleyes.cloud serial 2021041320 is updated to 2021041320
[2021-04-13 23:26:13.970] nsd[69984]: info: new control connection from /var/run/nsd.sock
[2021-04-13 23:26:13.970] nsd[69984]: info: control cmd: zonestatus
[2021-04-13 23:27:49.764] nsd[29229]: info: writing zone restauradordeleyes.cloud to file master/restauradordeleyes.cloud.zone
[2021-04-13 23:28:55.232] nsd[82990]: info: axfr for villadalmine.club. from XXXXXX
[2021-04-13 23:33:14.455] nsd[69984]: info: new control connection from /var/run/nsd.sock
[2021-04-13 23:33:14.455] nsd[69984]: info: control cmd: write restauradordeleyes.cloud
mail# ls -ltrh
-rw-r--r-- 1 _nsd _nsd 575B Apr 13 23:38 restauradordeleyes.cloud.zone
mail#
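Once transfers work, the log lines above are what you keep auditing: every incoming update should come from the configured master and carry "TSIG verified with key", every outbound axfr should go to a configured slave, and serials should only move forward. The Python below is an added example written for this page, not code from the tutorial or from NSD; it runs over a constructed nsd.log excerpt modelled on the lines above, with placeholder zone, addresses and policy table, and assumes an update received without a key simply lacks the "TSIG verified with key" phrase.

```python
import re

# Expected peers per zone, mirroring the notify/provide-xfr lines on the master and the
# allow-notify/request-xfr lines on the slave. Addresses are constructed placeholders.
POLICY = {"example.test": {"master": "192.0.2.10", "key": "example.test", "slaves": {"192.0.2.20"}}}

# Constructed nsd.log excerpt modelled on the tutorial's output. The fourth line assumes that an
# update received without a key simply lacks the "TSIG verified with key" phrase.
LOG = """\
[2021-04-13 23:04:36.529] nsd[4031]: error: xfrd: zone example.test: received notify response error NAME ERROR from 198.51.100.7
[2021-04-13 23:26:05.056] nsd[29229]: info: zone example.test. received update to serial 2021041320 at 2021-04-13T23:26:05 from 192.0.2.10 TSIG verified with key example.test of 252 bytes in 8.5e-05 seconds
[2021-04-13 23:28:55.232] nsd[82990]: info: axfr for example.test. from 192.0.2.20
[2021-04-14 09:00:01.000] nsd[29229]: info: zone example.test. received update to serial 2021041321 at 2021-04-14T09:00:01 from 203.0.113.9 of 260 bytes in 9.0e-05 seconds
[2021-04-14 09:05:00.000] nsd[82990]: info: axfr for example.test. from 203.0.113.9
[2021-04-14 10:00:00.000] nsd[29229]: info: zone example.test. received update to serial 2021041300 at 2021-04-14T10:00:00 from 192.0.2.10 TSIG verified with key example.test of 252 bytes in 8.0e-05 seconds
"""

UPDATE = re.compile(r"zone (\S+?)\.? received update to serial (\d+) at \S+ from (\S+)(?: TSIG verified with key (\S+))?")
AXFR = re.compile(r"axfr for (\S+?)\.? from (\S+)")
NOTIFY_ERR = re.compile(r"zone (\S+): received notify response error (.+?) from (\S+)$")

def audit(log, policy):
    """Return (severity, message) pairs for transfer events that deviate from the policy."""
    findings, last_serial = [], {}
    for line in log.splitlines():
        if m := UPDATE.search(line):
            zone, serial, src, key = m.group(1), int(m.group(2)), m.group(3), m.group(4)
            want = policy.get(zone)
            if want is None:
                findings.append(("warn", f"{zone}: update received for a zone with no policy entry"))
                continue
            if src != want["master"]:
                findings.append(("alert", f"{zone}: update from {src}, expected master {want['master']}"))
            if key != want["key"]:
                findings.append(("alert", f"{zone}: update not TSIG verified with key {want['key']} (got {key})"))
            if serial < last_serial.get(zone, 0):
                findings.append(("warn", f"{zone}: serial went backwards {last_serial[zone]} -> {serial}"))
            last_serial[zone] = max(serial, last_serial.get(zone, 0))
        elif m := AXFR.search(line):
            zone, peer = m.groups()  # outbound full transfer served by this node
            if peer not in policy.get(zone, {}).get("slaves", set()):
                findings.append(("alert", f"{zone}: full zone transfer served to unexpected peer {peer}"))
        elif m := NOTIFY_ERR.search(line):
            zone, err, peer = m.groups()  # the tutorial sees this before the slave is configured
            findings.append(("info", f"{zone}: notify to {peer} answered {err}"))
    return findings
```

On a live node, feed it the output of tail /var/log/nsd.log and fill POLICY from the key and zone stanzas of your own nsd.conf.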
You can also test the AXFR with dig:
dig axfr example.com @ns1.example.com
dig axfr example.com @ns2.example.com
4. Tests
There are several web pages that test the quality of a DNS configuration.