Back in the good old days, I managed my DNS zone files by checking them into the repo, and then running svn up on the name servers. When I started using Let’s Encrypt, I stopped doing that because of the use of nsupdate.
This post outlines how I added two new zones to my nameservers:
- vbsdcon.org
- vbsdcon.com
The zone files
Here is the zone I created.
$ cat vbsdcon.org.db
vbsdcon.org. 3600 IN SOA ns1.unixathome.org. soa.unixathome.org. 2019060400 10800 1800 1209600 86400
vbsdcon.org. 3600 IN NS ns1.unixathome.org.
vbsdcon.org. 3600 IN NS ns2.unixathome.org.
vbsdcon.org. 3600 IN NS ns3.unixathome.org.
vbsdcon.org. 600 IN A 162.208.116.97
vbsdcon.org. 600 IN MX 10 in1-smtp.messagingengine.com.
vbsdcon.org. 600 IN MX 20 in2-smtp.messagingengine.com.
vbsdcon.org. 600 IN TXT "v=spf1 ~all"
vbsdcon.org. 600 IN SPF "v=spf1 ~all"
www.vbsdcon.org. 600 IN A 162.208.116.97
The vbsdcon.com.db file looked very similar.
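Before a new zone file goes to the hidden master, it is worth running a quick sanity check over it: a single SOA with a date-based serial, at least two NS records, fully qualified targets (a missing trailing dot silently expands the name relative to the origin), and a correct serial bump on every later edit. The following is an added example, not code from the post; the sample zone text is constructed from the vbsdcon.org.db file shown above, and the function and check names are my own.

```python
"""Sanity checks for a BIND zone file before copying it to the hidden master."""
import ipaddress
import re
from datetime import date

# Constructed sample: the vbsdcon.org zone from the post, one record per line.
SAMPLE_ZONE = """\
vbsdcon.org. 3600 IN SOA ns1.unixathome.org. soa.unixathome.org. 2019060400 10800 1800 1209600 86400
vbsdcon.org. 3600 IN NS ns1.unixathome.org.
vbsdcon.org. 3600 IN NS ns2.unixathome.org.
vbsdcon.org. 3600 IN NS ns3.unixathome.org.
vbsdcon.org. 600 IN A 162.208.116.97
vbsdcon.org. 600 IN MX 10 in1-smtp.messagingengine.com.
vbsdcon.org. 600 IN MX 20 in2-smtp.messagingengine.com.
vbsdcon.org. 600 IN TXT "v=spf1 ~all"
vbsdcon.org. 600 IN SPF "v=spf1 ~all"
www.vbsdcon.org. 600 IN A 162.208.116.97
"""

SERIAL_RE = re.compile(r"^\d{10}$")  # YYYYMMDDnn convention used in the post


def parse_zone(text):
    """Parse fully qualified 'owner ttl class type rdata' lines; skip comments and $ directives."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            raise ValueError(f"malformed record: {line!r}")
        owner, ttl, klass, rtype, rdata = parts
        records.append({"owner": owner, "ttl": int(ttl), "class": klass,
                        "type": rtype, "rdata": rdata})
    return records


def check_zone(records, origin):
    """Return (errors, warnings) for a parsed zone whose apex is `origin` (with trailing dot)."""
    errors, warnings = [], []
    soas = [r for r in records if r["type"] == "SOA" and r["owner"] == origin]
    if len(soas) != 1:
        errors.append(f"expected exactly one SOA for {origin}, found {len(soas)}")
    else:
        fields = soas[0]["rdata"].split()
        if len(fields) != 7:
            errors.append("SOA rdata must have 7 fields (mname rname serial refresh retry expire minimum)")
        else:
            serial = fields[2]
            if not SERIAL_RE.match(serial):
                errors.append(f"SOA serial {serial} is not in YYYYMMDDnn form")
            else:
                try:
                    date(int(serial[:4]), int(serial[4:6]), int(serial[6:8]))
                except ValueError:
                    errors.append(f"SOA serial {serial} does not start with a valid date")
            for name in fields[:2]:
                if not name.endswith("."):
                    errors.append(f"SOA name {name} lacks trailing dot")
    if len([r for r in records if r["type"] == "NS" and r["owner"] == origin]) < 2:
        errors.append(f"fewer than two NS records at {origin}")
    for r in records:
        if not r["owner"].endswith(origin):
            errors.append(f"owner {r['owner']} is outside {origin}")
        if r["class"] != "IN":
            errors.append(f"unexpected class {r['class']} on {r['owner']}")
        if r["type"] in ("NS", "MX", "CNAME"):
            target = r["rdata"].split()[-1]
            if not target.endswith("."):
                errors.append(f"{r['type']} target {target} lacks trailing dot (would expand relative to origin)")
        elif r["type"] == "A":
            try:
                ipaddress.IPv4Address(r["rdata"])
            except ValueError:
                errors.append(f"A record {r['owner']} has invalid address {r['rdata']}")
        elif r["type"] == "SPF":
            warnings.append("SPF RRtype (type 99) is deprecated by RFC 7208; the TXT copy is the one that counts")
    return errors, warnings


def bump_serial(current, today=None):
    """Next serial in YYYYMMDDnn form: today's date with nn=00, or current+1 if already today."""
    today = today or date.today()
    prefix = int(today.strftime("%Y%m%d"))
    if current // 100 < prefix:
        return prefix * 100
    if current % 100 == 99:
        raise ValueError("serial counter exhausted for this date prefix")
    return current + 1


if __name__ == "__main__":
    errs, warns = check_zone(parse_zone(SAMPLE_ZONE), "vbsdcon.org.")
    print("errors:", errs)
    print("warnings:", warns)
    print("next serial:", bump_serial(2019060400, date(2019, 6, 4)))
```

This is a pre-flight check only; named-checkzone remains the authoritative validator and should still be run on the master before `service named reload`.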
First, I copied these files to dns-hidden-master:
[dan@mydev:~/dns-public-BRANCH] $ scp vbsdcon.com.db vbsdcon.org.db zones.primary zones.primary.for.secondary.servers dns-hidden-master:
vbsdcon.com.db 100% 508 1.2MB/s 00:00
vbsdcon.org.db 100% 508 1.6MB/s 00:00
zones.primary 100% 6926 11.7MB/s 00:00
zones.primary.for.secondary.servers 100% 4536 10.6MB/s 00:00
[dan@mydev:~/dns-public-BRANCH] $
On my dns-hidden-master server, I added these files to /usr/local/etc/namedb/working/zones:
[dan@dns-hidden-master:/usr/local/etc/namedb/working/zones] $ sudo cp -i ~/vbsdcon.* .
I adjusted the ownership:
$ sudo chown bind:bind vbsdcon.*
$ ls -l vbsdcon.*
-rw-r--r-- 1 bind bind 508 Jun 4 18:19 vbsdcon.com.db
-rw-r--r-- 1 bind bind 508 Jun 4 18:19 vbsdcon.org.db
The zone configuration files
In my named.conf file, I have this line:
include "zones.primary";
or perhaps:
include "zones.primary.for.secondary.servers";
On the hidden master (the zones.primary include), here is the patch which shows what I added for my new zones:
+zone "vbsdcon.com" { + type master; + file "zones/vbsdcon.com.db"; + allow-transfer { AllowZoneTransfer; }; + update-policy { grant certs.int.unixathome.com zonesub TXT; }; + also-notify { SlaveServersToNotify; }; +}; + +zone "vbsdcon.org" { + type master; + file "zones/vbsdcon.org.db"; + allow-transfer { AllowZoneTransfer; }; + update-policy { grant certs.int.unixathome.org zonesub TXT; }; + also-notify { SlaveServersToNotify; }; +}; +
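Review bot: the update-policy grant names a different key for each zone (certs.int.unixathome.com for vbsdcon.com, certs.int.unixathome.org for vbsdcon.org); unless both keys are defined in named.conf, the nsupdate run by the Let's Encrypt client will be refused for the zone whose key is missing, so confirm both with named-checkconf and, if one of them is a copy-paste slip, use the same key name in both stanzas. The `zonesub TXT` scope is the right least-privilege choice here: the key can only add or remove TXT records inside that zone, nothing else.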
And for secondaries:
+zone "vbsdcon.org" { + type slave; + file "secondary/vbsdcon.org.db"; + masters { HiddenMaster; }; + allow-transfer { AllowZoneTransfer; }; + notify no; +}; + +zone "vbsdcon.com" { + type slave; + file "secondary/vbsdcon.com.db"; + masters { HiddenMaster; }; + allow-transfer { AllowZoneTransfer; }; + notify no; +}; +
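Review bot: `notify no` on the secondaries fits the design, since the hidden master already notifies them through also-notify, but `allow-transfer { AllowZoneTransfer; }` is repeated on every public secondary, so that ACL should be checked to make sure it lists only the name servers and does not hand the full zone to arbitrary clients. The `secondary/` directory named in `file` must also be writable by the user named runs as, or the transferred copy cannot be saved and the zone will not load after a restart.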
I reloaded named on dns-hidden-master via:
service named reload
I did the same on each DNS host so they would pick up the new zone files.
This seems to have worked, but I may have missed a step in my documentation above.