Jul's page (Hungarian) : Jul's packages : djbdns-conf : frequently asked questions

Service creation

How can I do secondary name service?

Answer: First, create a slaves subdirectory in the root/ directory if it does not exist yet, and create a slaves/masters file:

     su -
     cd /etc/tinydns
     mkdir slaves
     cp /package/admin/djbdns-conf/etc/masters.in slaves/masters

Then you can run tinydns-rebuild from crontab. The automatically generated Makefile is useful for this:

     MAILTO=""
     0 1,13 * * * dnsadmin make -C /etc/tinydns/root cron

If you want to do secondary service via ssh, install djbdns with the multiple tinydns-data files patch, together with djbdns-conf, on the remote side. Create a dnsread account that is a member of the dnsadmin group (as the dnsadmin user itself is). Generate ssh keys with no passphrase for the local dnsadmin user, and add the new public key (either ~dnsadmin/.ssh/identity.pub for SSH1 or ~dnsadmin/.ssh/id_dsa.pub for SSH2) to the remote dnsread user's ~/.ssh/authorized_keys (SSH1) or ~/.ssh/authorized_keys2 (SSH2) file. Here's an example for the SSH2 version:

     su - dnsadmin
       (type in your dnsadmin password)
     ssh-keygen -d
       (press enter until the prompt appears again)
     cat .ssh/id_dsa.pub | ssh dnsread@<remotehost> 'umask 077; mkdir -p .ssh; cat - >> .ssh/authorized_keys2'
       (allow ssh to register remotehost in its .ssh/known_hosts2 and
        type in the remote host's dnsread password)

Make the local /etc/tinydns fully writable by the dnsadmin user, and the remote /etc/tinydns readable by the dnsadmin group. Make the local /etc/tinydns/slaves accessible only by the dnsadmin user. You can do it symmetrically on all hosts:

     su -
     cd /etc/tinydns
     chmod 2750 .
     chown -R dnsadmin:dnsadmin .
     chmod 644 *.conf
     chmod 2700 slaves
     chmod 600 slaves/masters
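As an added check that is not part of djbdns-conf: a small shell function that audits the ownership and modes just listed on a host, so that a drift (for example a world-readable slaves/masters) shows up before the next tinydns-rebuild. It assumes GNU stat on Linux; the directory, user and group names are arguments, so the same function can be pointed at /etc/tinydns with dnsadmin:dnsadmin or at a test tree.

```shell
#!/bin/sh
# Audit the /etc/tinydns layout required for ssh-based secondary service.
# Added example, not djbdns-conf code; assumes GNU stat (-c format).

mode_of()  { stat -c '%a' "$1"; }      # octal mode including setgid, e.g. 2750
owner_of() { stat -c '%U:%G' "$1"; }   # user:group

# check_tinydns_layout ROOT USER GROUP
# Prints one line per deviation from the expected layout and returns 1 if
# anything deviates, 0 if the tree matches.
check_tinydns_layout() {
    root=$1 user=$2 group=$3 bad=0

    # expect PATH MODE: compare mode and owner of one path
    expect() {
        [ -e "$1" ] || { echo "missing: $1"; bad=1; return; }
        m=$(mode_of "$1"); o=$(owner_of "$1")
        [ "$m" = "$2" ] || { echo "$1: mode $m, want $2"; bad=1; }
        [ "$o" = "$user:$group" ] || { echo "$1: owner $o, want $user:$group"; bad=1; }
    }

    expect "$root" 2750                 # group can read, setgid keeps group
    expect "$root/slaves" 2700          # slaves is private to the dnsadmin user
    expect "$root/slaves/masters" 600
    for f in "$root"/*.conf; do         # *.conf files are world-readable
        [ -e "$f" ] && expect "$f" 644
    done
    return $bad
}

# Usage: sh check-tinydns.sh /etc/tinydns dnsadmin dnsadmin
[ $# -gt 0 ] && check_tinydns_layout "$1" "${2:-dnsadmin}" "${3:-dnsadmin}"
```

The function returns non-zero on any deviation, so it can run from the same crontab as tinydns-rebuild and mail its output only when something is off.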

How can I do dynamic name service to Unix clients?

Answer: Do it with ssh2. Create a private key with no passphrase for each client, and put their public counterparts into dnsadmin's ~/.ssh/authorized_keys file like this (all on one line, of course):

     no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/home/dnsadmin/bin/regdyn clientname domainname" public key

Change /home/dnsadmin to dnsadmin's home directory, clientname to the client's name, and public key to the client's public key.
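A key in that file without the restriction options and the command= part is an ordinary login key for the dnsadmin account, so it is worth checking the file after every addition. As an added example (not part of djbdns-conf), the function below reads an authorized_keys file and reports every key that lacks one of the options from the line above; it also requires no-pty, which the line above does not use but which is a standard OpenSSH option that stops a client from getting a terminal. The regdyn path and the sample keys are constructed for the example.

```shell
#!/bin/sh
# Audit dnsadmin's authorized_keys for dynamic-DNS client keys.
# Added example, not djbdns-conf code.

REGDYN=/home/dnsadmin/bin/regdyn    # path used in the authorized_keys line (assumed)

# check_dyn_keys FILE
# Prints "line N: missing OPTION" for every key that lacks a required option.
# Returns 1 if any key is deficient, 0 if every key is restricted.
check_dyn_keys() {
    bad=0
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        # The forced command must start with regdyn followed by a space, so
        # the client name and domain are fixed by the key, not by the client.
        for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding \
                   no-pty "command=\"$REGDYN "; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "line $n: missing $opt"; bad=1 ;;
            esac
        done
    done < "$1"
    return $bad
}

# Constructed sample file: the key blobs are placeholders, not real keys.
# Line 1 is complete, line 2 lacks three options, line 3 is unrestricted.
SAMPLE=$(mktemp /tmp/authkeys.XXXXXX)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/dnsadmin/bin/regdyn laptop dyn.example.net" ssh-dss AAAAB3NzaC1kc3MAAACB...PLACEHOLDER laptop
no-port-forwarding,command="/home/dnsadmin/bin/regdyn pc dyn.example.net" ssh-dss AAAAB3NzaC1kc3MAAACB...PLACEHOLDER pc
ssh-dss AAAAB3NzaC1kc3MAAACB...PLACEHOLDER unrestricted
EOF

check_dyn_keys "$SAMPLE" || echo "some keys are not restricted to regdyn" >&2
```

Run it against the real file with check_dyn_keys ~dnsadmin/.ssh/authorized_keys; on the sample it reports three missing options for the second key and all five for the third.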

~/bin/regdyn can look like this:

#!/bin/sh
# regdyn: forced command run for a dynamic-DNS client.
# $1 = client host name, $2 = domain name; both are fixed by the key's
# command= option. The client's current IP address arrives on stdin.

umask 077
HOST=$1
DOM=$2
read -r IP

DNSROOT=/etc/tinydns/root
SMTPROOT=/service/smtpd

REGFILE="$DNSROOT/dyn.conf"
TCPFILE="$SMTPROOT/tcp"

# Accept only a plain dotted-quad address: the value goes straight into the
# tinydns data file and into the SMTP tcp rules, so a ':' or other junk sent
# by a client would otherwise become an extra record or an extra relay rule.
case "$IP" in
    ''|*[!0-9.]*|.*|*.|*..*) echo "regdyn: bad address '$IP'" >&2; exit 1 ;;
esac
# Host and domain come from authorized_keys, but check them as well.
case "$HOST$DOM" in
    ''|*[!A-Za-z0-9.-]*) echo "regdyn: bad host or domain" >&2; exit 1 ;;
esac

[ -e "$REGFILE" ] || touch "$REGFILE"

TMP=`mktemp /tmp/regdyn.XXXXXX` || exit 1
trap 'rm -f "$TMP"' EXIT

# Replace this host's A record ("+fqdn:ip:ttl" line) with the new address
grep -v "^+${HOST}\.${DOM}:" "$REGFILE" > "$TMP"
echo "+${HOST}.${DOM}:${IP}:60" >> "$TMP"
cp "$TMP" "$REGFILE"
make -C "$DNSROOT" cron-local

# Register the IP with the SMTP service as a relay client
ALLOWED=":allow,RELAYCLIENT=\"\",DNSNAME=\"${HOST}\""
grep -F -v "$ALLOWED" "$TCPFILE" > "$TMP"
echo "$IP$ALLOWED" >> "$TMP"
cp "$TMP" "$TCPFILE"
sudo make -C "$SMTPROOT"

Then, give dnsadmin write access to /service/smtpd/tcp (chown dnsadmin /service/smtpd/tcp; chmod 644 /service/smtpd/tcp; chmod 755 /service/smtpd), and allow dnsadmin to run sudo make -C /service/smtpd (add ``dnsadmin ALL=(root) NOPASSWD: /usr/bin/make -C /service/smtpd'' to /etc/sudoers). The recipes in /service/smtpd/Makefile run as root under that rule, so keep the Makefile itself owned by root and not writable by dnsadmin.

The server side is done. Now comes the client configuration; we assume the clients are otherwise already set up.

The most important thing is to install the client's private key as /root/.ssh/id_dsa with the right permissions (chown root:root /root/.ssh/id_dsa; chmod 600 /root/.ssh/id_dsa). Then test the connection with echo 127.0.0.1 | ssh dnsadmin@<servername>.

Insert at the end of your /etc/ppp/ip-up (or /etc/ppp/ip-up.local if the ip-up script tells you to do so):

# pppd runs ip-up as: ip-up interface tty speed local-IP remote-IP ipparam
echo "$4" | ssh dnsadmin@<servername>

You don't need to give a command or any parameters to ssh, because the command is set by the client's key on the server side.

Don't forget to delegate your dynamic domain.