djbdns: More Than Just a Mouthful of Consonants

 in
Recently released into the public domain, djbdns is a fast and secure replacement for BIND.
Convenience Features

There are many other convenience features that tinydns offers. For example, with tinydns, you do not need to remember to increment the serial on the SOA record each time you change something in a zone file. tinydns automatically generates serials from the last-modified timestamp on the data file, which ensures that they are incremented whenever the file changes.

If you ever have had to migrate DNS for an active domain, you will appreciate per-record timestamps. You can specify an exact time in the future for a record to change, without worrying about how it is cached around the Internet. tinydns dynamically calculates the TTL as it responds to queries. For example, if you want to migrate samba.example.com from 192.168.10.25 to 192.168.10.35 at 2 AM on October 15, 2008, you can add the following two records:

=samba.example.com:192.168.10.25:0:4000000048f594fa
=samba.example.com:192.168.10.35::4000000048f594fa

The last field on these records is a TAI64 timestamp representing 2008-10-15 02:00:00. (See Resources for tips on generating TAI64 timestamps.)

A cache that requests the A record for samba.example.com at 1:50:00 AM on October 15, 2008, will receive a response of 192.168.10.25 with a TTL of 600 seconds (ten minutes). A cache that requests the same record at 1:59:45 AM will receive the same response, except with a TTL of 15 seconds. After 2:00 AM, tinydns will begin responding automatically with the new IP, 192.168.10.35. Because all prior responses were set to expire at exactly 2:00 AM, all caches will check back immediately for the new address.

It's the little things like this that make djbdns such a wonderful piece of software.

DNS Replication

BIND servers use zone transfers to replicate DNS data between servers. This process is rather complicated, has a history of problems and is not exactly easy to configure. Instead, Bernstein recommends using existing data transfer tools, such as rsync or scp, that are known to be fast, efficient and secure.

Let's add linux3.example.com as second DNS server for the example.com domain. Install djbdns on linux3 and configure tinydns as above (using the appropriate IP address). Update your data file on linux2 with the new record (anywhere in the file is fine):

.example.com::linux3.example.com

Next, update /service/tinydns/root/Makefile on linux2 with the new make target. Replace everything in the Makefile with the following:

remote: data.cdb
    rsync -az -e ssh data.cdb \
        192.168.10.30:/service/tinydns/root/data.cdb
data.cdb: data
    /usr/local/bin/tinydns-data

Be sure to use tabs instead of spaces at the beginning of the command lines in your Makefile. Now, when you run make it will compile data.cdb and immediately rsync it to linux3. We are using the IP for linux3 in the rsync command, because DNS should not rely on itself (it would fail if your DNS was broken). Also, you may want to create a special account for this purpose and configure passwordless ssh access using keys. Dan Bernstein provides more thorough instructions on his Web site for configuring DNS replication.

DNS without the Pain

As I hope you have seen, DNS does not have to be a headache. Although BIND is ubiquitous on Linux, djbdns is more secure, more efficient and simply easier to use. And, now that it has been released into the public domain, there are no longer any philosophical reasons for rejecting it. We've only briefly covered what djbdns has to offer, so I hope you will read the on-line documentation, download it and experiment with it yourself. If you ever have found yourself babysitting a BIND instance, you may want to consider giving djbdns a chance.

Cory Wright has an unhealthy obsession with DNS. Once the Lead DNS Systems Engineer for Rackspace, he is now a developer and sysadmin at www.natuba.com. He enjoys beating Will Reese at foosball and Wii Tennis. His Web site is at dnsfool.com.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

daemontools

Anonymous's picture

Focus should be on useability and safety.
To answer your questions - just for the records:

1) daemontools are an easy way to ensure that a program is run and restarted where necessary. Nowadays you also find 'runit' which works the same.

2) fine - you can put it somewhere else. 'runit' uses /etc/service

3) besides the fact that you can run qmail using a start-stop daemon, qmail is not exactly state of the art anymore

4) some very big sites are using tinydns. Why do you think that there is a speed problem?

5) yes. It is also possible to use vegadns which is a web based system to maintain tinydns records. Data is stored in a database; exported to tinydns using a shell command.

As djbdns is not open source binary distributions have become available.

daemontools....ach!

Anonymous's picture

1) why using daemon tools if linux has already other tools to lunch daemon and software ?
2) as a sysadmin i neglet to fill my "/" with not standard directories
3) Have You ever got problems trying to stop qmail or a piece of it ? ..(ask google) ..daemontools are simply...too much , sometime.Too much effort to keep daemons running, even when You have to stop them.
4) This is a question: how about speed?
5) Second question: importing zones from bind is possible?

StefanoA. rn- italy

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix