djbdns: More Than Just a Mouthful of Consonants
There are many other convenience features that tinydns offers. For example, with tinydns, you do not need to remember to increment the serial on the SOA record each time you change something in a zone file. tinydns automatically generates serials from the last-modified timestamp on the data file, which ensures that they are incremented whenever the file changes.
If you ever have had to migrate DNS for an active domain, you will appreciate per-record timestamps. You can specify an exact time in the future for a record to change, without worrying about how it is cached around the Internet. tinydns dynamically calculates the TTL as it responds to queries. For example, if you want to migrate samba.example.com from 192.168.10.25 to 192.168.10.35 at 2 AM on October 15, 2008, you can add the following two records:
The last field on these records is a TAI64 timestamp representing 2008-10-15 02:00:00. (See Resources for tips on generating TAI64 timestamps.)
A cache that requests the A record for samba.example.com at 1:50:00 AM on October 15, 2008, will receive a response of 192.168.10.25 with a TTL of 600 seconds (ten minutes). A cache that requests the same record at 1:59:45 AM will receive the same response, except with a TTL of 15 seconds. After 2:00 AM, tinydns will begin responding automatically with the new IP, 192.168.10.35. Because all prior responses were set to expire at exactly 2:00 AM, all caches will check back immediately for the new address.
It's the little things like this that make djbdns such a wonderful piece of software.
BIND servers use zone transfers to replicate DNS data between servers. This process is rather complicated, has a history of problems and is not exactly easy to configure. Instead, Bernstein recommends using existing data transfer tools, such as rsync or scp, that are known to be fast, efficient and secure.
Let's add linux3.example.com as second DNS server for the example.com domain. Install djbdns on linux3 and configure tinydns as above (using the appropriate IP address). Update your data file on linux2 with the new record (anywhere in the file is fine):
Next, update /service/tinydns/root/Makefile on linux2 with the new make target. Replace everything in the Makefile with the following:
remote: data.cdb rsync -az -e ssh data.cdb \ 192.168.10.30:/service/tinydns/root/data.cdb data.cdb: data /usr/local/bin/tinydns-data
Be sure to use tabs instead of spaces at the beginning of the command lines in your Makefile. Now, when you run make it will compile data.cdb and immediately rsync it to linux3. We are using the IP for linux3 in the rsync command, because DNS should not rely on itself (it would fail if your DNS was broken). Also, you may want to create a special account for this purpose and configure passwordless ssh access using keys. Dan Bernstein provides more thorough instructions on his Web site for configuring DNS replication.
As I hope you have seen, DNS does not have to be a headache. Although BIND is ubiquitous on Linux, djbdns is more secure, more efficient and simply easier to use. And, now that it has been released into the public domain, there are no longer any philosophical reasons for rejecting it. We've only briefly covered what djbdns has to offer, so I hope you will read the on-line documentation, download it and experiment with it yourself. If you ever have found yourself babysitting a BIND instance, you may want to consider giving djbdns a chance.
Google Disappearing Act: tinyurl.com/ckx6x
DNS Fool Tips: www.dnsfool.com/tips
How to Install djbdns, by D. J. Bernstein: cr.yp.to/djbdns/install.html
Paul Jarc's cache-effect.pl: code.dogmap.org/djbdns
Mike Babcock's dnscacheproc.py: mikebabcock.ca/code/dnscacheproc
Replicating Your DNS Service: cr.yp.to/djbdns/run-server.html#replicate
Win an iPhone 6
Enter to Win
|Non-Linux FOSS: Install Windows? Yeah, Open Source Can Do That.||Nov 24, 2015|
|Cipher Security: How to harden TLS and SSH||Nov 23, 2015|
|Web Stores Held Hostage||Nov 19, 2015|
|diff -u: What's New in Kernel Development||Nov 17, 2015|
|Recipy for Science||Nov 16, 2015|
|Firefox's New Feature for Tighter Security||Nov 13, 2015|
- Non-Linux FOSS: Install Windows? Yeah, Open Source Can Do That.
- Cipher Security: How to harden TLS and SSH
- Firefox's New Feature for Tighter Security
- How Will the Big Data Craze Play Out?
- Web Stores Held Hostage
- It's a Bird. It's Another Bird!
- Libreboot on an x60, Part II: the Installation
- November 2015 Issue of Linux Journal: System Administration
- Strengthening Diffie-Hellman in SSH and TLS
- diff -u: What's New in Kernel Development