How to dynamically add and remove zones?

Dear colleagues,

I’m not very familiar with nameserver software but it seems NSD is a quite simple and robust solution for me. But I wonder how I can dynamically add or remove zones without restarting the daemon?

I’ve used the command ‘nsd-control addzone example.com {pattern-name}’ but it does not do anything except writing that to ‘/var/lib/nsd/zone.list’. What do I have to do when I dynamically want to add or remove zones without downtime of the primary nameserver (master)?

Kind regards,
Kaulkwappe

Hi Kaulkwappe,

> Dear colleagues,
>
> I'm not very familiar with nameserver software but it seems NSD is a
> quite simple and robust solution for me. But I wonder how I can
> dynamically add or remove zones without restarting the daemon?

If that pattern contains a zone file name, e.g. something with the '%s'
that is replaced with the zone name, like "zones/%s.zone", then you can
put the zonefile with the data in that position and then perform the
nsd-control command. It loads the zone into memory straight away and
starts serving it.

If the zone is transferred from another server, include the request-xfr
in the pattern, and when you add the zone it is then transferred and
service starts.

NSD writes the zone and pattern names to the zone.list file, so that it
remembers the zone has been added when you restart the server. When you
remove it, it is removed from memory and service (the zonefile is not
deleted by NSD), and the entry in the zone.list file is deleted by NSD.

You can also edit the zone into the nsd.conf config file (or another
config file included into it), and nsd-control reconfig. The include
statement can take wildcards, eg. include: "zones/*.conf" and that can
be nice if you like to just put a file into the dir and reconfig.

Removal then works by editing nsd.conf to remove the zone and then
reconfig. Or delete the zone.conf file and then reconfig.

Best regards, Wouter
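The two mechanisms Wouter describes (a pattern with "%s" used by addzone, and a wildcard include picked up by reconfig), written out as an nsd.conf fragment. This is an added example, not from the thread or the NSD documentation; the pattern names, paths and the 192.0.2.x addresses are placeholders.

```yaml
# Constructed nsd.conf fragment (not from the thread); pattern names, paths
# and the 192.0.2.x addresses are placeholders.
server:
    zonesdir: "/var/lib/nsd"
    zonelistfile: "zone.list"      # addzone/delzone record zones here, so they survive a restart
    database: ""                   # no nsd.db: transferred zones are written out as plain text...
    zonefiles-write: 3600          # ...at most this often (seconds)

remote-control:
    control-enable: yes            # needed for nsd-control addzone/delzone/reconfig

# Zones whose data is kept in a local file. "%s" is replaced by the zone name,
# so "nsd-control addzone example.com local-file" loads zones/example.com.zone
# (relative to zonesdir) immediately, provided the file is already there.
pattern:
    name: "local-file"
    zonefile: "zones/%s.zone"
    notify: 192.0.2.2 NOKEY        # placeholder secondary, told about changes
    provide-xfr: 192.0.2.2 NOKEY

# Zones transferred in from a primary. Because request-xfr is in the pattern,
# "nsd-control addzone example.org from-master" starts the transfer at once
# and the zone is served as soon as it arrives.
pattern:
    name: "from-master"
    zonefile: "zones/%s.zone"
    allow-notify: 192.0.2.1 NOKEY  # placeholder primary
    request-xfr: 192.0.2.1 NOKEY

# Alternative to addzone: one small file per zone, e.g. /etc/nsd/zones/example.com.conf
# containing
#     zone:
#         name: "example.com"
#         include-pattern: "local-file"
# is picked up by "nsd-control reconfig"; deleting the file and running
# reconfig again removes the zone.
include: "/etc/nsd/zones/*.conf"
```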

Hi Wouter,

first, thanks a lot for your fast message! I’ll try that out soon.

May I ask another question? I want to have two or three nameservers, so one Master and one or two Slaves. There are some opportunities like AXFR but I’m afraid of losing synchronicity. As I want all servers to provide the same data at the same time, what would be the best approach for doing this? Is it a good approach to directly transfer files automatically over SSH from the Master to the Slaves when there are changes, or should I use AXFR?

Kind regards,
Kaulkwappe

Hi,

> May I ask another question? I want to have two or three nameservers, so one
> Master and one or two Slaves. There are some opportunities like AXFR but I'm
> afraid of losing synchronicity. As I want all servers to provide the same data
> at the same time, what would be the best approach for doing this? Is it a good
> approach to directly transfer files automatically over SSH from the Master to
> the Slaves when there are changes, or should I use AXFR?

You can set up your slaves in master mode. Then you can copy your zone
files from the master to the slaves using scp or rsync, and reload NSD
to make it re-read the updated zone files. However, this is more
cumbersome and increases the chance of failure.

AXFR is a perfectly fine mechanism to use for keeping slaves
synchronised with the master, and I recommend it. If you send NOTIFY
messages from the master to the slaves, then they should update almost
immediately after the master is updated.

Regards,
Anand

Hi,

As was written, nsd-control can be used to add/remove a zone.

To be fully automatic, try to combine

there is a nice post about it on

And another link to the same site ;-) greetings Jan-Piet
https://jpmens.net/2013/02/13/automatic-provisioning-of-slave-dns-servers/

It depends on the master you have, but the idea on the slave NSD is as follows:

run nsnotifyd on the slave on port 5353
from the master, add a notify to this port as well
   notify: slave@53
   notify: slave@5353

the nsnotifyd script should be like
- find out if the zone exists
    nsd-control zonestatus | grep ^zone | awk '{print $2}' | grep "^${ZONE}$"
- if not, add the zone
    nsd-control addzone ${ZONE} pattern

For removing the zone, the meta.meta zone could be used as described
in the post above.

If needed, I could help, free of charge of course ;-)

  regards
    Peter

nsd-users mailing list nsd-users@NLnetLabs.nl
https://open.nlnetlabs.nl/mailman/listinfo/nsd-users

--
Peter Hudec
Infrastructure architect
phudec@cnc.sk

CNC, a.s.
Borská 6, 841 04 Bratislava
Reception: +421 2 35 000 100

Mobile: +421 905 997 203
www.cnc.sk
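Peter's nsnotifyd hook generalised into reusable shell functions (an added example, not Peter's script or anything shipped with NSD): check whether NSD already serves a zone, add it with a pattern if not, and the matching removal. It assumes nsd-control is on the PATH and that "nsd-control zonestatus" prints one "zone: <name>" line per zone; the pattern name from-master is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): slave-side helpers for the automation
# Peter describes. nsnotifyd (or any hook) calls ensure_zone with the zone a
# NOTIFY arrived for; if NSD does not serve it yet, it is added with a pattern
# that contains request-xfr, so the transfer starts immediately.
# NSD_CONTROL names the nsd-control binary and can be overridden for testing.
NSD_CONTROL="${NSD_CONTROL:-nsd-control}"

# Print the names of all zones NSD currently serves, one per line.
# "nsd-control zonestatus" prints a "zone: <name>" line per zone followed by
# indented detail lines; only the zone lines are kept.
nsd_zone_names() {
    "$NSD_CONTROL" zonestatus | awk '$1 == "zone:" { print $2 }'
}

# Canonical form of a zone name: lower case, no trailing dot.
canon() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Exit status 0 if ZONE is configured in NSD, 1 otherwise.
zone_exists() {
    want=$(canon "$1")
    nsd_zone_names | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -qxF -- "$want"
}

# Add ZONE with PATTERN unless it is already served. Prints "exists" or "added".
ensure_zone() {
    if zone_exists "$1"; then
        echo exists
        return 0
    fi
    "$NSD_CONTROL" addzone "$1" "$2" >/dev/null || return 1
    echo added
}

# Remove ZONE if it is served. NSD drops it from memory and from zone.list but
# leaves the zone file on disk. Prints "absent" or "removed".
drop_zone() {
    if ! zone_exists "$1"; then
        echo absent
        return 0
    fi
    "$NSD_CONTROL" delzone "$1" >/dev/null || return 1
    echo removed
}

# Typical hook usage (placeholder pattern name): ensure_zone "$ZONE" from-master
```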

Dear colleagues,

that means that zones are not created and removed but only updated by AXFR, is that correct?

So when I have a new zone I have to create it on both master and slave. I thought it is enough to create it on the master and then the newly created zone is automatically transferred to the slave.

Kind Regards,
Kaulkwappe

> Dear colleagues,
>
> that means that zones are not created and removed but only updated by AXFR, is
> that correct?

Yes.

> So when I have a new zone I have to create it on both master and slave. I
> thought it is enough to create it on the master and then the newly created zone is
> automatically transferred to the slave.

Correct.

Regards,
Anand

What is the exact reason for this behaviour? Shouldn’t slave servers always provide the same data as the master?

Absolutely, but the servers' roles are assigned per zone rather than being
designations per server. Data are transferred via [AI]XFR per zone.
Assigning a role to the server is a configuration issue not covered
in the core DNS protocol.

-Peter

There's nothing in the DNS protocol to tell one DNS server to become a
slave of another for a particular zone. DNS server configuration is
*independent* of the protocol. The operator has to tell a DNS server
which zones to serve, and whether they are master zones or slave zones.

Some DNS servers, such as PowerDNS, have features to allow a master to
configure slaves automatically, but this is not a standard feature, and
NSD certainly does not have this feature.

Regards,
Anand

I understand. Well then I will create my own implementation for this : )

I’ve used PowerDNS before but switched to NSD because NSD in my opinion is more lightweight, cleaner and works more comprehensibly.

When I use a slave server I wonder about something:

Why do I need zone files when the data is stored in /var/lib/nsd/nsd.db and so the zone files remain empty?

Hey Kaulkwappe (is that your name?),

> When I use a slave server I wonder about something:
>
> Why do I need zone files when the data is stored in /var/lib/nsd/nsd.db and so
> the zone files remain empty?

On a slave server with all the zone data in nsd.db, there's no need for
plain text zone files.

However, the recommendation these days is to NOT use the database.
Instead, use this setting in your config file:

database: ""

This will write out the slave zones to disk in plain text. This mode
uses less memory, and is more robust. Support for the database mode may
disappear completely in a future release of NSD.

Regards,
Anand

Anand, I really appreciate your fast answer. Thanks, that helps.

But what I still don’t understand is that, after I’ve changed the setting database: to “”, the zone files still remain empty after an update. I can only find files like this under /tmp:

/tmp/nsd-xfr-1383/nsd.1383.task.0

Is Kaulkwappe your name? Do you have an easier-to-type nickname?

> But what I still don't understand is that, after I've changed the setting database: to "",
> the zone files still remain empty after an update. I can only find files
> like this under /tmp:
>
> /tmp/nsd-xfr-1383/nsd.1383.task.0

Read documentation about the "zonefiles-write" option in the nsd.conf
man page; you'll get your answer. And while you're at it, read the
complete man page carefully, before you ask any more questions :-)

Regards,
Anand

Okay, Sir! Thanks anyway for helping :-)