[volunteers] brie

Rick Moen rick at linuxmafia.com
Wed Apr 25 12:54:58 PDT 2007


I wrote:

> On gruyere.
> 
> DNS daemon package "NSD" is used, employs BIND-format zonefiles,
> hashed to improve performance and save RAM.  It's a little different,
> but not very.  The main thing is re-running the zonefile compiler
> ("zonec") after changing a zonefile, and then "nsdc restart" (IIRC) to
> HUP the daemon.
> 
> I need to write a short recipe for that, and put it somewhere central,
> probably /usr/local/ .  Which is where other sysadmin stuff on gruyere
> has been accumulating, such as my recipe for compiling an Ubuntu .deb of
> Lighttpd, and my working files for same.
> 
> The guts of NSD are in, of course, /etc/nsd/ .


OK, I've now written the promised documentation, and stored it as
/usr/local/src/nsd-instructions .  Text follows:

---<snip>---

NSD is an authoritative-only DNS nameserver written from scratch by the
people who run the .nl (Netherlands) top-level domain.  It does not
provide recursive service, so the machine on which it runs needs to have
access to a full-service nameserver somewhere, via reference in
/etc/resolv.conf.

NSD's advantages are high speed, small RAM footprint, and high security.
It does support IXFR/AXFR (etc.) zone transfers, and thus is fully usable
for both master and slave DNS service.

Although it uses the same zonefile format that BIND8/BIND9 does, it achieves
much higher performance, in part by using a hashed binary database.
Accordingly, whenever you modify one of its zonefiles, you must "compile" it
using the "zonec" compiler utility.
 
Runtime control of NSD is best asserted using the "nsdc" utility, whose syntax
and features are modeled on those of BIND's "rndc" utility.


NSD's main configuration file is /etc/nsd/nsd.zones , which details
one zone per line, and has ";"-delimited header comments describing the
syntax for master ("primary") records, which typically feature a "notify" 
IP list; and slave ("secondary") records, which feature a "masters" IP list.
Standard location for zonefiles is subdirectories "primary" and "secondary".

Your maintenance sequence will typically be like this:

1.  "cd /etc/nsd/primary"
2.  Edit svlug.org.zone or whatever in your choice of text editor.  Don't
    forget to increment the S/N value!
3.  "cd .."
4.  "zonec -v nsd.zones"  This compiles the zone revision.
5.  nsdc restart
6.  Check your work, by doing "dig -t a www.svlug.org @ns1.svlug.org".
    (Substitute an appropriate reference record for "-t a www.svlug.org"
    to reflect whatever you worked on.)  It's a good idea to at least
    run "dig -t soa svlug.org @ns1.svlug.org" to verify that your S/N
    update is reflected in actual DNS return values.

Further information on NSD is at this article:
http://hardware.newsforge.com/article.pl?sid=05/06/28/1618219&tid=65

---<snip>---

That directory also houses documentation file
lighttpd-ubuntu-build-instructions , which is as follows:

---<snip>---

Taken from:
http://trac.lighttpd.net/trac/wiki/TutorialInstallation?format=txt

{{{
$ apt-get install libpcre3-dev
$ apt-get install zlib1g-dev
}}}

Since lighttpd 1.4.8 the debian/ directory was removed to simplify the
inclusion into Ubuntu and Debian. If you want to build your own debian
package take the debian/ dir from an older release and update the
debian/changelog and follow the steps below:

{{{
$ wget http://www.lighttpd.net/download/lighttpd-1.4.7.tar.gz
$ wget http://www.lighttpd.net/download/lighttpd-1.4.8.tar.gz
$ gzip -cd lighttpd-1.4.7.tar.gz | tar xf -
$ gzip -cd lighttpd-1.4.8.tar.gz | tar xf -
$ cp -R lighttpd-1.4.7/debian lighttpd-1.4.8/
$ cd lighttpd-1.4.8
$ vi debian/changelog
### update the changelog entry to point to 1.4.8
$ dpkg-buildpackage
$ cd ..
$ dpkg -i lighttpd-1.4.8-1.i386.deb
}}}

Note: Ubuntu users will need to "apt-get install dpkg-dev" to be able to
use dpkg-buildpackage.

French translation here:
http://meister.intuxication.org/~meister/dotclear/index.php?2006/08/18/29-faire-un-deb-de-lighthttpd

---<snip>---


By the way, Lisa:  I'm certainly not committed to using Lighttpd, but 
you might want to give it a chance before lobbying for more RAM just so
we can use Apache httpd.  Lighttpd is a very respected and very high
performance httpd, popular among the Ruby on Rails community in
particular.


Current versions of SVLUG's zonefiles (for svlug.{org|net|com}) are
attached.

-------------- next part --------------
$ORIGIN svlug.org.
$TTL 86400  ; 1 day
@	IN	SOA	ns1.svlug.org. root.svlug.org. (
				2007011000 ; serial
				7200       ; refresh (2 hours)
				3600       ; retry (1 hour)
				2419200    ; expire (28 days)
				259200     ; negative TTL (3 days)
                                )
	IN	NS	ns1.svlug.org.
	IN	NS	ns2.svlug.org.
	IN	NS	ns1.nylug.org.
	IN	NS	ns3.svlug.org.
	IN	A	157.22.20.227
	IN	MX	10 svlug.org.
	IN	TXT	"v=spf1 a mx ptr -all"
ftp	IN	A	157.22.20.227
lists	IN	A	157.22.20.227
	IN	MX	10 svlug.org.
mail	IN	A	157.22.20.227
	IN	MX	10 svlug.org.
svlug	IN	A	157.22.20.227
	IN	MX	10 svlug.org.
web	IN	A	157.22.20.227
www	IN	A	157.22.20.227
newwww  IN      A       157.22.20.228
; ns1 is SVLUG's Linode host.
ns1	IN	A	64.62.190.98
; ns2 is Aaron T. Porter's ns.primate.net nameserver.
ns2	IN	A	198.144.194.12
; ns3 is Rick Moen's ns1.linuxmafia.com nameserver.
ns3	IN	A	198.144.195.186
; 
;
; NOTES:
;
; 1:  Increment zonefile serial after any change!
; 
; 2:  Domain NS records at registrar MUST be changed to 
; match any NS-record changes here, and vice-versa.  Test that the
; parent-zone records are correct and include glue "A" records
; for all nameservers by doing 
; "dig  -t ns  svlug.org  @tld1.ultradns.net"
;
; Returned text should be something like this (_note_ "A" records in
; "ADDITIONAL SECTION" - those are glue, which speeds queries by averting
; the need for a second lookup to resolve NS hosts' names):
;
;

;; <<>> DiG 9.3.2 <<>> -t ns svlug.org @tld1.ultradns.net
;; (1 server found)
;;; global options:  printcmd
;;; Got answer:
;;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41733
;;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
;
;;; QUESTION SECTION:
;;svlug.org.                     IN      NS
;
;;; AUTHORITY SECTION:
;svlug.org.              86400   IN      NS      ns3.svlug.org.
;svlug.org.              86400   IN      NS      ns2.svlug.org.
;svlug.org.              86400   IN      NS      ns1.svlug.org.
;svlug.org.              86400   IN      NS      ns1.nylug.org.
;
;;; ADDITIONAL SECTION:
;ns3.svlug.org.          86400   IN      A       198.144.195.186
;ns2.svlug.org.          86400   IN      A       198.144.194.12
;ns1.svlug.org.          86400   IN      A       64.62.190.98
;ns1.nylug.org.          86400   IN      A       69.31.90.145
;
;
; If there isn't an "A" returned-text line (glue record) for each
; and every NS line returned, then you've messed up and probably 
; need to fix NS records at the registrar.  (Note that the parent
; zone records, which you change when you edit the domain record
; for svlug.org, can have glue ONLY for *.org nameserver names, 
; which is why we are assigning them ns*.svlug.org aliases.)
; 
; We should always make sure we have no fewer than three
; and no more than seven _functional_ nameservers (RFC2182 section 5).  
; This and many other aspects of DNS quality can be checked using
; http://www.dnsreport.com/tools/dnsreport.ch?domain=svlug.org
; 
; 3. The domain record's Administrative and Technical
; contact names/phones/e-mails should be _distinct_ to avoid
; single point of failure.
;
; 4. Periodically verify that domain isn't near expiration, that all 
; nameservers respond, and that contact information in the domain 
; records still is good.  
;
; 5. If using BIND9, people doing secondary DNS should include out-of-band
; contact info. in named.conf, like this: 
; 
; //For SVLUG, admin Rick Moen <rick at linuxmafia.com>, 650-283-7902
; zone "svlug.org" {
;         type slave;
;         allow-query { any; };
;         file "/var/cache/bind/svlug.org.zone";
;         masters {
;         //ns1.svlug.org is:
;         64.62.190.98;
;         };
; };
; 
; If using BIND9, primary DNS should include out-of-band contact info. 
; in named.conf, like this:
;
; //For SVLUG, admin Rick Moen <rick at linuxmafia.com>, 650-283-7902
; zone "svlug.org" {
;         type master;
;         allow-query { any; };
;         file "/etc/bind/svlug.org.zone";
;         allow-transfer {
;         //Aaron T. Porter <atporter at primate.net>, [tel. no. redacted]
;         //http://www.lbl.gov/cgi-bin/ds/ds.cgi?include=n&peopleName=atporter
;         //ns2.svlug.org AKA ns.primate.net is:
;         198.144.194.12;
;         //Rick Moen <rick at linuxmafia.com>, 650-283-7902
;         //ns3.svlug.org AKA ns1.linuxmafia.com is:
;         198.144.195.186;
;         //Ron Guerin and Tony Marchesano <spacey-admin-nylug at ssr.com>
;         //[tel. no. redacted], [tel. no. redacted] (respectively)
;         //ns1.nylug.org is:
;         69.31.90.145;
;         };
; };
; 
; 
; 6.  To verify master nameserver functionality:
; "dig  svlug.org  @64.62.190.98 +short"
; 
; 7.  To verify each volunteer secondary nameserver's functionality:
; "dig  svlug.org  @198.144.194.12 +short"
; "dig  svlug.org  @198.144.195.186 +short"
; "dig  svlug.org  @69.31.90.145 +short"
; 
; 8.  Edit domain record to make NS roster match the full set of master +
; secondaries, exactly.  Note that you will have to create a "glue record"
; in the registrar's domain records for each nameserver.  Each registrar has
; a different name for this function, but they all have it somewhere in
; the domain-administrative screens.
; 
; 9.  After a few minutes' (~5) wait for domain changes to propagate,
; use e.g., http://www.dnsreport.com/tools/dnsreport.ch?domain=svlug.org
; for an overall DNS health check.
; 
; 10.  Edit domain record's Administrative and Technical
; contact names/phones/e-mails as per SVLUG president's preference. 
; Contacts should be _distinct_ to avoid single point of failure.

-------------- next part --------------
$ORIGIN svlug.net.
$TTL 86400  ; 1 day
@	IN	SOA	ns1.svlug.net. root.svlug.org. (
				2007011200 ; serial
				7200       ; refresh (2 hours)
				3600       ; retry (1 hour)
				2419200    ; expire (28 days)
				259200     ; negative TTL (3 days)
				)
	IN	NS	ns1.svlug.net.
	IN	NS      ns.primate.net.
	IN	NS      ns2.svlug.net.
	IN	NS	ns3.svlug.net.
	IN	A       157.22.20.227
	IN	MX      10 svlug.org.
	IN	TXT     "v=spf1 a mx ptr -all"
ftp	IN	A       157.22.20.227
lists	IN	A       157.22.20.227
	IN	MX      10 svlug.org.
mail	IN	A       157.22.20.227
	IN	MX      10 svlug.org.
svlug	IN	A       157.22.20.227
	IN	MX      10 svlug.org.
web	IN	A       157.22.20.227
www	IN	A       157.22.20.227
newwww  IN      A       157.22.20.228
; ns1 is SVLUG's ns1.svlug.org nameserver.
ns1	IN	A       64.62.190.98
; ns2 is Ron Guerin and Tony Marchesano's ns1.nylug.org nameserver.
ns2	IN	A	69.31.90.145
; ns3 is Rick Moen's ns1.linuxmafia.com nameserver.
ns3	IN	A	198.144.195.186
; 
;
; NOTES:
;
; 1:  Increment zonefile serial after any change!
; 
; 2:  Domain NS records at registrar MUST be changed to 
; match any NS-record changes here, and vice-versa.  Test that the
; parent-zone records are correct and include glue "A" records
; for all nameservers by doing 
; "dig  -t ns  svlug.net  @i.gtld-servers.net"
;
; Returned text should be something like this (_note_ "A" records in
; "ADDITIONAL SECTION" - those are glue, which speeds queries by averting
; the need for a second lookup to resolve NS hosts' names):
;
;
;; (1 server found)
;;; global options:  printcmd
;;; Got answer:
;;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24729
;;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;
;;; QUESTION SECTION:
;;svlug.net.                     IN      NS
;
;;; ANSWER SECTION:
;svlug.net.              172800  IN      NS      ns.primate.net.
;svlug.net.              172800  IN      NS      ns1.svlug.net.
;svlug.net.              172800  IN      NS      ns2.svlug.net.
;svlug.net.              172800  IN      NS      ns3.svlug.net.
;
;;; ADDITIONAL SECTION:
;ns.primate.net.         172800  IN      A       198.144.194.12
;ns1.svlug.net.          172800  IN      A       64.62.190.98
;ns2.svlug.net.          172800  IN      A       69.31.90.145
;ns3.svlug.net.          172800  IN      A       198.144.195.186
;
;;; Query time: 260 msec
;;; SERVER: 192.43.172.30#53(192.43.172.30)
;;; WHEN: Wed Jan 10 21:24:45 2007
;;; MSG SIZE  rcvd: 170
;
; If there isn't an "A" returned-text line (glue record) for each
; and every NS line returned, then you've messed up and probably 
; need to fix NS records at the registrar.  (Note that the parent
; zone records, which you change when you edit the domain record
; for svlug.net, can have glue ONLY for *.net nameserver names, 
; which is why we are assigning them ns*.svlug.net aliases.)
; 
; We should always make sure we have no fewer than three
; and no more than seven _functional_ nameservers (RFC2182 section 5).  
; This and many other aspects of DNS quality can be checked using
; http://www.dnsreport.com/tools/dnsreport.ch?domain=svlug.net
; 
; 3. The domain record's Administrative and Technical
; contact names/phones/e-mails should be _distinct_ to avoid
; single point of failure.
;
; 4. Periodically verify that domain isn't near expiration, that all 
; nameservers respond, and that contact information in the domain 
; records still is good.  
;
; 5. If using BIND9, people doing secondary DNS should include out-of-band
; contact info. in named.conf, like this: 
; 
; //For SVLUG, admin Rick Moen <rick at linuxmafia.com>, 650-283-7902
; zone "svlug.net" {
;         type slave;
;         allow-query { any; };
;         file "/var/cache/bind/svlug.net.zone";
;         masters {
;         //ns1.svlug.net is:
;         64.62.190.98;
;         };
; };
; 
; If using BIND9, primary DNS should include out-of-band contact info. 
; in named.conf, like this:
;
; //For SVLUG, admin Rick Moen <rick at linuxmafia.com>, 650-283-7902
; zone "svlug.net" {
;         type master;
;         allow-query { any; };
;         file "/etc/bind/svlug.net.zone";
;         allow-transfer {
;         //Aaron T. Porter <atporter at primate.net>, [tel. no. redacted]
;         //http://www.lbl.gov/cgi-bin/ds/ds.cgi?include=n&peopleName=atporter
;         //ns.primate.net is:
;         198.144.194.12;
;         //Ron Guerin and Tony Marchesano <spacey-admin-nylug at ssr.com>
;         //[tel. no. redacted], [tel. no. redacted] (respectively)
;         //ns2.svlug.net AKA ns1.nylug.org is:
;         69.31.90.145;
;         //Rick Moen <rick at linuxmafia.com>, 650-283-7902
;         //ns3.svlug.net AKA ns1.linuxmafia.com is:
;         //198.144.195.186;
;         };
; };
; 
; 
; 6.  To verify master nameserver functionality:
; "dig  svlug.net  @64.62.190.98 +short"
; 
; 7.  To verify each volunteer secondary nameserver's functionality:
; "dig  svlug.net  @198.144.194.12 +short"
; "dig  svlug.net  @69.31.90.145 +short"
; "dig  svlug.net  @198.144.195.186 +short"
; 
; 8.  Edit domain record to make NS roster match the full set of master +
; secondaries, exactly.  Note that you will have to create a "glue record"
; in the registrar's domain records for each nameserver.  Each registrar has
; a different name for this function, but they all have it somewhere in
; the domain-administrative screens.
; 
; 9.  After a few minutes' (~5) wait for domain changes to propagate,
; use e.g., http://www.dnsreport.com/tools/dnsreport.ch?domain=svlug.net
; for an overall DNS health check.
; 
; 10.  Edit domain record's Administrative and Technical
; contact names/phones/e-mails as per SVLUG president's preference. 
; Contacts should be _distinct_ to avoid single point of failure.

-------------- next part --------------
$ORIGIN svlug.com.
$TTL 86400  ; 1 day
@	IN	SOA	ns1.svlug.com. root.svlug.org. (
				2007011200 ; serial
				7200       ; refresh (2 hours)
				3600       ; retry (1 hour)
				2419200    ; expire (28 days)
				259200     ; negative TTL (3 days)
                                )
	IN	NS	ns1.svlug.com.
	IN	NS	ns2.svlug.com.
	IN	NS	ns3.svlug.com.
	IN	NS	ns1.linuxmafia.com.
	IN	A	157.22.20.227
	IN	MX	10 svlug.org.
	IN	TXT	"v=spf1 a mx ptr -all"
ftp	IN	A	157.22.20.227
lists	IN	A	157.22.20.227
	IN	MX	10 svlug.org.
mail	IN	A	157.22.20.227
	IN	MX	10 svlug.org.
svlug	IN	A	157.22.20.227
	IN	MX	10 svlug.org.
web	IN	A	157.22.20.227
www	IN	A	157.22.20.227
newwww	IN	A	157.22.20.228
; ns1 is SVLUG's Linode host.
ns1	IN	A	64.62.190.98
; ns2 is Aaron T. Porter <atporter at primate.net>'s nameserver AKA ns.primate.net.
ns2	IN	A	198.144.194.12
; ns3 is Ron Guerin and Tony Marchesano <spacey-admin-nylug at ssr.com>'s nameserver, AKA ns1.nylug.org.
ns3	IN	A	69.31.90.145
; 
;
; NOTES:
;
; 1:  Increment zonefile serial after any change!
; 
; 2:  Domain NS records at registrar MUST be changed to 
; match any NS-record changes here, and vice-versa.  Test that the
; parent-zone records are correct and include glue "A" records
; for all nameservers by doing 
; "dig  -t ns  svlug.com  @i.gtld-servers.net"
;
; Returned text should be something like this (_note_ "A" records in
; "ADDITIONAL SECTION" - those are glue, which speeds queries by averting
; the need for a second lookup to resolve NS hosts' names):
;
;
;; (1 server found)
;;; global options:  printcmd
;;; Got answer:
;;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22845
;;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;
;;; QUESTION SECTION:
;;svlug.com.                     IN      NS
;
;;; ANSWER SECTION:
;svlug.com.              172800  IN      NS      ns1.linuxmafia.com.
;svlug.com.              172800  IN      NS      ns1.svlug.com.
;svlug.com.              172800  IN      NS      ns2.svlug.com.
;svlug.com.              172800  IN      NS      ns3.svlug.com.
;
;;; ADDITIONAL SECTION:
;ns1.linuxmafia.com.     172800  IN      A       198.144.195.186
;ns1.svlug.com.          172800  IN      A       64.62.190.98
;ns2.svlug.com.          172800  IN      A       198.144.194.12
;ns3.svlug.com.          172800  IN      A       69.31.90.145
;
;;; Query time: 240 msec
;;; SERVER: 192.43.172.30#53(192.43.172.30)
;;; WHEN: Wed Jan 10 14:15:10 2007
;;; MSG SIZE  rcvd: 174
;
;
; If there isn't an "A" returned-text line (glue record) for each
; and every NS line returned, then you've messed up and probably 
; need to fix NS records at the registrar.  (Note that the parent
; zone records, which you change when you edit the domain record
; for svlug.com, can have glue ONLY for *.com nameserver names, 
; which is why we are assigning them ns*.svlug.com aliases.)
; 
; We should always make sure we have no fewer than three
; and no more than seven _functional_ nameservers (RFC2182 section 5).  
; This and many other aspects of DNS quality can be checked using
; http://www.dnsreport.com/tools/dnsreport.ch?domain=svlug.com
; 
; 3. The domain record's Administrative and Technical
; contact names/phones/e-mails should be _distinct_ to avoid
; single point of failure.
;
; 4. Periodically verify that domain isn't near expiration, that all 
; nameservers respond, and that contact information in the domain 
; records still is good.  
;
; 5. If using BIND9, people doing secondary DNS should include out-of-band
; contact info. in named.conf, like this: 
; 
; //For SVLUG, admin Rick Moen <rick at linuxmafia.com>, 650-283-7902
; zone "svlug.com" {
;         type slave;
;         allow-query { any; };
;         file "/var/cache/bind/svlug.com.zone";
;         masters {
;         //ns1.svlug.com is:
;         64.62.190.98;
;         };
; };
; 
; If using BIND9, primary DNS should include out-of-band contact info. 
; in named.conf, like this:
;
; //For SVLUG, admin Rick Moen <rick at linuxmafia.com>, 650-283-7902
; zone "svlug.com" {
;         type master;
;         allow-query { any; };
;         file "/etc/bind/svlug.com.zone";
;         allow-transfer {
;         //Aaron T. Porter <atporter at primate.net>, [tel. no. redacted]
;         //http://www.lbl.gov/cgi-bin/ds/ds.cgi?include=n&peopleName=atporter
;         //ns2.svlug.com AKA ns.primate.net is:
;         198.144.194.12;
;         //Ron Guerin and Tony Marchesano <spacey-admin-nylug at ssr.com>
;         //[tel. no. redacted], [tel. no. redacted] (respectively)
;         //ns3.svlug.com AKA ns1.nylug.org is:
;         69.31.90.145;
;         //Rick Moen <rick at linuxmafia.com>, 650-283-7902
;         //ns1.linuxmafia.com is:
;         //198.144.195.186;
;         };
; };
; 
; 
; 6.  To verify master nameserver functionality:
; "dig  svlug.com  @64.62.190.98 +short"
; 
; 7.  To verify each volunteer secondary nameserver's functionality:
; "dig  svlug.com  @198.144.194.12 +short"
; "dig  svlug.com  @69.31.90.145 +short"
; "dig  svlug.com  @198.144.195.186 +short"
; 
; 8.  Edit domain record to make NS roster match the full set of master +
; secondaries, exactly.  Note that you will have to create a "glue record"
; in the registrar's domain records for each nameserver.  Each registrar has
; a different name for this function, but they all have it somewhere in
; the domain-administrative screens.
; 
; 9.  After a few minutes' (~5) wait for domain changes to propagate,
; use e.g., http://www.dnsreport.com/tools/dnsreport.ch?domain=svlug.com
; for an overall DNS health check.
; 
; 10.  Edit domain record's Administrative and Technical
; contact names/phones/e-mails as per SVLUG president's preference. 
; Contacts should be _distinct_ to avoid single point of failure.
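
The NSD maintenance sequence from the nsd-instructions text above (edit, bump the serial, "zonec -v nsd.zones", "nsdc restart", confirm with dig), as an added shell example. This is not part of Rick's message and not NSD's own tooling; it follows the /etc/nsd layout, the zonec/nsdc commands and the YYYYMMDDNN serial convention that the message and the attached zonefiles use (later NSD releases replaced zonec and nsdc with nsd-control, so the commands in publish_zone are tied to that era). The function names, the /etc/nsd/primary/ZONE.zone file naming and the constructed sample zonefile are this example's own assumptions. The point it adds to the recipe is that the serial bump, the one step the message says not to forget, is done by script and then verified against what the server actually serves.

```shell
#!/bin/sh
# Added example, not from the original message or from NSD.  Helpers for
# the NSD zone-update recipe: read and bump the SOA serial, then compile,
# restart and verify.  Assumed: /etc/nsd/primary/ZONE.zone naming, and
# zonec, nsdc and dig on PATH for publish_zone.

# Print the SOA serial of a BIND-format zonefile.  Comments are stripped
# first (the attached files carry "(2 hours)" etc. inside comments), the
# SOA record is joined into one string whether or not it is wrapped in
# parentheses, and the serial is the third token after "SOA" (after MNAME
# and RNAME).
zone_serial() {
    awk '
        !insoa && /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa {
            line = $0; sub(/;.*/, "", line)
            if (line ~ /\(/) opened = 1
            if (line ~ /\)/) closed = 1
            gsub(/[()]/, " ", line)
            rec = rec " " line
            if (!opened || closed) {
                n = split(rec, f, /[ \t]+/)
                for (i = 1; i <= n; i++) if (f[i] == "SOA") { print f[i + 3]; exit }
                exit
            }
        }' "$1"
}

# Next serial in the YYYYMMDDNN convention.  $1 = current serial,
# $2 = date as YYYYMMDD (defaults to today, UTC).  If the current serial
# is already at or past today's base (several edits in one day, or a clock
# that was once set ahead) add one instead, so the serial never moves
# backwards: secondaries ignore a zone whose serial is not newer.
next_serial() {
    cur=$1
    today=${2:-$(date -u +%Y%m%d)}
    base=$((today * 100))
    if [ "$cur" -lt "$base" ]; then echo "$base"; else echo $((cur + 1)); fi
}

# Replace the serial in the zonefile in place (first whole-token match
# only, so the layout and any other equal number are untouched) and
# print the new serial.  $2 is an optional YYYYMMDD date for next_serial.
bump_serial() {
    file=$1
    old=$(zone_serial "$file")
    [ -n "$old" ] || { echo "no SOA serial found in $file" >&2; return 1; }
    new=$(next_serial "$old" "$2")
    tmp="$file.tmp.$$"
    awk -v old="$old" -v new="$new" '
        !done && match($0, "(^|[ \t])" old "([ \t]|$)") {
            head = substr($0, 1, RSTART - 1)
            mid = substr($0, RSTART, RLENGTH)
            tail = substr($0, RSTART + RLENGTH)
            sub(old, new, mid)
            $0 = head mid tail
            done = 1
        }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file" || return 1
    echo "$new"
}

# The live sequence from the instructions, for a zone whose file is
# /etc/nsd/primary/$1.zone and which is listed in /etc/nsd/nsd.zones.
# $2 is the server to query afterwards (default ns1.svlug.org).  Fails
# unless the serial now served equals the one just written, i.e. the
# "check your work" step done automatically.  Not run by this file as it
# stands; call it by hand, as root, on the nameserver.
publish_zone() {
    zone=$1; ns=${2:-ns1.svlug.org}
    new=$(bump_serial "/etc/nsd/primary/$zone.zone") || return 1
    ( cd /etc/nsd && zonec -v nsd.zones ) || return 1
    nsdc restart || return 1
    sleep 2
    got=$(dig +short -t soa "$zone" "@$ns" | awk '{ print $3 }')
    if [ "$got" != "$new" ]; then
        echo "$zone: wrote serial $new but $ns serves '$got'" >&2
        return 1
    fi
    echo "$zone: $ns now serves serial $new"
}

# Constructed sample zonefile (modelled on the attached svlug.org file),
# written to a temporary file; prints the path.
make_sample_zone() {
    f=$(mktemp "${TMPDIR:-/tmp}/zone.XXXXXX")
    cat > "$f" <<'EOF'
$ORIGIN svlug.org.
$TTL 86400  ; 1 day
@   IN  SOA ns1.svlug.org. root.svlug.org. (
                2007011000 ; serial
                7200       ; refresh (2 hours)
                3600       ; retry (1 hour)
                2419200    ; expire (28 days)
                259200     ; negative TTL (3 days)
                )
    IN  NS  ns1.svlug.org.
    IN  A   157.22.20.227
EOF
    echo "$f"
}
```

After editing svlug.org.zone, `publish_zone svlug.org` does steps 2 (the serial part), 4, 5 and 6 of the recipe in one go and exits non-zero if the served SOA does not carry the new serial. If zonec rejects the edit, the file already has the bumped serial; that is harmless, since the next successful run bumps it again.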


