I've recently got my first BIND server up & running, and one of the first things I did after getting it working was to copy some of the configuration files to my virtual machine.
EDIT: These servers will never run in parallel. I only run the virtual server when I am booted into Windows, so I want them to appear identical. They have the same MAC addresses, IP addresses and hostnames.
I have a static IPv6 address and a legit DNS name, and am afraid that the second BIND server I configured will never be trusted by any other DNS client / resolver or server.
What files would I need to copy over from the trusted server to the machine seen as a man-in-the-middle?
I plan on reading this O'Reilly chapter, but it looks far too heavy for this moment in time...
In my case, both machines are running Ubuntu Server, and the latest BIND9 releases from the main apt repositories.
UPDATE: Having copied everything in /etc/bind/ from the properly authenticating machine (Virtual machine) to the other (physical) partition, I am still getting issues with dynamic dns updates for ipv6 clients.
The server is running a Teredo IPv6 tunneling interface (tspc) and the router advertisement daemon (radvd) to advertise the IPv6 tunnel to other machines on my network. To illustrate its potential whilst demonstrating the problem, on a Windows client:-
> ipconfig /renew
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . : example.com
IPv6 address. . . . . . . . : 2001:<48bits>::random64bits <From Server>
Temporary IPv6 Address . . . . : 2001:<48bits>::2ndrandom64bits<also from server>
Link-Local IPv6 Address . . . . : fe80::<64bits>%10
Ipv4 Address
....
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . : 2001: completely random 112 bits
Link-local IPv6 Address . . . . : fe80::another random address
Default gateway . . . . . . :
Tunnel adapter isatap.example.com:
Media State . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : example.com
And when I run that ipconfig /renew command on the Windows client, I then see this error in the bind server log:-
05-Aug-2011 22:21:14.946 update-security: error: client fe80::<Link-local IPv6 address>%2#57124: view internal-view: update 'example.com/IN' denied
This looks like a misconfiguration, but I never saw this error on the virtual machine. The update restrictions I have in place for the view and forward zone in question are:-
allow-update { key "rndc-key"; };
When using rndc-key, I have to create a key file in /var/cache/bind/ i.e.:-
touch /var/cache/bind/<reallylongnumber>.mkeys ;
otherwise I get a 'file not found' error in the bind log. Essentially, I copy the file name I see in the error log, that named says it can't find, and just create an empty file.
I haven't yet checked whether these file names in /var/cache/bind are the same on both the physical and virtual machine. I'm pretty sure it was empty on the virtual machine too, although I don't know whether the name is randomly generated (and then cached) or not...
So I am wondering whether there is some other cache somewhere (I've looked in /var/cache and /var/run) that stores some other information relating to these rndc-keys or perhaps something else (machine ssl certificate?).
Otherwise, could it be a problem with the client not trusting the server? Having double checked, the MAC addresses are not identical between the virtual server and physical machine. Could this seem like a compromised system to a client? Should I just change the host name but keep the same IP address to keep DNS resolving?
Also perhaps of use, I found this BIND option today - multi-master yes ; - although I imagine it's directed at masters running simultaneously...
Any thoughts on the easiest (and best) option? Any and all suggestions welcomed gratefully...
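BIND writes an update-security line of the form shown above ("update 'example.com/IN' denied") whenever a dynamic update request arrives that is not authorised by the zone's allow-update statement, which with allow-update { key "rndc-key"; } means the request was unsigned or signed with a different TSIG key. When the same log appears on a rebuilt server, the useful first step is to see which clients are being refused and whether they are the on-link machines that are supposed to hold the key. The script below is an added example, not code from the question or from BIND: it parses update-security lines in the format quoted in the question (the "signer ... approved/denied" variant is BIND's companion message for signed requests and is included as an assumption), strips the IPv6 zone index that BIND appends to link-local clients, and tallies denied updates by client, zone and origin. The sample log lines are constructed for the example; the link-local address and the other hosts are made up.

```python
"""Triage BIND update-security log lines: who is being refused dynamic updates, and from where.

Added example, not part of the original question. Assumes the log format quoted in the
question: "client <addr>[%scope]#<port>: view <name>: update '<zone>/<class>' denied".
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One update-security line: timestamp, level, client address#port, optional view, message.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"update-security: (?P<level>\w+): "
    r"client (?P<addr>\S+?)#(?P<port>\d+): "
    r"(?:view (?P<view>[^:]+): )?"
    r"(?P<msg>.+)$"
)
# The two message forms handled: the one from the question, and (assumed) the TSIG signer form.
UPDATE_RE = re.compile(r"^update '(?P<zone>[^']+)' (?P<result>denied|approved)$")
SIGNER_RE = re.compile(r'^signer "(?P<key>[^"]+)" (?P<result>approved|denied)$')

# Address ranges treated as "private" (RFC 1918 and IPv6 ULA); everything else is "other".
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_line(line):
    """Return a dict describing one update-security line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    addr = m.group("addr")
    # BIND prints link-local IPv6 clients with a zone index (fe80::1%2); drop it before parsing.
    ip = ip_address(addr.split("%", 1)[0])
    rec = {"ts": m.group("ts"), "level": m.group("level"), "client": addr, "ip": ip,
           "port": int(m.group("port")), "view": m.group("view"),
           "zone": None, "key": None, "result": None}
    msg = m.group("msg")
    u, s = UPDATE_RE.match(msg), SIGNER_RE.match(msg)
    if u:
        rec["zone"], rec["result"] = u.group("zone"), u.group("result")
    elif s:
        rec["key"], rec["result"] = s.group("key"), s.group("result")
    else:
        return None
    return rec


def classify(ip):
    """Origin class of a client address: 'link-local', 'private' or 'other'."""
    if ip.is_link_local:
        return "link-local"
    if any(ip in net for net in PRIVATE_NETS):  # version mismatch simply yields False
        return "private"
    return "other"


def summarize(lines):
    """Tally denied updates per (client, zone), per origin class, and rejected signer keys.

    A refused link-local or private client is usually a local host that lacks the
    server's TSIG key; a refused 'other' client is worth a closer look.
    """
    denied = defaultdict(int)
    by_origin = defaultdict(int)
    signed_denied = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec["zone"] is not None:
            denied[(rec["client"], rec["zone"])] += 1
            by_origin[classify(rec["ip"])] += 1
        else:  # signed request whose key name the server did not accept
            signed_denied.append((rec["client"], rec["key"]))
    return {"denied": dict(denied), "by_origin": dict(by_origin), "signed_denied": signed_denied}


# Constructed sample log: the first line mirrors the question's error with a made-up
# link-local address; the rest are invented to exercise the other branches.
SAMPLE_LOG = [
    "05-Aug-2011 22:21:14.946 update-security: error: client fe80::21c:c0ff:fe1b:2f3a%2#57124: view internal-view: update 'example.com/IN' denied",
    "05-Aug-2011 22:21:15.102 update-security: error: client fe80::21c:c0ff:fe1b:2f3a%2#57125: view internal-view: update 'example.com/IN' denied",
    "05-Aug-2011 22:30:01.000 update-security: error: client 203.0.113.9#4242: view internal-view: update 'example.com/IN' denied",
    '05-Aug-2011 22:31:44.500 update-security: error: client 192.168.1.20#53001: view internal-view: signer "old-ddns-key" denied',
    '05-Aug-2011 22:32:00.000 update-security: info: client 192.168.1.21#53002: view internal-view: signer "rndc-key" approved',
    "this line is unrelated noise and is skipped",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (client, zone), n in sorted(report["denied"].items()):
        print(f"{n:3d} denied update(s) to {zone} from {client}")
    print("denied by origin:", report["by_origin"])
    print("signed requests with a rejected key:", report["signed_denied"])
```

Run it against your own named log (one line per list entry) to check that the refused clients are the expected on-link hosts; if they are, the fix is on the client side (the same TSIG key the server's allow-update names), whereas refused clients from outside the network are a reason to review the ACL rather than hand out the key.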
Copying the zone files and bind config will not work as the 2nd server has to be a slave server and not a master as the 1st is and the configuration is different. – laurent – 2011-07-19T00:16:27.103
I was not suggesting that, I was just suggesting what to backup ;-) – Astron – 2011-07-19T00:27:29.580
@Astron. I've sync'd the named.conf and db.* files, which are in /etc/bind, but nothing like the rndc-key or any other identifier / encryption key. Thanks for the link. I was hoping for a brief answer that would save me from reading reams of documentation... – Alex Leach – 2011-07-20T08:36:13.823
@Laurent. No, I want both of them to appear as master for the zone, as I don't run them at the same time. Sorry, my bad. – Alex Leach – 2011-07-20T08:36:36.960
ok - @astron: I will only be able to remove the downvote if you edit your answer. – laurent – 2011-07-20T22:32:31.977
@laurent I updated my answer. – Astron – 2011-07-26T23:46:18.890