resolver<\/em>, then, is a server which answers to all kinds of queries by clients and does the resolving work for them. Recursive name servers are no source of original information as they get every piece of information they know from authoritative name servers. Resolvers work in between the authoritative name servers and clients and by caching the results obtained in previous queries, they can reduce the traffic leaving a network and the load on authoritative name servers. So a recursive name server is fine if it\u2019s not openly queriable by everyone, but only a specified range of clients.<\/p>\n\n\n\nRecursive and authoritative server functions may reside in the same server instance but I would discourage it on the principle that authoritative name servers shouldn\u2019t do recursion at all. That is on the grounds of performance issues and possible easy misconfiguration. In this example, the recursive function is altogether disabled in BIND configuration, and NSD isn\u2019t even capable of doing recursion.<\/p>\n\n\n\n
NicTool preparations and prerequisites<\/h2>\n\n\n\n Now it\u2019s time to install NicTool. First NicTool prerequisites are satisfied, then NicTool files are installed and the system configuration is done.<\/p>\n\n\n\n
MariaDB (practically the GPL fork of Oracle MySQL) SQL DBMS is needed for information storage. Install MariaDB on ns1:<\/p>\n\n\n\n
yum install mariadb mariadb-server mariadb-devel\nsystemctl enable mariadb\nsystemctl start mariadb<\/pre>\n\n\n\nApache web server is required for serving the frontend and we really want it secured. Install Apache with mod_ssl and Perl:<\/p>\n\n\n\n
yum install httpd httpd-devel mod_ssl epel-release\nyum install mod_perl mod_perl-devel<\/pre>\n\n\n\nNote: You should check whether the epel-release fingerprint is valid, below an example:<\/em><\/p>\n\n\n\nRetrieving key from file:\/\/\/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-EPEL-7\nImporting GPG key 0x352C64E5:\n Userid : \"Fedora EPEL (7) <epel@fedoraproject.org>\"\n Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5\n Package : epel-release-7-11.noarch (@extras)\n From : \/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-EPEL-7\nIs this ok [y\/N]: y<\/pre>\n\n\n\nsystemctl enable httpd<\/pre>\n\n\n\nInstall some Perl and other related stuff to satisfy NicTool install dependencies:<\/p>\n\n\n\n
yum install curl gcc make gettext gettext-devel rsync libxml2 libxml2-devel perl-Net-IP perl-XML-Parser perl-XML-LibXML perl-Digest-HMAC perl-ExtUtils-MakeMaker\nyum install cpan perl-Module-Build perl-LWP-Protocol-https<\/pre>\n\n\n\nGet the NicTool bundle and prepare it for installation. By default, NicTool is to be installed to \/usr\/local<\/tt> but I decided it\u2019s a more suitable and state-of-the-art way to install this kind of blob into \/opt<\/tt>:<\/p>\n\n\n\ncd \/opt\nwget https:\/\/github.com\/msimerson\/NicTool\/archive\/master.zip\nyum install unzip -y && unzip master.zip\nmv NicTool-master nictool\nrm master.zip<\/pre>\n\n\n\nAdd a user account for syncing the config files and chown<\/tt> NicTool files to the new user:<\/p>\n\n\n\nuseradd -d \/opt\/nictool -c \"nssync user\" -rU -s \/bin\/sh nssync\nchown nssync: nictool\/<\/pre>\n\n\n\nOn many systems, there already exists a bind<\/tt> user account but as a little extra security measure, I decided to go for a totally separate account. That\u2019s because I want to allow NicTool to alter only specific config files \u2013 not everything that bind<\/tt> user has write access to.<\/p>\n\n\n\nInstalling NicTool files and dependencies<\/h2>\n\n\n\n
Run NicTool install scripts which install NicTool and seek to fulfil its dependencies:<\/p>\n\n\n\n
cd nictool\/client\/\nperl bin\/install_deps.pl\nperl Makefile.PL; make; make install clean\ncd ..\/server\/\nperl bin\/nt_install_deps.pl\nperl Makefile.PL; make; make install clean<\/pre>\n\n\n\nSome dependencies might fail installation and it\u2019s not a big deal. Just install them directly from CPAN.<\/p>\n\n\n\n
The following modules failed installation:\nApache::DBI\nBIND::Conf_Parser\nCrypt::KeyDerivation\nCrypt::Mac::HMAC\nCryptX\nNet::DNS::ZoneFile<\/pre>\n\n\n\nAs of July 2018 perl-CGI has to be also installed from CPAN because the prepackaged version isn\u2019t new enough:<\/p>\n\n\n\n
yum remove perl-CGI\ncpan\n> install CGI Apache::DBI BIND::Conf_Parser Crypt::KeyDerivation Crypt::Mac::HMAC CryptX Net::DNS::ZoneFile\n> quit<\/pre>\n\n\n\nNow everything should be ready for setting up the NicTool itself.<\/p>\n\n\n\n
NicTool system configuration<\/h2>\n\n\n\n Here the NicTool database and NicTool\u2019s own base configuration are set up.<\/p>\n\n\n\n
First the SQL database is to be initialized:<\/p>\n\n\n\n
# cd sql\/\n# perl create_tables.pl<\/pre>\n\n\n\nEnter the database hostname and root password (that\u2019s empty for default installs).<\/p>\n\n\n\n
Enter parameters for creating the NicTool MariaDB user and the db itself;nictool<\/tt> are fine. Database password should be different from any other password as it\u2019s used only with the database connection.<\/p>\n\n\n\n
creating the nictool \u2018root\u2019 admin account in the db:
You should probably record the information the script gives you.<\/p>\n\n\n\n
Now to do NicTool server\u2019s system configuration.<\/p>\n\n\n\n
# cd ..\/lib\n# cp nictoolserver.conf.dist nictoolserver.conf<\/pre>\n\n\n\nEdit nictoolserver.conf<\/tt>, define the previously set database password in the nictoolserver.conf<\/tt> config file, and check the other config parameters are correct.<\/p>\n\n\n\n
Then configuring the NicTool client.<\/p>\n\n\n\n
# cd ..\/..\/client\/lib\/\n# cp nictoolclient.conf.dist nictoolclient.conf<\/pre>\n\n\n\nEdit nictoolclient.conf<\/tt>:<\/p>\n\n\n\n\nchange \/usr\/local\/nictool\/client<\/tt> to \/opt\/nictool\/client<\/tt><\/li>\n\n\n\nhere are the parameters to be used for default DNS values.<\/li>\n<\/ul>\n\n\n\nNicTool system configuration should be fine now but NicTool is yet waiting for the web server setup before it can be accessed.<\/p>\n\n\n\n
Web server setup with Apache and Let’s Encrypt<\/h2>\n\n\n\n NicTool client (frontend) is served with Apache web server, at this step it is going to be installed with encryption.<\/p>\n\n\n\n
Let\u2019s Encrypt<\/h3>\n\n\n\n Install the Let\u2019s Encrypt package:<\/p>\n\n\n\n
yum install python2-certbot-apache\nsystemctl start httpd<\/pre>\n\n\n\nEdit \/etc\/httpd\/conf.d\/default_vhost.conf<\/tt> to accommodate Let\u2019s Encrypt temporary config, replace the server name with your domain and subdomain:<\/p>\n\n\n\n<VirtualHost _default_:80>\n DocumentRoot \"\/var\/www\/html\"\n ServerName ns1.example.com<\/span>\n<\/VirtualHost><\/pre>\n\n\n\nThe CentOS template on UpCloud includes firewalls,<\/tt> which blocks DNS, HTTP and HTTPS connections by default. Enable these with the following commands.<\/p>\n\n\n\nfirewall-cmd --permanent --add-service http\nfirewall-cmd --permanent --add-service https\nfirewall-cmd --permanent --add-service dns\nfirewall-cmd --reload<\/pre>\n\n\n\nThen, the real thing of this step asking for certbot<\/tt> to issue and install a new certificate:<\/p>\n\n\n\ncertbot --apache -d ns1.example.com<\/span><\/pre>\n\n\n\nFollow the instructions to complete the certificate acquisition. In the last question about whether to redirect HTTP traffic to the encrypted channel, choose yes.<\/p>\n\n\n\n
\"Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.\"\n-> answer 2<\/tt>.<\/pre>\n\n\n\n Let\u2019s Encrypt should request and install a new certificate, and modify the default vhost<\/tt> to make it redirect to HTTPS.<\/p>\n\n\n\n
Make certbot<\/tt> renew the certificates regularly by adding an entry to \/etc\/crontab<\/tt>:<\/p>\n\n\n\n16 2 * * 7 root \/usr\/bin\/certbot renew -n --apache<\/pre>\n\n\n\nThis tells cron<\/tt> to run the command as the \u2018root\u2019 user every Sunday (\u20187\u2019) at 2:16 o\u2019clock.<\/p>\n\n\n\nApache<\/h3>\n\n\n\n
Then to hone the Apache config. At a CentOS setup, begin by blanking the default ssl.conf<\/tt>. I backed it up to \/root<\/tt>. Blanking the file prevents system updates from replacing it.<\/p>\n\n\n\n
On other distributions or OS\u2019es, your procedure may vary, but the desired config is presented later.<\/em><\/p>\n\n\n\ncp \/etc\/httpd\/conf.d\/ssl.conf \/root\/\necho > \/etc\/httpd\/conf.d\/ssl.conf\n<\/pre>\n\n\n\nGet the NicTool example config for Apache:<\/p>\n\n\n\n
cd \/etc\/httpd\/conf.d\/\nwget http:\/\/www.nictool.com\/download\/nictool-24.conf\n<\/pre>\n\n\n\nEdit the Apache config and migrate the SSL part<\/em> from your default_vhost-le-ssl.conf<\/tt> to Apache NicTool configuration file:<\/p>\n\n\n\n nictool-24.conf<\/tt>:<\/p>\n\n\n\nPerlRequire \/opt\/nictool\/client\/lib\/nictoolclient.conf\n\n# shouldn't be needed:\n#<VirtualHost _default_:80>\n# # force a https connection\n# ServerName ns1.example.com<\/span>\n# Redirect \/ https:\/\/ns1.example.com<\/span>\/\n#<\/VirtualHost>\n\nListen 443\n<VirtualHost *:443>\n ServerName ns1.example.com<\/span>\n\n# DocumentRoot \/opt\/nictool\/client\/htdocs\n# Alias \/images\/ \"\/opt\/nictool\/client\/htdocs\/images\/\"\n Alias \/nictool\/ \"\/opt\/nictool\/client\/htdocs\/\"\n RedirectMatch 301 ^\/$ https:\/\/example.com<\/span>\/\n\n DirectoryIndex index.cgi index.html\n\n SSLEngine on\n SSLCertificateFile \/etc\/letsencrypt\/live\/ns1.example.com<\/span>\/cert.pem\n SSLCertificateKeyFile \/etc\/letsencrypt\/live\/ns1.example.com<\/span>\/privkey.pem\n Include \/etc\/letsencrypt\/options-ssl-apache.conf\n SSLCertificateChainFile \/etc\/letsencrypt\/live\/ns1.example.com<\/span>\/chain.pem\n\n <Files \"*.cgi\">\n SetHandler perl-script\n PerlResponseHandler ModPerl::Registry\n PerlOptions +ParseHeaders\n Options +ExecCGI\n <\/Files>\n\n <Directory \"\/opt\/nictool\/client\/htdocs\">\n Require all granted\n <\/Directory>\n<\/VirtualHost>\n\n<IfDefine !MODPERL2> \n PerlFreshRestart On\n<\/IfDefine>\nPerlTaintCheck Off\n\nListen 8082\n\nPerlRequire \/opt\/nictool\/server\/lib\/nictoolserver.conf\n\n<VirtualHost *:8082>\n KeepAlive Off\n <Location \/>\n SetHandler perl-script\n PerlResponseHandler NicToolServer\n <\/Location>\n <Location \/soap>\n SetHandler perl-script\n PerlResponseHandler Apache::SOAP\n PerlSetVar dispatch_to \"\/opt\/nictool\/server, NicToolServer::SOAP\"\n <\/Location>\n<\/VirtualHost>\n<\/pre>\n\n\n\nSome notes about the config:<\/p>\n\n\n\n
\nThe NicTool directory is aliased to \/nictool\/ instead of the server root\n\nRedirectMatch directive is there to redirect the NicTool host\u2019s HTTP root to a real (e.g. company) website.<\/li>\n\n\n\n One should switch comments at the beginning of the lines on DocumentRoot<\/tt> configuration block to host NicTool in the HTTP root of the server.<\/li>\n<\/ul>\n<\/li>\n\n\n\nIn DirectoryIndex<\/tt> there has been added index.html<\/tt> as a fallback option so that some directories can have an HTML index page; try removing index.html<\/tt> if you encounter problems.<\/li>\n<\/ul>\n\n\n\n After configuration, apply the config into effect:<\/p>\n\n\n\n
mv nictool-24.conf z_nictool.conf\nrm default_vhost-le-ssl.conf\nsystemctl reload httpd\n<\/pre>\n\n\n\nAnd then\u2026 using a web browser go to the website and log in! -> https:\/\/ns1.example.com\/nictool<\/code><\/p>\n\n\n\nNow the NicTool client\/frontend should be working. Next NicTool needs to be populated with the name server info and the server\/backend which executes the exports needs to be configured.<\/p>\n\n\n\n
Populating NicTool with information<\/h2>\n\n\n\n Here NicTool is set up with the minimum required amount of information to ultimately complete the setup. The payload (other zones and resource records) can be added whenever it suits the user.<\/p>\n\n\n\n
Firstly, one should add a user for themselves from the NicTool web user interface (UI) and log in with it.<\/p>\n\n\n\n
When logged in at the web UI, at the Nameservers tab edit the name servers.<\/p>\n\n\n\n
\nFirst nameserver ns1:\n\nNS type bind<\/em>,<\/li>\n\n\n\ndata directory \/opt\/nictool\/ns1<\/tt>.<\/li>\n<\/ul>\n<\/li>\n\n\n\nSecond nameserver ns2:\n\nNS type NSD<\/em>,<\/li>\n\n\n\ndata dir \/opt\/nictool\/ns2<\/tt>,<\/li>\n\n\n\nremote login nssync<\/em>.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\nIn the web UI\u2019s Zones tab, there should exist at least one zone with the freshly edited name servers selected as the zone\u2019s name servers (so that there is something for NicTool to export).<\/p>\n\n\n\nThen add at least A records for the name servers in the new zone.<\/p>\n\n\n\nNext, back at the shell, creating the config export directories for each name server:<\/p>\n\n\n\n
cd \/opt\/nictool\nsu -m nssync -c \"mkdir ns1 ns2\"<\/pre>\n\n\n\nMaking the exports<\/h2>\n\n\n\n One of the most powerful features of NicTool is the ability to create and push a coherent and up-to-date config for every name server set up in it. Now to configure the exports from the NicTool server side:<\/p>\n\n\n\n
cd ns1\nln -s ..\/server\/bin\/nt_export.pl\nsu -m nssync -c .\/nt_export.pl<\/pre>\n\n\n\n-> Running nt_export.pl<\/tt> should show name servers that NicTool knows of.<\/p>\n\n\n\n
Note: For me, there was something odd at this step and I didn\u2019t get the listing as described in the documentation and elsewhere. Anyway, it seems one can get the nsid<\/tt> information from the NicTool GUI too: just look at the ID number in the link URLs when configuring each name server.<\/em><\/p>\n\n\n\n Because now we\u2019re configuring ns1 which has NicTool\u2019s nsid 1<\/em> we use -nsid 1<\/tt> with the export script:<\/p>\n\n\n\nsu -m nssync -c '.\/nt_export.pl -nsid 1'<\/pre>\n\n\n\n-> This generates the run<\/tt> file which is basically a nice wrapper script for executing the export.<\/p>\n\n\n\n
Then open the run<\/tt> file in an editor and change the user name to nssync<\/tt> as below.<\/p>\n\n\n\nEXPORT_USER=nssync<\/pre>\n\n\n\nRun the run<\/tt> file to get a Makefile<\/tt>:<\/p>\n\n\n\n.\/run<\/pre>\n\n\n\n-> In the Makefile<\/tt> one can define which commands NicTool executes at different stages of the export. Edit the Makefile restart section:<\/p>\n\n\n\nrestart: \/opt\/nictool\/ns1\/named.conf.nictool\n sudo rndc reload\n test 1<\/pre>\n\n\n\nTo give an unprivileged user the authority to reload the BIND config, sudo<\/tt> is used. The privilege must be granted in the \/etc\/sudoers<\/tt> file, open it using visudo<\/tt>.<\/p>\n\n\n\nvisudo<\/pre>\n\n\n\nThen add the following line:<\/p>\n\n\n\n
nssync ALL=(ALL) NOPASSWD: \/usr\/sbin\/rndc reload<\/pre>\n\n\n\n-> The line gives nssync<\/tt> user the permission to run the BIND named reload command rndc reload<\/tt> via sudo<\/tt> and no password.<\/p>\n\n\n\n
NicTool generated BIND config file can be customized with a template:<\/p>\n\n\n\n
mkdir templates\ntouch templates\/default<\/pre>\n\n\n\nThen add the following to the default<\/tt> file. Replace the IP shown in red with the private IP address of the ns2 name server:<\/p>\n\n\n\nzone \"ZONE\" {\n type master;\n file \"\/opt\/nictool\/ns1\/ZONE\";\n notify yes;\n also-notify {\n 10.234.55.66<\/span>;\n };\n allow-transfer {\n 10.234.55.66<\/span>;\n };\n };<\/pre>\n\n\n\nActually, notify<\/tt> and transfer<\/tt> shouldn\u2019t be needed since we push all the configs to slave servers. They\u2019re here as an example, one should remove them at their discretion.<\/p>\n\n\n\n
To start and enable BIND:<\/p>\n\n\n\n
systemctl start named\nsystemctl enable named<\/pre>\n\n\n\nBecause the export is in the ns1 case done to the local filesystem, no remote login or other tricks are needed. Check the export is working like it should, i.e. config file is generated, put into a proper place, and the named server reloaded:<\/p>\n\n\n\n
.\/run<\/pre>\n\n\n\nNow the first name server should be working, then to install the second.<\/p>\n\n\n\n
Install ns2<\/h2>\n\n\n\n Up to this point all commands have been given to ns1. From now on the server is indicated before the command.<\/em><\/p>\n\n\n\nFirst, install the Extra Packages for Enterprise Linux (EPEL) on the ns2 as well:<\/p>\n\n\n\n
ns2 # yum install epel-release<\/pre>\n\n\n\nInstall NSD and rsync along with the other requisites:<\/p>\n\n\n\n
ns2 # yum install nsd rsync openssl sudo<\/pre>\n\n\n\nAlso, enable DNS port at firewalld on ns2:<\/p>\n\n\n\n
ns2 # firewall-cmd --add-service --permanent dns\nns2 # firewall-cmd --reload<\/pre>\n\n\n\nThen, prepare the ns2 for NicTool export:<\/p>\n\n\n\n
ns2 # mkdir -p \/opt\/nictool\/ns2\nns2 # useradd -d \/opt\/nictool -c \"nssync user\" -rU -s \/bin\/sh nssync\nns2 # chown -R nssync: \/opt\/nictool\/<\/pre>\n\n\n\nEdit \/etc\/nsd\/nsd.conf<\/tt>:<\/p>\n\n\n\nserver:\n # listen on IPv4\/6 connections\n do-ip4: yes\n do-ip6: yes\n\n database: \"\"\n\n logfile: \"\/var\/log\/nsd.log\"\n\n # Optional local server config\n include: \"\/etc\/nsd\/server.d\/*.conf\"\n\n# Include optional local configs.\ninclude: \"\/etc\/nsd\/conf.d\/*.conf\"\n\ninclude: \"\/opt\/nictool\/ns2\/nsd.nictool.conf\"\n\nremote-control:\n # Enable remote control with nsd-control(8) here.\n # set up the keys and certificates with nsd-control-setup.\n control-enable: yes<\/pre>\n\n\n\nThe last include:<\/tt> feeds our NicTool generated configuration to NSD. Although on CentOS 7 most of the defaults are fine, some things are explicitly defined in the configuration. You should follow the comments in the config file and read nsd.conf(5)<\/em> manual when configuring your own server.<\/p>\n\n\n\nNSD keys and certs must be generated and the daemon enabled:<\/p>\n\n\n\n
ns2 # nsd-control-setup\nns2 # systemctl enable nsd\nns2 # systemctl start nsd<\/pre>\n\n\n\nnsd-control-setup<\/tt> should create the keys and certificates into the default place so separate configuration in nsd.conf<\/tt> shouldn\u2019t be needed. You can of course explicitly define the files if you want.<\/p>\n\n\n\n
After this, whenever needed, reload NSD config with:<\/p>\n\n\n\n
ns2 # nsd-control reconfig && nsd-control reload<\/pre>\n\n\n\nSetup exports for ns2<\/h2>\n\n\n\n As earlier mentioned, the exports work like:
Setting up the export begins by doing the same magic as with ns1 export, but this time with -nsid 2<\/tt>:<\/p>\n\n\n\nns1 # cd \/opt\/nictool\/ns2\nns1 # ln -s ..\/server\/bin\/nt_export.pl\nns1 # su -m nssync -c '.\/nt_export.pl -nsid 2'<\/pre>\n\n\n\nSet the export user in run<\/tt>:<\/p>\n\n\n\nEXPORT_USER=nssync<\/pre>\n\n\n\nRun the export \u2013 it will fail because login hasn\u2019t been setup yet but it will generate the Makefile<\/tt>.<\/p>\n\n\n\n
Tunc Makefile<\/tt> to suit ns2:<\/p>\n\n\n\n# NSD v4\ncompile: \/opt\/nictool\/ns2\/nsd.nictool.conf\n test 1\n\nremote: \/opt\/nictool\/ns2\n rsync -az --delete \/opt\/nictool\/ns2\/*.* nssync@10.234.55.66<\/span>:\/opt\/nictool\/ns2\/\n\nrestart: \/opt\/nictool\/ns2\n ssh nssync@10.234.55.66<\/span> \"sudo nsd-control reconfig && sudo nsd-control reload\"<\/pre>\n\n\n\nThe IP address in the above config example refers to ns2.<\/p>\n\n\n\n
Giving nssync the ability to control NSD with sudo<\/h3>\n\n\n\n Edit \/etc\/sudoers<\/tt> using visudo<\/tt> (export EDITOR<\/tt> if needed\u2026) and add the following config line:<\/p>\n\n\n\nns2 # visudo<\/pre>\n\n\n\nnssync ALL=(ALL) NOPASSWD: \/usr\/sbin\/nsd-control<\/pre>\n\n\n\nThe above line grants nssync<\/tt> user the ability to use nsd-control<\/tt> without password.<\/p>\n\n\n\nSSH public key authentication<\/h3>\n\n\n\n
Generate the keys which NicTool uses in export. Leave the key passphrase empty:<\/p>\n\n\n\n
ns1 # su -m nssync -c 'ssh-keygen -t rsa'<\/pre>\n\n\n\nOn ns2 make the nssync<\/tt> user able to login via SSH public key:<\/p>\n\n\n\nns2 # mkdir \/opt\/nictool\/.ssh<\/pre>\n\n\n\nInsert ns1\u2019s public key (from \/opt\/nictool\/.ssh\/id_rsa.pub<\/tt>) into ns2\u2019s \/opt\/nictool\/.ssh\/authorized_keys<\/tt> file. Replace the IP with the private IP and the domain with the server name of your first name server:<\/p>\n\n\n\nfrom=\"10.234.44.55<\/span>\" ssh-rsa AAAAB3NzaC1fae[...] nssync@ns1.example.com<\/span><\/pre>\n\n\n\nIn which the from=<\/tt> is the private IP of the master nameserver from where the key is accepted only.<\/p>\n\n\n\n
SSH won\u2019t accept authorized_keys<\/tt> without proper permissions:<\/p>\n\n\n\nns2 # chown -R nssync: ~nssync\/.ssh\nns2 # chmod 700 ~nssync\/.ssh && chmod 600 ~nssync\/.ssh\/authorized_keys<\/pre>\n\n\n\nThe export might initially fail because the underlying ssh<\/tt> is confused about some things. I encountered two types of problems:<\/p>\n\n\n\n\nSSH does not know about the private key to use in the authentication process, and<\/li>\n\n\n\n SSH fails to check the remote host key.<\/li>\n<\/ol>\n\n\n\nIn the first case the use of private key has to be stated by giving rsync the option -e 'ssh -i ~nssync\/.ssh\/id_rsa'<\/tt>, as seen in the snippet from ns1\u2019s \/opt\/nictool\/ns2\/Makefile<\/tt>:<\/p>\n\n\n\nremote: \/opt\/nictool\/ns2\n rsync -az --delete -e 'ssh -i ~nssync\/.ssh\/id_rsa' \n \/opt\/nictool\/ns2\/*.* nssync@10.234.55.66<\/span>:\/opt\/nictool\/ns2\/<\/pre>\n\n\n\nIn the second case, SSH wants to do the remote host key checking but the key doesn\u2019t yet exist in ~nssync\/.ssh\/known_hosts<\/tt>. This can be solved by ensuring the ns2\u2019s SSH host key is in the known_hosts<\/tt> file, something like this:<\/p>\n\n\n\nns1 # su -m nssync -c 'ssh-keyscan -H 10.234.55.66<\/span> >> ~nssync\/.ssh\/known_hosts'<\/pre>\n\n\n\nSSH may also be forced not<\/em> to do the strict key checking by adopting this option in the rsync<\/tt> command: -e 'ssh -o StrictHostKeyChecking=no'<\/tt>. However, I wouldn\u2019t recommend using it in a real-world environment.<\/p>\n\n\n\nDoing the exports automatically using cron<\/h2>\n\n\n\n One of the last steps is to make the exports run automatically. As the export to a specific server is done by executing the corresponding run<\/tt> script, we can run each export periodically from cron.<\/p>\n\n\n\n
Edit nssync<\/tt> user\u2019s crontab on ns1:<\/p>\n\n\n\nns1 # crontab -eu nssync<\/pre>\n\n\n\nThe following lines run the run<\/tt> scripts at the interval of 15 minutes. One line should exist for each synced nameserver. In other words, the changes made using the NicTool GUI are exported to nameservers every run<\/tt>. One should adjust the interval to their needs.<\/p>\n\n\n\n*\/15 * * * * \/opt\/nictool\/ns1\/run\n*\/15 * * * * \/opt\/nictool\/ns2\/run<\/pre>\n\n\n\nAt this point each run<\/tt> file in \/opt\/nictool\/ns?\/<\/tt> has to be checked that the command suited for periodical execution is uncommented and the command for interactive use is commented out.<\/p>\n\n\n\n######################################################\n# For use with periodic triggers like cron and at\n######################################################\nexec \/usr\/bin\/perl .\/nt_export.pl -nsid 1 -pfextra | logger -t nt_export\n...\n######################################################\n# For interactive human use.\n######################################################\n# Note that the -force option is included, as you likely want to export\n# regardless of DB changes since the last successful export.\n#exec su -m $EXPORT_USER -c \" .\/nt_export.pl -nsid 1 -force -pfextra \"<\/pre>\n\n\n\nDelegate authority to your nameservers<\/h2>\n\n\n\n With the new name servers up and working, you migth want to delegate authority to them. The ns1 has already been configured as authoritative but your domain still needs to know where to find the server name records.<\/p>\n\n\n\n
This process will depend on your domain name registrar but should be quite simple. Go to your domain name registrar and log in to their control panel or dashboard. In your domain\u2019s management, find the option that allows you to specify custom name servers.<\/p>\n\n\n\nEnter the public IP addresses of the ns1<\/tt> and ns2<\/tt> in the available fields and save. Telling your domain name registrar to delegate authority over your domain to your new NS allows the setup to take control of the domain. Instead of the regular A records, the registrar will create a glue record to the specific IP addresses which tells other name servers on the internet who to ask about your records under domain.<\/p>\n\n\n\n
Once done, the domain name registrar will begin to advertise the new name servers as authoritative over your domain. The changes might take some time to propagate, usually between 24-48 hour.<\/p>\n\n\n\n
The final discussion<\/h2>\n\n\n\n NicTool should be now able to export the respective configs to ns1 and ns2 automatically and reload the servers.<\/p>\n\n\n\n
Making changes to DNS records from the GUI and running corresponding run<\/tt> scripts on ns1 should now be fully functioning and export each configuration without any further user intervention.<\/p>\n\n\n\n
By adapting these instructions more name servers can be added to the system.<\/p>\n","protected":false},"author":18,"featured_media":27433,"comment_status":"open","ping_status":"closed","template":"","community-category":[223,259],"class_list":["post-2245","tutorial","type-tutorial","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial"}],"about":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/types\/tutorial"}],"author":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/comments?post=2245"}],"version-history":[{"count":0,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2245\/revisions"}],"wp:attachment":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/media?parent=2245"}],"wp:term":[{"taxonomy":"community-category","embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/community-category?post=2245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"NicTool](\"https:\/\/upcloud.com\/media\/nictool-add-new-zone.png\")
<\/figure>\n\n\n\n![\"NicTool](\"https:\/\/upcloud.com\/media\/nictool-nameserver-a-records.png\")
<\/figure>\n\n\n\n![\"Domain](\"https:\/\/upcloud.com\/media\/domain-name-authority.png\")
<\/figure>\n\n\n\n