# BIND Master vs. Slave question

## MoonWalker

I have 2 boxes located in different places and with IPs on different subnets, 212... and 195... I have a main domain with a master zone running as an NS on 212, acting as NS for the main domain as well as others hosted on the box. Now I want the 195 to also act as an NS belonging to the same domain as the master on 212, as the idea is to gradually move hosted domains from 212 to 195 and eventually take down 212 (I can't move all domains at once for different reasons). My question is: do I have to set up the 195 main domain NS as a slave, or can I set it up as a master as well with an identical zone file (it sounds like a collision to me though)? An alternative approach could be to set up the new (195) as master directly and change 212 to a slave?

I would appreciate some comment on this as I'm not that experienced with BIND or DNS apart from daily maintenance, and I hope the above scenario was expressed clearly enough.

----------

## kashani

I did something like this recently and you have a ton of options to play with.

Master and slave means nothing to the clients making requests. All they care about is getting an answer. The master/slave is for passing zones properly between servers, where changes get propagated from the master. I'd try to avoid having your name servers give out different answers, by making changes to both or whatever. I'd suggest you do the following:

1. scp all zone files over to 195.

2. Configure 195 to be master for all the zones

3. Test 195 to make sure things are working well.

4. backup the config for 212

5. Change the config on 212 to be slave now. 

6. Make any new DNS changes on 195

I'd suggest setting up a secondary nameserver when all this is finished. Having DNS on one server is considered a "bad thing" by the industry.

kashani

----------

## MoonWalker

First thanks for reply.

 *Quote:*   

> 1. scp all zone files over to 195. 
> 
> 2. Configure 195 to be master for all the zones 
> 
> 

I can't really do step 2 as not all hosted domains are mine and fully controlled by me; they would need a change of DNS pointer (I suppose) in their registrar's db and it won't happen all at the same time. This is part of the problem. I have to move domains gradually to the new DNS server and some will probably move elsewhere later when I take the server down. Also, it has to be done right the first time with .nu domains, of which I host some. There is a $10 charge on change of DNS records by nunames.

 *Quote:*   

> 3. Test 195 to make sure things are working well. 
> 
> 4. backup the config for 212 
> 
> 5. Change the config on 212 to be slave now. 

 

Is this the same as it becoming "secondary" for the domain? Also, if I have understood it right, I don't have to bother with the zone file on the secondary as it will be pulled from the master. But what about the named.conf and other masters listed there? They won't really bother about the slave listed and also used as primary by them?

 *Quote:*   

> 6. Make any new DNS changes on 195 
> 
> I'd suggest setting up a secondary nameserver when all this is finished. Having DNS on one server is considered a "bad thing" by the industry.  
> ...

3 to 6 I see how to do ok, but when it comes to setting up secondaries, I know about the "bad thing" and now I use just an aliased host on the same box to act as a second DNS... I am thinking of setting this up on one free service though; I saw another post with some named services I will try. Just one question here. When adding a secondary from another location on the net, is it set up as a slave then? If I have understood things right it's the way to do it, or?

----------

## joycea

 *Quote:*   

> I can't really do step 2 as all hosted domains are not mine and fully controlled by me, they would need a change of dns pointer (I suppose) in their registrars db and it wont happen all at the same time. This is part of the problem.

 

The DNS record with the registrar has nothing to do with how you designate master and slave. If you take kashani's advice what will happen is that both nameservers will answer authoritatively, although as far as you are concerned the 195 computer will be the one you make changes on, and the changes will propagate to the 212 machine.

 *Quote:*   

> When adding a secondary from an other location on the net, is it setup as a slave then?

 

Yes, that's correct.  The idea of master and slave is just to setup a chain of data propagation so that you only have to update one record to make changes to all the different servers responses.

----------

## MoonWalker

Ok that cleared most, just feel puzzled about the named.conf file still... Now all zone entries on the 212 box are set as master, will I move all those to the 195 box and change them to slave on 212 or is this related to on which box the domains host their files? I don't mean zone files now but files related to their webpages as they all are virtual web domains.

----------

## joycea

 *Quote:*   

> Now all zone entries on the 212 box are set as master, will I move all those to the 195 box and change them to slave on 212...

 

Yes, you will want to move the records to the 195 box and set them to slave on the 212 box.

 *Quote:*   

> ...or is this related to on which box the domains host their files?

 

No, this will not relate to which box hosts the actual files, just ensure the DNS record for that domain points to the correct box.

----------

## MoonWalker

Ok, that cleared things up further... However, I realize I'm still a bit confused with this slave/secondary thing and what actually is needed in named.conf.

I know what to set for master (I think) and for slave I guess I also need a 'masters' directive in the zone part for the domain. But how about this with forwarders? I'm getting a bit confused here from the docs I have (ARMS9, Book of Webmin and O'Reilly's DNS and BIND (3rd ed.)). Is this something I have to set as well, and on which box? What I'm referring to here is for the zone transfers to take place properly. I guess I can use a dnskey for security instead of IPs in the masters directive, or do I need both? A small example would be nice btw.

Great if you could help me with this one as well and I'm sure it will come to use for others searching on this topic.

----------

## fatcat.00

As others have already noted, whether each box is a master or slave is really up to you.  It affects nothing with regard to name resolution itself.

That said, let me first clarify an important difference between a master and a slave:

A master is where you want to make all your changes to your zones.  The box that you want to use for making all your edits *should* be the master.  In your case, I would do as you suggested:  make the new box the master and the old box the slave.

A slave is a box that copies zone data from another dns box.  The box that a slave copies from can be either a master or a slave.

If it was me, here's what I would do:

1) Copy all the zone DB files and named.conf from 212 to 195

2) Backup the named.conf on 212 and create a new named.conf that contains the directives for the secondary zones. Here is a sample:

```
zone "somedomain.com" {
        type slave;
        file "sec.somedomain.com";
        masters {
                10.0.1.254;
        };
};
```

Of course, substitute the domain name and the IP address for the bind server you are transferring the zone from.

You may also want to change the TTL in the zone DB files to something small, like 10 minutes.  To do that, make the *first* line in the zone DB file like this:

```
$TTL 600
```

Once you have successfully got the new master working, go ahead and change the old master to be secondary and you are finished.

Good Luck!

-- Fatcat

----------

## MoonWalker

Ok, sounds straightforward and good, just one thing. In all zone.db files I currently have an SOA line looking something like this:

```
thisdomain.com.  IN      SOA     212.nsdomain.net. hostmaster.thisdomain.com. (
```

isn't it a good idea to also change this in all master zonedb files to:

```
thisdomain.com.  IN      SOA     195.nsdomain.net. hostmaster.thisdomain.com. (
```

 ?

Where 212 & 195 refer to the host names for those boxes. This is because I have altogether 4 IPs (of which 3 are IP aliases, eth0:0, eth0:1 etc.) but about 20 domains hosted, so most of them don't have any PTR records, for example, and only exist "virtually" in the DNS zone files and Apache virtual hosts. I don't know if this really matters or is the correct way to do it, but it was how the box was set up some years ago and I haven't had any reason to change it as it worked fine.
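
The SOA change asked about above and fatcat's $TTL tip are both edits to the master's zone files, and a slave only pulls an edited zone when the SOA serial has gone up (in the wrapping sense of RFC 1982); editing MNAME or $TTL without bumping the serial leaves the slave serving the old copy until its expire timer runs out. The script below is an added example, not anything posted in this thread: it parses the SOA out of a BIND zone file, bumps the serial in the YYYYMMDDnn convention, rewrites MNAME and $TTL, and checks with serial arithmetic whether a slave's copy is stale. `SAMPLE_ZONE`, the `nsdomain.net` hostnames and the 192.0.2.10 address are constructed stand-ins.

```python
"""Zone-file helper for the migration in this thread: set $TTL, point the
SOA MNAME at the new master and bump the serial so slaves re-transfer.
Added example; SAMPLE_ZONE and the hostnames are constructed stand-ins."""
import re
from datetime import date

# Constructed sample in the layout the thread shows (not a real zone).
SAMPLE_ZONE = """\
$TTL 86400
thisdomain.com.  IN  SOA  212.nsdomain.net. hostmaster.thisdomain.com. (
                        2003011501 ; serial
                        10800      ; refresh
                        3600       ; retry
                        604800     ; expire
                        86400 )    ; minimum
thisdomain.com.  IN  NS   212.nsdomain.net.
thisdomain.com.  IN  NS   195.nsdomain.net.
www              IN  A    192.0.2.10
"""

# Matches the SOA after ';' comments are stripped; parentheses optional.
SOA_RE = re.compile(
    r"\bSOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s*\(?\s*"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+"
    r"(?P<expire>\d+)\s+(?P<minimum>\d+)\s*\)?",
    re.DOTALL,
)


def strip_comments(text):
    return re.sub(r";[^\n]*", "", text)


def parse_soa(zone_text):
    """Return the SOA fields as a dict; numeric fields as ints."""
    m = SOA_RE.search(strip_comments(zone_text))
    if not m:
        raise ValueError("no SOA record found")
    soa = m.groupdict()
    for k in ("serial", "refresh", "retry", "expire", "minimum"):
        soa[k] = int(soa[k])
    return soa


def serial_gt(a, b):
    """RFC 1982 comparison on 32-bit serials: a is newer than b when
    (a - b) mod 2^32 is in (0, 2^31).  A slave transfers only if the
    master's serial is newer in this sense, so a serial typed too large
    (an extra digit, say) can silently freeze every slave."""
    d = (a - b) % (1 << 32)
    return 0 < d < (1 << 31)


def next_serial(current, today_yyyymmdd=None):
    """YYYYMMDDnn convention: today's date with counter 00, or current+1
    when the current serial is already at or beyond today's base."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(date.today().strftime("%Y%m%d"))
    base = today_yyyymmdd * 100
    return current + 1 if current >= base else base


def rewrite_zone(zone_text, new_mname=None, ttl=None, today_yyyymmdd=None):
    """Apply the migration edits and bump the serial in one step.  Only the
    SOA MNAME is rewritten; NS records naming the old box are left alone."""
    soa = parse_soa(zone_text)
    new_serial = next_serial(soa["serial"], today_yyyymmdd)
    text = re.sub(r"(\bSOA\b.*?\b)%d\b" % soa["serial"],
                  lambda m: m.group(1) + str(new_serial), zone_text,
                  count=1, flags=re.DOTALL)
    if new_mname:
        text = re.sub(r"(\bSOA\s+)" + re.escape(soa["mname"]),
                      lambda m: m.group(1) + new_mname, text, count=1)
    if ttl is not None:
        if re.match(r"\$TTL\b", text):
            text = re.sub(r"^\$TTL\s+\S+", "$TTL %d" % ttl, text, count=1)
        else:
            text = "$TTL %d\n" % ttl + text   # fatcat's rule: first line
    return text


def slave_is_stale(master_zone, slave_zone):
    """True when the slave's copy would be replaced on the next refresh."""
    return serial_gt(parse_soa(master_zone)["serial"],
                     parse_soa(slave_zone)["serial"])


if __name__ == "__main__":
    updated = rewrite_zone(SAMPLE_ZONE, new_mname="195.nsdomain.net.",
                           ttl=600, today_yyyymmdd=20030201)
    print(updated)
    print(parse_soa(updated)["serial"], slave_is_stale(updated, SAMPLE_ZONE))
```

Run it over each master zone file before reloading; the lowered $TTL only takes effect on clients once the old, longer TTL has expired from caches, so do it well ahead of any address change.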

----------

## kashani

Thanks joycea and fatcat for explaining some of the points I glossed over.

Moonwalker, here's an example of what I did at a company that was consolidating networks, ip's and domains. This may help you understand your own system a bit better.

1. We setup a master server on private ip space, 10.10.10.100 on our public network.

2. We then copied all zone files to this server and configured it to be master for all zones.

3. There were 15-20 different name servers each with a different config, i.e. listed as the auth name server for different domains etc.

4. We built 3 new name servers that were going to be our new auth name servers for everything. We slaved these name servers off our internal-IP'ed master server.

5. We also slaved all 20 of the other name servers off our internal name server.

With this system we could make changes in one place to any zone, which was happening quite a bit as we were consolidating IP space at the time too. The zones would propagate to the current authoritative servers and our new servers. As we moved domains to the new auth server we never had to worry about whether or not they had the right data, because the entire network was slaved off a single server. This is what master/slave really accomplishes: unidirectional data updates. It has no bearing on whether the data is more correct or not. You could run every single name server as master, it just means that now you have to update all your servers separately.

Once we finished the migration we left the master name server on internal IP space and kept the public-IP'ed authoritative name servers slaved to it.

Hopefully this helps you a bit more.

kashani
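
fatcat's slave stanza and kashani's hidden-master layout both come down to a pair of named.conf fragments, and MoonWalker's earlier question about a key versus IPs in `masters` is answered by how they fit together: the slave still needs the master's address in `masters` (the TSIG key is attached to that address), while the master can restrict `allow-transfer` to the key alone, so AXFR of every hosted zone is no longer open to anyone who asks. This is an added example, not configuration from the thread; the hostnames, the key name `xfer-key`, the file paths and the documentation addresses 198.51.100.10 (standing in for the 195 box) and 192.0.2.10 (the 212 box) are placeholders, and the secret is whatever `tsig-keygen` prints (on older BIND 9 releases `dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST`; the earliest 9.x only know `hmac-md5`).

```conf
// ---- new master (the 195 box; 198.51.100.10 is a placeholder) ----
key "xfer-key" {
        algorithm hmac-sha256;
        secret "<base64 secret from tsig-keygen>";   // identical on both boxes; keep the file 0640, owned by named
};

options {
        directory "/var/named";
        allow-transfer { none; };      // deny AXFR by default; grant per zone below
        allow-update { none; };
        notify explicit;               // master is not in the NS set in kashani's hidden-master layout
        also-notify { 192.0.2.10; };   // slaves to poke on every change
};

zone "thisdomain.com" {
        type master;
        file "master/thisdomain.com";
        allow-transfer { key "xfer-key"; };   // key alone is enough here; no IP list needed
};

// ---- old box (the 212 box; 192.0.2.10 is a placeholder), now a slave ----
key "xfer-key" {
        algorithm hmac-sha256;
        secret "<base64 secret from tsig-keygen>";
};

options {
        directory "/var/named";
        allow-transfer { none; };      // nobody needs AXFR from the slave
        allow-update { none; };
};

zone "thisdomain.com" {
        type slave;
        file "sec/thisdomain.com";                    // named must be able to write here
        masters { 198.51.100.10 key "xfer-key"; };   // address is required; the key signs the request
        allow-notify { 198.51.100.10; };
};
```

Check both files with `named-checkconf` and each master zone with `named-checkzone thisdomain.com master/thisdomain.com` before the switch. After it, `dig @198.51.100.10 thisdomain.com SOA +short` and `dig @192.0.2.10 thisdomain.com SOA +short` should return the same serial (a lagging slave has not transferred; look at its log for a TSIG "BADKEY" or "BADSIG" refusal), and `dig @192.0.2.10 thisdomain.com AXFR` from an unrelated host should be refused.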

----------

## MoonWalker

Yes, it was a good description and I have grasped all this. I guess I couldn't see the forest for all the trees before, but now that's clear and I think I'm pretty set to carry out my task... and thanks to all of you for spending time on 'supporting' me!

Just a note about the above. It was a great structure I will remember for possible future use, but at the moment I have to do all this on one box or two, which is what I have, and it will soon be only one again. The reason I do this is that I moved my physical location, not only to a new home but also to a new country, and I don't have a leased line of my own but a co-located box in a server room. Putting another box there would double my costs on a monthly basis and I just run this for my own things and host some friends' domains for free.

----------

## MoonWalker

Ok, first step in the operation done: new box up and running as master, and the new slaves on the old box did their transfers and updated their db files, so accordingly all seems to have gone well. A big thanks guys!

----------

## sharp

MoonWalker: I don't know what your system setup/requirements/limitations/etc. are, so a suggestion from my experience with DNS services. Consider DJBDNS, it is superb software.

http://cr.yp.to/djbdns.html

If the only experience you've had with DNS servers is BIND (which I started out with), djbdns is worth the consideration. It consists of three small binaries which provide DNS, cache, and transfer services: tinydns, dnscache, axfrdns. Each one performs a specific aspect of DNS: tinydns serves DNS requests, dnscache is a caching name server, and axfrdns is used to sync DNS updates. It's easy to set up multiple DNS servers on separate IPs on the same box and run all three services.

For one company which I consulted for, I setup tinydns on the external interface of the firewall to resolve public addresses, dnscache on the internal lan interface which served all dns requests and wrote a small perl script that synced up dns with the dhcp leases (which I know bind already has this functionality).

Things to consider: BIND has had many security issues, whereas djbdns has NONE. The author has a security guarantee where he'll pay out something like $500 if you can find a security issue with the software...

As for performance, it is amazing, it's BLAZIN' FAST. Read the link from above for specific statistics...

Also the DNS 'zone' files (in reference to what BIND calls them) are much simpler and more flexible. To create both forward and reverse records use:

```
=www.example.com:10.0.0.1
```

So to end the rambling, it might be something you would consider, as I have been using his software on 4 production servers and have never had a problem with any of them going down or requiring my attention (short of a shoddy DSL connection...)

Cheers,

-js

----------

## MoonWalker

Thanks for the suggestion, I know about DJBDNS but I'm happy with Bind and have it all setup now.

----------

