> This recent thread, in which people are describing their scripts and > GUI provisioning systems makes me think we should recruit a few of > you who think you have a sweet provisioning system
at least i add the library i developed to maintain zone-files which needs translation of the comments, to be cleaned from some hacks depending on our domain and a replaced database layer which i can't publish watch for '$this->db' and $GLOBALS['cl_api']->log() using a global log-api from the CMS-system wrapped around it feel free to use the code for whatever you want, adopt it, laugh about it, delete it :-) sorry no way to make the GUI parts public they are hard wired with internal CMS software and libs ____________________________________________________________________________ i fear the "it seems that no one with an adequate understanding of BIND has written and released a good management frontend" comes because they which did wrapped it around existing infrastructure and can't make it public nor is it written in a generic way then there comes the security point of view - keep the code tiny and only support what you really need avoids a lot of complexity leading in questionable security decisions but makes it also less useable for other environments at least i post the table-structure below and maybe give some ideas helping others, 6 years production and survive a global IP change on the network showed the ideas working great surely, if you have thounds of really large zones it may not scale that perfect, not the case here, up to 1000 zones a no-brainer my development as example started because there is no software out there which supports the grade of automatism i wanted while they make no sense in a different environment and it was developed after FTP/Apache/Asterisk backends all using a inhouse framework startet 2003 and extended with dns functionality 2008 one of the primary design decisions was to also generate PTR-records and feed pseudo-static DHCP ranges by add the MAC to a name/ip-pair and generate the dhcpd.conf with that which gone that far to discover the network with arp commands and add the MAC to the existing A-records made by hand, new machine: change that MAC field and there things start to get "hackish", "thelounge.net" itself has the complete structure seperated and needs to be maintained twice and only the internal cronjobs care about MAC/DHCP on the other hand the basic tool to generate complete zone files out of a single table and write them in the "zone-table" was AFIR written in one night (followed by fine-tuning and extended with special record-types like TXT/SPF and zone delegation on-demand) later automatic generation of SPF records where added if there is a MX pointing to a machine inside our own domain or create or "v=spf1 -all" if there is no MX, special handling of subdomains with MX records if they point inside our domain and skip them if point outside.... the next thing which is "hackish" -> maintain email-autodiscovery with means DNS records as well as a apache-vhost, if you want to have all that features most working fully automated and just send cron-mails in the style of "i did this and that, below the diff of the config" you need to design much more carefully and invest a lot of more work by carry repsonsiblity in case of changes after you publish it and 3rd parties started to rely on not break their setup *that* responsibility makes it so hard to publish backends because you lose the freedom of "we re-design our infrastructure for whatever reason and add as much hacks as needed temporary in the code for automatic transitions and cleanup later frankly you can test that stuff by make a DB dump, stop the cronjobs while play around with "live-data", re-play whatever you plan and finally -> restore the sql-dump, fire the changes again and start cronjobs ____________________________________________________________________________ "named.conf" is a mix of "template" for most configurations and contains a [panel_records] line which finally is replaced by all the zones to load and if they are slave/master that template exists 4 times LAN master LAN slave WAN master WAN slave the configuration of the cronjob also needs to exist 4 times since it must define master/slave and in case of slave who is the master that's perfect as it is, but makes it less generic for other environments, here the appeal is you can practically write any option you need in the configuration without refelect it in the admin-backend, the webinterface is only used for create a new zone with the most used default records and magage records ____________________________________________________________________________ 'dns_meta': the 'changes'-fields are first fetched by the cronjobs and if the are 0 nothing else is done, 'gui_lock' is set to 1 by start apply changes so if two people work at the same time in a backend (two admins here) no collisions ____________________________________________________________________________ 'dns_zones' is the only relevant data for the cronjobs on the nameservers and contains for the two LAN servers the complete zone-files in 'zone_content_lan' and for the external 'zone_content' the goal here was keep the cronjobs as dumb as possible they don't need access to the records-table and even not the library with the DNS details, they only need to know if and which zone-content to fetch, write out to the zone file, keep the zone-list in "named.conf" recent and reload named in case of changes these zone records are created with the data in 'dns_entries' combined with global defaults applying to all zones, that way you can prepare ip-changes by lower the TTL in a config file and force re-creation of all zones and later raise the TTL basicly 'zone_content' is generated and a static replacement array from the config translates WAN IP's to internal ones since the cisco router don't like access with public IP's from inside or if DNS ALG is active it mangeles DNS traffic ____________________________________________________________________________ 'dns_entrys': well, thats the data you work with in the webinterface and each change re-creates the zone in the database, at that time not touching BIND at all ____________________________________________________________________________ CREATE TABLE `dns_meta` ( `prikey` smallint(4) unsigned NOT NULL AUTO_INCREMENT, `changes_master` tinyint(1) unsigned NOT NULL DEFAULT '0', `changes_slave` tinyint(1) unsigned NOT NULL DEFAULT '0', `gui_lock` tinyint(1) unsigned NOT NULL DEFAULT '0', PRIMARY KEY (`prikey`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_german1_ci ROW_FORMAT=COMPRESSED; CREATE TABLE `dns_zones` ( `zone_id` mediumint(6) unsigned NOT NULL AUTO_INCREMENT, `zone_name` varchar(255) COLLATE latin1_german1_ci NOT NULL, `zone_content` text COLLATE latin1_german1_ci NOT NULL, `zone_content_lan` text COLLATE latin1_german1_ci NOT NULL, `zone_new_master` tinyint(1) unsigned NOT NULL DEFAULT '0', `zone_new_slave` tinyint(1) unsigned NOT NULL DEFAULT '0', `zone_serial` varchar(100) COLLATE latin1_german1_ci NOT NULL, `zone_spf_strict` tinyint(1) unsigned NOT NULL, `zone_client_id` smallint(4) unsigned NOT NULL, `zone_ttl` mediumint(6) unsigned NOT NULL, PRIMARY KEY (`zone_id`), UNIQUE KEY `zone_name` (`zone_name`), KEY `cron_idx` (`zone_new_master`,`zone_new_slave`), KEY `zone_client_id` (`zone_client_id`), KEY `zone_serial` (`zone_serial`), KEY `zone_id` (`zone_id`,`zone_serial`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_german1_ci ROW_FORMAT=COMPRESSED; CREATE TABLE `dns_entrys` ( `entry_id` mediumint(6) unsigned NOT NULL AUTO_INCREMENT, `entry_zone_id` mediumint(6) unsigned NOT NULL DEFAULT '0', `entry_zone_cleartext` varchar(255) COLLATE latin1_german1_ci NOT NULL, `entry_type` varchar(255) COLLATE latin1_german1_ci NOT NULL, `entry_name` varchar(255) COLLATE latin1_german1_ci NOT NULL, `entry_value` varchar(255) COLLATE latin1_german1_ci NOT NULL, `entry_comment` varchar(255) COLLATE latin1_german1_ci NOT NULL, `entry_mac` varchar(18) COLLATE latin1_german1_ci NOT NULL, PRIMARY KEY (`entry_id`), KEY `entry_zone_id` (`entry_zone_id`), KEY `zone_type_idx` (`entry_zone_cleartext`,`entry_type`), KEY `entry_type` (`entry_type`,`entry_value`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_german1_ci ROW_FORMAT=COMPRESSED; Am 01.08.2014 um 18:34 schrieb Victoria Risk: > This recent thread, in which people are describing their scripts and GUI > provisioning systems makes me think we should recruit a few of you who think > you have a sweet provisioning system, to do a WebEX and describe it for > everyone else who is looking for a better system. > > At the RIPE meeting in Poland I saw a GUI front end for updating resource > records that a French university network team had created and a very > impressive system using Ansible to rapidly transform a NSD auth server into a > BIND auth server and back again (including translating zone files). There are > a number of tools and cookbooks out there, if the tool you use is not one you > developed, but it is public domain, open source or otherwise freely available > and you think it is really helpful, it would be useful for others to hear > about that too. > > If you have a reasonably full-featured, effective, free provisioning system > that could be shared and successfully used in another environment, and you > are willing to do a presentation on it (perhaps share an hour slot with one > other person), please email me unicast. If we get any volunteers, we’ll > schedule something and advertise it back here on bind-users. > > Vicky > Product Manager, isc.org > > On Aug 1, 2014, at 9:09 AM, Tony Finch <d...@dotat.at> wrote: > >> Mike Hoskins (michoski) <micho...@cisco.com> wrote: >>> Tony Finch <d...@dotat.at> wrote: >>>> >>>> In our setup, changes made in the database are turned into an nsupdate >>>> script, so we don't need to bounce the name server and we can use >>>> BIND's automatic signing. >>> >>> no argument on nsupdate, but even if you copy files around...you don't >>> need to bounce the nameserver, unless rndc reload is what you mean (when i >>> hear bounce i think stop/start). >> >> Sorry, I was being imprecise. When I said "bounce" I meant any kind of >> config change action that makes named do more work than is necessary to >> change the contents of the zone
library.tar.bz2
Description: application/bzip
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
