understanding DNS Master, Slave, and my current setup

#1 Fri, 07/12/2013 - 00:04


I have server 1, let's say,

and also server 2,

I have a domain name, let's say mywebsite.com.

Now, let's say I would like to have both servers use subdomains from mywebsite.com.

I have set up and got working bind9, and I am using the server as a name server, but would like to have it so that the secondary server can update, and add a simple CNAME value to the master zone.

The reason I want to add a CNAME record to the master zone which currently exists is because server 2 ( has a dynamic IP. We have already set it up using dynamic DNS, and we have server2.mywebsite.com pointing to it.

This way, the secondary server simply needs to add one CNAME value to the master zone on the primary server.

I have been playing with DNS clusters and slaves, master and slave zones, and I am just having a lot of confusion as to how to get this working. Any help would be greatly appreciated! This is the last thing which needs to be set up on our shared hosting platform :( and I do not want to have my employees log in to the primary and add the CNAME by hand.

Fri, 07/12/2013 - 08:04

Secondary BINDs, i.e. if a zone is hosted in slave mode there, can never add records or otherwise modify the zone. That's by definition of a slave: It pulls the zone as-is from the master and serves it.

So if you need your server 2 to dynamically update the zone, because only server 2 knows the IP, you can use a tool like "rndc" to send a remote-zone-update command to the primary server. This is not done by BIND on server 2 then, but independently by the rndc tool, which uses the official "dynamic DNS" protocol. To use rndc, you need to set up the zone as "dynamic" by adding a proper "update" access key on the primary.

Fri, 07/12/2013 - 09:26

Hmm, okay, so you're saying I should disable, on server 2 (, bind9 and the slave DNS node plugin, then maybe go to the server template section and delete from the template any BIND9 configuration on server 2,

then on server 1 ( set up the master zone as dynamic somehow,

and use this command "rndc" to add a CNAME record to the master zone on server 1, from the secondary machine?

Is there somewhere I can make it so that this is done automatically upon virtual host creation? Perhaps a way to make it part of the template?

Will the rndc manual page provide sufficient information for this, or can you recommend or point me in the right direction?

Thank you very much, by the way; I very much anticipate your response.

(At this point, I would almost be willing to PayPal somebody 10 bucks for a quick explanation that leads me to successfully setting this up (deadline is coming up fast) haha)

Fri, 07/12/2013 - 09:36

Just in case there is any confusion: the dynamic DNS has already been set up. All we need to do is point users' subdomains (user.mywebsite.com) to the secondary server, which already has a CNAME record in the master zone (server2.mywebsite.com).

The idea is that server 2 just needs to add a record to server 1, CNAME to CNAME:

user1.mywebsite.com -> CNAME -> server2.mywebsite.com

Anyways, my understanding is that I need to remove all slave DNS functionality and set up the secondary server to use "rndc" within its Server Template to somehow call the command and add the proper record to the primary server.

And for this to work, the master zone needs to be set up as dynamic somehow or other.

Am I getting this process right? Thanks! The reason why I repeated myself was somebody informed me I might not have been clear enough :)

Fri, 07/12/2013 - 12:38

You still might want to use your server 2 as slave nameserver, because usually it's required by the NIC (network information center, domain registry) to have at least two nameservers for a domain.

Setting up a zone as being dynamic simply requires adding an "update key" for it. You can do that in Webmin's BIND module, in the "Edit Zone Options" for the zone in question, after creating the key in "DNS Keys" of the main BIND screen. (DNS keys are referred to by the "Key ID".)

To generate a proper HMAC-MD5 key, see here: http://wiki.debian.org/DDNS#Generate_a_key_for_verification

You can execute rndc on your server 2 automatically upon creation of virtual servers by making an appropriate script and calling it in "Virtualmin Configuration / Actions upon server and user creation".

Sat, 07/13/2013 - 00:45

Okay, so I took your advice and got everything set up to have the secondary node run as a slave name server.

The secondary machine may not have a static IP, but it is running on a Dell PowerEdge and has an uninterruptible power supply, so until my ISP can hook me up with a static IP, it will have to do.

Currently, the secondary server mirrors the primary server's DNS successfully, and is set up as the slave. However, I am still having a problem, which I assume has something to do with this key signing procedure.

The problem now is that, I assume, it is not dynamic. I assume it has something to do with generating a key, and that it has something to do with the old procedure we were talking about here (with rndc?)

Where I'm at is everything is working, but when I make a new subdomain/subserver on the slave and it tries to transfer to the primary server, I am getting this error:

named[14457]: zone subsite.mywebsite.com/IN: refresh: unexpected rcode (NXDOMAIN) from master (source <- (this ip was actually if that matters at all.)

named[485]: client bad zone transfer request: 'subsite.mywebiste.com/IN': non-authoritative zone (NOTAUTH)

The reason I ask is because I am not sure if this command I need to execute still applies when using this setup, and also because I used the rndc link for setting it up and it added an entry to DNS keys. I then copied this to the other machine. If this was what I needed to do... it was already done...

Edit: I have also made sure to add the IP address of server 2 to the allow list from what I can see... pretty much put it everywhere I could find in the bind9 module where the secondary machine would have been concerned... however, I can provide config files if needed...

Thank you very much ahead of time!

Sat, 07/13/2013 - 04:59

You wouldn't have the secondary try to transfer a zone to the primary. If I understood you correctly, all you need to do for new domains on the secondary is add a CNAME to your "mywebsite.com"?

If so, you wouldn't activate the DNS feature for your new domain, but use the "execute script upon creation of new domains" I explained earlier, to run rndc and have it add that CNAME to the primary zone.

The update key doesn't need to be "signed". You just use the dnssec-keygen tool to create an HMAC-MD5 compatible key to be inserted into the zone on your master. Then you just need to set up rndc's config file on the secondary properly to use that key when issuing commands to the master.

Detailed information on how rndc and its config file works you find on its man page: http://linux.die.net/man/8/rndc
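The flow described in the two replies above (an update key on the primary, the zone marked as updatable, and server 2 sending one CNAME per new customer name) as an added example; this is not code from the thread or from Virtualmin. In BIND the RFC 2136 dynamic-update client is nsupdate, while rndc is the control-channel tool on port 953; the address, key name, key file and hmac-sha256 key are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread or Virtualmin): server 2 adds one
# CNAME to the mywebsite.com zone on server 1 with a TSIG key and
# nsupdate (RFC 2136 dynamic update). Address, key name and key file
# are assumed values.
set -eu

PRIMARY=192.0.2.1                # assumed address of server 1
ZONE=mywebsite.com
TARGET=server2.mywebsite.com     # DDNS name that already exists in the zone
KEYFILE=/etc/bind/ddns-server2.key

# Accept one plain DNS label only, so a stray "." or ";" from a hook
# cannot turn the request into an update for a different name.
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Print the nsupdate batch adding <label>.<zone> CNAME <target>.
# "prereq nxdomain" makes the server reject the update instead of
# silently overwriting a name that already exists.
build_update() {
    label=$1
    valid_label "$label" || { echo "bad label: $label" >&2; return 1; }
    printf 'server %s\nzone %s.\n' "$PRIMARY" "$ZONE"
    printf 'prereq nxdomain %s.%s.\n' "$label" "$ZONE"
    printf 'update add %s.%s. 300 IN CNAME %s.\nsend\n' \
        "$label" "$ZONE" "$TARGET"
}

# On server 1 the zone must let this key add CNAMEs (and nothing else)
# for names below the apex; update-policy is narrower than allow-update:
#   key "ddns-server2" { algorithm hmac-sha256; secret "<tsig-keygen output>"; };
#   zone "mywebsite.com" {
#       type master; file "/var/lib/bind/mywebsite.com.hosts";
#       update-policy { grant ddns-server2 zonesub CNAME; };
#   };

# Usage from the Virtualmin post-creation hook: ddns-cname.sh <label>
if [ -n "${1:-}" ]; then
    build_update "$1" | nsupdate -k "$KEYFILE"
fi
```

Run it by hand once with a test label before wiring it into the creation hook, and watch the primary's syslog for the update being accepted or refused.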

Sat, 07/13/2013 - 07:29

Aaarrgghhjh, I spoke too soon.

It seems that I'm still getting a NOTAUTH problem when trying to make any sort of record as a subdomain from my original,

and I assume it must be because I have something set up wrong with the rndc key.

Anyways, I removed my previous message, it was far too long; here is the shortened version:

Before, I was using CNAME because we were using a DDNS server; however, I have set up this system's secondary name server using an IP and am trying to get a static IP, therefore would like a regular master/slave setup, but every time I try to create a zone, whether it's a master, slave, or subdomain of mywebsite.com

I am going to go over all my configuration files and see if the whole key signing thing is set up incorrectly, and I will try to use the information you have provided above to do a regular DNS master/slave setup without that whole CNAME thing...

Correct me if I'm wrong, but is this what I even SHOULD be going for, or was I right the first time with the CNAME setup?

And does this whole NOTAUTH thing usually mean I just have something incorrectly configured?

Maybe I should purge and try again.

Sat, 07/13/2013 - 07:41

Sorry, I can't really follow anymore right now. Where do you get NOTAUTH? Did you get rndc to work? Did you try running it manually in a shell first? You can't have a slave make changes to a zone, as I said.

Can you reiterate in a concise way what your desired setup is now?

Sat, 07/13/2013 - 08:00

I think I figured out the problem.

When I try to telnet to port 953 it's telling me connection refused.

Looks like for some reason it is not running on the machine :S

But it's certainly set up; it looks like the firewall is not running, and I am testing locally so it wouldn't matter if my ISP blocked it or not (I cannot even telnet from inside the LAN :( )

Gonna reboot my machine and fire up bind9, double check my configs..

I'm just so lost lol

Sat, 07/13/2013 - 08:05

You can use "netstat -pln" to verify that bind is listening on that port on the Ethernet interface.

Sat, 07/13/2013 - 08:11

Okay, here we are:

server 1 -> master

server 2 -> slave

server 1 has the domain mywebsite.org

I want both to be able to add subdomains, and their own domains if needed. Everything works fine on the primary server, and things are replicating to the secondary server.

I could give you access or something. I would PayPal you a tip or something afterwards.

Either that, or just point me in the right direction; I can fetch any information you need from the systems.

Sorry for the confusion.

Sat, 07/13/2013 - 08:45

Yah, it shows that it is running on, so I tried to change that to my WAN IP, but then nothing showed in the list ...

Just in case there is a spare process using the port, I'll reboot the server and try again.

I double checked that my ISP does not block the port.

Sat, 07/13/2013 - 09:38

Changing it to and restarting bind should suffice. Check syslog then for possible errors.

Sat, 07/13/2013 - 10:40

Changing to fixed that.

Now when I try a zone transfer from the slave of a newly created domain, I get this:

<<>> DiG 9.8.1-P1 <<>> IN AXFR subdomain.mysite.tld @
;; global options: +cmd
; Transfer failed.

Syslog reports this from the primary server: NOTAUTH, bad zone transfer request: 'subdomain.mysite.tld/IN': non-authoritative zone (NOTAUTH)

Thinking it may have been permissions (they are currently set to root/bind 755), I changed them to bind/bind but got a different error: TSIG

With these typical errors, where should I go from here?

Thank you for your help. I appreciate it. If you are busy and cannot reply for a while, I understand.

Edit: I am attempting to make a new slave zone on the secondary server, which in turn should be replicated back to the master upon creation.

Unsure about how I would go about using rndc from the command line. I checked the manpage, and after trying a few commands I continue to get this:

WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)

Sat, 07/13/2013 - 10:42

Okay, actually I had a rather similar setup on my servers, regarding zones and master/slave, a while back.

There can be only one master server for a zone, and thus for all its sub-zones. Well, actually a sub-zone CAN be a separate zonefile, and be served by a different master, but the master for the zone is queried first, and needs information about the sub-zone (either in form of A / AAAA records, or a nameserver delegation in form of NS records) as well.

So what you could do is: Define your two servers mutually as DNS Slave Servers for each other. Have your parent zone served by server 1 (and slave-replicated to server 2). Create your sub-domains and thus sub-zones on server 2, and have them replicated to server 1.

Therefore server 1 has information about "mywebsite.com" through its master zone and "subdomain.mywebsite.com" through the slave zone. It does not matter to BIND if records for "subdomain.mywebsite.com" are in a separate zonefile, or in the file for "mywebsite.com".

This setting should work, I used it for a while before I switched to a separate slave nameserver for all my Virtualmin hosts. Of course, in this case, you don't need the construct with rndc, that's only for your previous dynamic IP scenario.

If you can't get it to work now, I guess my suggestion would be - if possible - to re-do your Virtualmin hosts and start from scratch. :) I could imagine that you fiddled with the stuff quite a bit meanwhile.
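The mutual layout just described, as an added example that is not the thread's or Virtualmin's configuration: the script prints the named.conf.local zone stanzas each host needs. Addresses, file paths and the shared TSIG key name are assumed, and the key {} definition itself (from tsig-keygen) is expected in a separate file on both hosts.

```shell
#!/bin/sh
# Added example (not the thread's or Virtualmin's configuration):
# server 1 (assumed 192.0.2.1) is primary for mywebsite.com, server 2
# (assumed 192.0.2.2) is primary for the sub-zone it created, and each
# is secondary for the other's zone. Transfers go only to the peer, signed.
set -eu

S1=192.0.2.1
S2=192.0.2.2
XFER_KEY=xfer-key   # same key {} definition (from tsig-keygen) on both hosts

peer_of() { if [ "$1" = "$S1" ]; then echo "$S2"; else echo "$S1"; fi; }

# zone_stanza <zone> <primary-ip> <this-host-ip>
# The primary serves the zone from its own file and notifies the peer;
# the other host pulls it from the primary. A host with no stanza for a
# zone answers AXFR with NOTAUTH, which is the error quoted in the thread.
zone_stanza() {
    zone=$1; primary=$2; me=$3
    if [ "$primary" = "$me" ]; then
        cat <<EOF
zone "$zone" {
    type master;
    file "/var/lib/bind/$zone.hosts";
    allow-transfer { key $XFER_KEY; };
    also-notify { $(peer_of "$me"); };
};
EOF
    else
        cat <<EOF
zone "$zone" {
    type slave;
    masters { $primary key $XFER_KEY; };
    file "/var/lib/bind/$zone.slave";
    allow-transfer { none; };
};
EOF
    fi
}

# host_conf <this-host-ip>: everything one host needs for both zones.
# The server {} block makes this host sign its transfer requests to the peer.
host_conf() {
    printf 'server %s { keys { %s; }; };\n' "$(peer_of "$1")" "$XFER_KEY"
    zone_stanza mywebsite.com "$S1" "$1"
    zone_stanza subdomain.mywebsite.com "$S2" "$1"
}

if [ -n "${1:-}" ]; then host_conf "$1"; fi
```

After loading the fragments, run named-checkconf on each host and confirm with dig that an unsigned AXFR from anywhere other than the peer is refused.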

Sat, 07/13/2013 - 10:43

Yeah, if you'd like to give me your root logins for your two servers, I can take a look at them myself. Please post contact data for an instant messenger of your choice in that case.

Sat, 07/13/2013 - 10:46

I actually tried this earlier, but I might have had something misconfigured while doing so.

I wasn't sure if configuring them both as slaves/masters for each other was proper, and everything seemed to work, but I could not get anything to replicate from the slave to the master no matter what I did.

However, now that you are understanding just where I am at,

I have unloaded everything and have it set up as a simple master -> slave. I will attempt the configuration outlined above, and post back with any messages from syslog or any other problems I may encounter.

If this works, feel free to email me your PayPal address for a tip/donation for your efforts.

Sat, 07/13/2013 - 10:51

Well, can't we just disable/enable DNS to write the configuration for DNS back to each host? There are at least 5-10 sites on the primary server and two on the secondary, all served off one domain, using subdomains.

And that sounds great. What is your preferred IM solution? I have Skype installed, use Facebook, and I think my Skype is connected to an old Hotmail/Live account.

I will private message you with details

if I can figure out how lol...

(my skype is stevenp129)

Sat, 07/13/2013 - 11:20

Configuring two servers mutually as DNS master/slave is all okay, and works well if done correctly. :) Well actually, there's no real rocket science involved, just configure them mutually.

Let me know if you still need instant messenger assistance. My Paypal address is "XXXXX". Let me know when you fetched it, so I can edit it away to prevent spammer harvesting.

Sat, 07/13/2013 - 11:44

Got it.

Edit: sorry, just to be on the safe side I should give you my personal email at which you can contact me, with further details on instant messaging,

in case the DNS server isn't playing nice atm with the original records.

Sat, 07/13/2013 - 11:43

(Edit/bump to your mailbox in case you didn't get the right email.) skype: (removed)

Or just email me at that address; Gmail is much like chat in the way it's presented.
