#1 PHP Coder (jon_whitcraft)

    secondary dns server question


    I am wondering if anyone out there has an rsync or rdist script that I can use to keep my secondary DNS server up to date without having to do it manually. The problem I am having is that the rsync script I have keeps asking me for a password, and because of that I can't run it in a cron job, which stinks. So if anybody has any other ideas as to how to help me, it will be much appreciated.
    Jon Whitcraft
    Web Applications Developer :: Zend Certified Engineer
    http://www.indianapolismotorspeedway.com/

    Originally said by Tyler Durden
    Our fathers were our models for God. If our fathers bailed, what does that tell you about God? Listen to me. You have to consider the possibility that God does not like you. He never wanted you. In all probability, he hates you. It's not the worst thing that can happen to you. We don't need him. **** damnation, man. **** redemption. We are God's unwanted children, SO BE IT! First you have to give up. First, you have to know, not fear, that someday, you're gonna die. It's only after we've lost everything that we're free to do anything.
#2 Contributing User (freebsd)

    If you are not using it over ssh, you can set --password-file=/path/to/passwd rather than setting the RSYNC_PASSWORD environment variable (unsafe).

    If you use it over ssh, go to the rsync website and search the FAQ. It has been asked and answered.
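The two non-interactive setups freebsd mentions (a dedicated ssh key, or an rsync daemon with --password-file instead of RSYNC_PASSWORD), written out as an added example that is not code from the thread or from rsync's own FAQ. The host name ns2.example.com, the account zonepush, the key and password-file paths and the zone directory are assumptions; rrsync is assumed to be installed on the secondary (it ships with rsync).

```sh
#!/bin/sh
# Added example, not from the thread: a cron-safe push of zone files to a
# secondary with rsync. Host, account and paths below are assumptions.
ZONE_DIR="${ZONE_DIR:-/var/named/zones/}"          # assumed master zone directory
SECONDARY="${SECONDARY:-ns2.example.com}"           # assumed secondary name server
PUSH_USER="${PUSH_USER:-zonepush}"                  # assumed unprivileged account on ns2
KEY_FILE="${KEY_FILE:-/etc/rsync-zones/ns2_key}"    # assumed dedicated ssh private key
PASS_FILE="${PASS_FILE:-/etc/rsync-zones/ns2.pw}"   # assumed rsync daemon password file

# secret_is_private FILE: succeed only if FILE is a regular file with no
# group or other permission bits. rsync itself refuses an other-readable
# --password-file; the same rule is applied here to the ssh key.
secret_is_private() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# ssh_push_cmd: rsync over ssh with a dedicated key. BatchMode=yes makes ssh
# fail instead of prompting when the key is rejected, so the cron job never
# hangs waiting for a password. The remote path "/" is relative to the
# directory rrsync restricts the key to (see authorized_keys_line).
ssh_push_cmd() {
    printf '%s' "rsync -az --delete -e 'ssh -i $KEY_FILE -o BatchMode=yes' $ZONE_DIR $PUSH_USER@$SECONDARY:/"
}

# daemon_push_cmd: push to an rsync daemon module (no ssh, nothing encrypted
# on the wire). The secret is read from --password-file rather than from
# RSYNC_PASSWORD, which sits in the process environment and leaks more
# easily (process listings, debug output, cron mail).
daemon_push_cmd() {
    printf '%s' "rsync -az --delete --password-file=$PASS_FILE $ZONE_DIR $PUSH_USER@$SECONDARY::zones/"
}

# authorized_keys_line PUBKEY: the line to install in the zonepush account's
# ~/.ssh/authorized_keys on the secondary. rrsync forces the key to rsync
# into ZONE_DIR only; the no-* options remove everything else a stolen key
# could be used for (shell, tunnels, agent and X11 forwarding).
authorized_keys_line() {
    printf 'command="rrsync %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$ZONE_DIR" "$1"
}

# Entry point for cron, e.g.   */15 * * * * /usr/local/sbin/push-zones.sh ssh
# Nothing runs when the script is invoked without an argument.
case "${1:-}" in
    ssh)
        secret_is_private "$KEY_FILE" || { echo "refusing: $KEY_FILE must be mode 0600 or 0400" >&2; exit 1; }
        eval "$(ssh_push_cmd)"
        ;;
    daemon)
        secret_is_private "$PASS_FILE" || { echo "refusing: $PASS_FILE must be mode 0600 or 0400" >&2; exit 1; }
        eval "$(daemon_push_cmd)"
        ;;
esac
```

Generate the key once with `ssh-keygen -t ed25519 -N '' -f /etc/rsync-zones/ns2_key` (an empty passphrase is what makes it usable from cron, which is exactly why the key must be mode 0600 and restricted to a forced command on the far side), then install `authorized_keys_line "$(cat /etc/rsync-zones/ns2_key.pub)"` on ns2. Note that the copied files are only useful if the secondary is configured to load them as its own master data; BIND's normal slave mode pulls zones by transfer instead, as discussed further down the thread.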
#3 Junior Member (Peter)

    Let me get this clear:

    You are using rdist or rsync to update your secondary DNS server? We're talking DNS here, aren't we?

    Standard DNS (BIND) provides for replication of DNS zones by default. No need to use rsync or rdist for that.

    Peter
#4 Contributing User (freebsd)

    >> Standard DNS (bind) provides for replication of DNS-zones by default

    Perhaps jon_whitcraft is not using the buggy BIND software? BIND is one of the world's most insecure pieces of software because of its design flaws. In djbdns, you would often use rsync over ssh to do zone transfers, which is undoubtedly far more secure.
#5 Junior Member (Peter)

    Originally posted by freebsd
    >> Standard DNS (bind) provides for replication of DNS-zones by default

    Perhaps jon_whitcraft is not using the buggy BIND software? BIND is one of the world's most insecure pieces of software because of its design flaws. In djbdns, you would often use rsync over ssh to do zone transfers, which is undoubtedly far more secure.
    Yeah, sure, with passwords in clear text in some file.

    Very strong advice. BIND is as secure as you install it.
#6 Contributing User (freebsd)

    >> Yeah, sure, with passwords in clear text in some file

    I do agree with you on this and don't suggest that jon_whitcraft implement rsync and use it without user interaction. There are many scripts out there that can do DNS replication automatically, though.

    >> Very strong advice

    I didn't advise it. I was giving the only solution in regard to the insecure way of his practice with rsync. You can argue with the security or design of rsync itself all you want; I am not the author of it. I only suggest using a clear-text password file with strict 400 (-r--------) permissions over setting the RSYNC_PASSWORD environment variable.

    >> Bind is as secure as you install it

    Yes, you can claim it without facts. I respect you as a member, but not your knowledge. BIND has had a poor security record, as bad as sendmail and samba, and vulnerabilities will continue to be discovered, just because of its design flaws. 9.x helps a bit, but not much.
    In case you have never heard of what djbdns is and how it differs, start here -> http://cr.yp.to/djbdns/notes.html and educate yourself before speaking in public.
#7 Junior Member (Peter)

    >> Yes, you can claim it without facts. I respect you as a member, but not your knowledge. BIND has had a poor security record, as bad as sendmail and samba, and vulnerabilities will continue to be discovered, just because of its design flaws. 9.x helps a bit, but not much.
    >> In case you have never heard of what djbdns is and how it differs, start here -> http://cr.yp.to/djbdns/notes.html and educate yourself before speaking in public.

    Yes, I've heard of djbdns before, used it, didn't like it.

    I'm not going to start a flamewar because it's as useless as the Linux vs. *BSD discussion.

    But the fact remains that BY DESIGN any DNS implementation supports zone transfers through the server, so rsync or rdist shouldn't be needed.

    From RFC 1034:
    The general model of automatic zone transfer or refreshing is that one
    of the name servers is the master or primary for the zone. Changes are
    coordinated at the primary, typically by editing a master file for the
    zone. After editing, the administrator signals the master server to
    load the new zone. The other non-master or secondary servers for the
    zone periodically check for changes (at a selectable interval) and
    obtain new zone copies when changes have been made.
    Copying the zone files by rdist or rsync is as stupid as copying hosts files to and fro, which was done before DNS was invented.

    For instant education: http://rfc.net/rfc1034.html
#8 Contributing User (freebsd)

    >> BY DESIGN any DNS-implementation supports zonetransfers through the server, so rsync or rdist shouldn't be needed

    By design, zone transfers aren't a terribly secure mechanism for replicating DNS data. To compensate for this, rsync over ssh should be used instead. Using rsync standalone is not recommended, as I said previously. The DNS protocol itself, by design, is not very secure. Fortunately, rsync supports communication over ssh. That said, the zone transfer mechanism can't be secure without some kind of encryption.

    I don't question that you might not put security as your no. 1 concern.

    Keep in mind, I have never suggested that anyone use rsync standalone.
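The BIND replication Peter describes in #7 (primary loads the zone, secondaries pull it by transfer and are notified of changes), written out as an added example that is not from the thread; it also addresses the point freebsd raises in #8, since the transfer is restricted to a TSIG key, which authenticates the peer and protects the integrity of each transfer (TSIG does not encrypt the zone data on the wire). The syntax is BIND 9 named.conf; the addresses 192.0.2.1/192.0.2.2, the zone example.com, the key name and the file paths are assumptions, and the secret is whatever `tsig-keygen ns1-ns2.` (or `ddns-confgen -q` on older BIND 9) prints.

```conf
// ns1 (primary) named.conf, added example, not from the thread
key "ns1-ns2." {
    algorithm hmac-sha256;
    secret "<base64 secret printed by tsig-keygen ns1-ns2.>";  // identical on both servers
};
server 192.0.2.2 { keys { "ns1-ns2."; }; };   // sign everything sent to ns2 (NOTIFY included)
zone "example.com" {
    type master;
    file "zones/example.com.db";
    allow-transfer { key "ns1-ns2."; };       // AXFR/IXFR only with a valid TSIG, no IP-based ACL
    notify yes;
    also-notify { 192.0.2.2; };               // push a NOTIFY as soon as the zone is reloaded
};

// ns2 (secondary) named.conf
key "ns1-ns2." {
    algorithm hmac-sha256;
    secret "<same base64 secret>";
};
server 192.0.2.1 { keys { "ns1-ns2."; }; };   // sign the transfer request to ns1
zone "example.com" {
    type slave;
    masters { 192.0.2.1 key "ns1-ns2."; };    // pull from ns1, signed with the shared key
    file "zones/example.com.db";              // local copy, written by named itself
    allow-transfer { none; };                 // ns2 is not a transfer source for anyone
    allow-notify { 192.0.2.1; };              // accept NOTIFY from the primary only
};
```

To check the restriction from an outside host, `dig @192.0.2.1 example.com AXFR` should be answered with REFUSED, while `dig @192.0.2.1 example.com AXFR -y hmac-sha256:ns1-ns2.:SECRET` should return the zone. After editing the zone file on ns1, bump the SOA serial and run `rndc reload example.com`; the NOTIFY then makes ns2 refresh within seconds instead of waiting for the SOA refresh interval. BIND 8, which Jon runs, uses `ndc` instead of `rndc` and only supports TSIG with hmac-md5, so the key block would need that algorithm there.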
#9 PHP Coder (jon_whitcraft)

    WOW, I never thought I would get this heated a debate going. Here is what I am running: RedHat 7.0 + some updates, Sendmail and BIND 8.

    I was told by a friend who works at a local ISP that rdist or rsync is the way to do it, so I installed both and could not get them to work right. So I am gonna go check out that link and see if it helps me.

    Thanks again for all the info.
#10 Junior Member (Peter)

    >> WOW, I never thought I would get this heated a debate going.

    A little debate can do no harm. FreeBSD and I don't hate each other, we just have different opinions (that is, excluding his last post; with that post I agree).

    It's always good to hear other people's opinion.

    Hope it helped you a bit, though.
