October 25th, 2001, 10:53 AM
secondary dns server question
I am wondering if any one out there has a rsync or a rdist script that i can use to keep my secondary dns server upto date with out haveing to do it manualy. the problem i am having is that the rsync script that i have keeps on asking me for a password and becuase fo that i cant run it in a cron job. which sticks. so if anybody has anyother ideas as to how to help me it will be much appricated,
October 26th, 2001, 02:44 AM
If you are not using it over ssh, you can set --password-file=/path/to/passwd rather than setting RSYNC_PASSWORD environment variable (unsafe).
If use over ssh, go to rsync website and search the FAQ. It has been asked and answered.
October 26th, 2001, 05:35 AM
Let me get this clear:
You are using rdist or rsync to update your secondary DNS-server? We're talking DNS here, aren't we?
Standard DNS (bind) provides for replication of DNS-zones by default. No need to use rsync or rdist for that.
October 26th, 2001, 06:03 AM
>> Standard DNS (bind) provides for replication of DNS-zones by default
Perhaps jon_whitcraft is not using the buggy BIND software? BIND is one of the world most insecure software because of its design flaws. In djbdns, you would often use rsync over ssh to do zone transferring, which undoubtedly is far more secure.
October 26th, 2001, 06:37 AM
Yeah, sure, with passwords in clear text in some file
Very strong advice. Bind is as secure as you install it.
October 26th, 2001, 07:08 AM
>> Yeah, sure, with passwords in clear text in some file
I do agree with you on this and don't suggest jon_whitcraft to implement rsync and use without user interaction. There are many scripts out there that can do dns replication automatically though.
>> Very strong advice
I didn't advice it. I was giving the only solution in regard to the insecure way of his practice with rsync. You can argue with the security or design of rsync itself all you want, I am not the author of it. I only suggest to use clear-text password with a strict 400 (-r--------) permission over setting RSYNC_PASSWORD environment.
>> Bind is as secure as you install it
Yes, you can claim it without fact. I respect you as a member but knowledge. BIND had a poor security record, as bad as sendmail and samba, and vulnerability will continue to be discovered, just because of its design flaws. 9.X helps a bit but not much.
In case you have never heard of what djbdns is and its difference. Start here -> http://cr.yp.to/djbdns/notes.html and educate yourself before speaking in public.
October 26th, 2001, 07:24 AM
Yes, I've heard of djbdns before, used it, didn't like it.
I'm not going to start a flamewar because it's as useless as the Linux vs. *BSD discussion.
But the fact remains, that BY DESIGN any DNS-implementation supports zonetransfers through the server, so rsync or rdist shouldn't be needed.
Copying the zonefiles by rdist or rsync is as stupid as copying hosts-files to and fro which was done before DNS was invented.
For instant education: http://rfc.net/rfc1034.html
October 26th, 2001, 07:47 AM
>> BY DESIGN any DNS-implementation supports zonetransfers through the server, so rsync or rdist shouldn't be needed
By design, zone transfers aren't a terribly secure mechanism for replicating DNS data. To compensate this, rsync over ssh should be used instead. Using rsync standalone is not recommended as I said previously. DNS protocol itself by design is not very secure. Fortunately, rsync supports communication over ssh. That said, zone transfer mechanism can't be any secure without some kind of encryption.
I don't question you might not put security as your no#1 concern.
Keep in mind, I have never suggested anyone to use rsync as a standalone.
October 26th, 2001, 09:12 AM
WOW i never though i would get this heated debate going. Here is what i am running. RedHat 7.0 + some updates, Sendmail and Bind 8.
I was told by a friend that works at a local isp that rdist or rsync is the way to do it. so i installed both and cound not get them to work right. so i am gonna go check out that link and see if it helps me.
Thanks again for all the info.
October 26th, 2001, 09:36 AM
A little debate can do no harm. FreeBSD and I don't hate each other, just have different opinions (that is: excluding his last post. With that post I agree )
It's always good to hear other people's opinion.
Hope it helped you a bit, though.