The Network People Support Forums

Other TNPI Software => NicTool => Topic started by: LogicX on December 14, 2004, 11:32:35 AM

Title: NicTool Synopsis
Post by: LogicX on December 14, 2004, 11:32:35 AM
After spending a few weeks working with NicTool, getting it all set up, and reading through far more of the code than I ever had desire to, I'd like to make a large general post about my setup, my feelings toward NicTool and djbdns, and notes for what to look out for in your setup.

Background

I've previously only used BIND 8.4.x, manually modifying named.conf on primary and secondary servers, manually creating zone files on primary, and using TSIG keys to replicate changes to the secondaries.  Approaching nearly 300 zones, things were getting out of control.

Scope of Setup

I now have a NicTool network consisting of 4 Servers:


Limitations


Patches/Fixes

The Future

I'd like to find or code the following addons:

Conclusion

I now have a very nice, working DNS setup where I don't have to worry about secondaries being out of sync, or there being much replication time. (with the time set to 120 seconds, and md5 comparisons enabled)
djbdns seems to strive to be a very simplistic DNS daemon.  Minimal frills, privilege separation, and task separation. (even TCP and UDP requests are handled by separate daemons).

The amount of time that this current setup will save me was well worth the time to get it set up.  Also the perspective I now have of all zones, especially with the description field, is priceless.

I think that NicTool has extreme potential to change the world of DNS, albeit with some improvements in documentation and implementation guides.  I encourage anyone who installs it to contribute back some suggestions, patches, or documentation, as the original developers have obviously put a lot of hard work into making NicTool very usable, and universal.
Title: Re: NicTool Synopsis
Post by: mike_tcis on December 14, 2004, 01:16:37 PM
A few additions to your excellent synopsis:

- If installing on FreeBSD via ports, you must have Apache2 and MySQL installed prior to installing the Perl modules (probably obvious, but it's good to document every step anyway)

- Install mod_perl2 from ports prior to installing p5-Apache-DBI

- When installing p5-Apache-DBI, you'll need to use:

make install WITH_MODPERL2=YES

..otherwise it looks for mod_perl and fails.

--Mike
Title: Re: NicTool Synopsis
Post by: matt on December 14, 2004, 04:26:43 PM
Excellent job Mike, very nice work.  I'll add a link to this post from the nictool.com install pages.  I have also rated the topic highly, but I'm not sure what that affects.

Matt
Title: tinydns security concern
Post by: LogicX on March 22, 2005, 06:24:19 PM
I just realized that the chown -R command I instruct to be run on /usr/local/tinydns-ns.domain.com is creating a security vulnerability.

Because the /usr/local/tinydns-ns.domain.com/run file is then owned by bind, and not root, if tinydns were compromised the run file could host any number of commands which would then run as root the next time supervise executes it.

The run file should be owned by root:wheel so that it cannot be modified by an unprivileged user.

I'll update the main instructions.
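A quick audit for the ownership problem described above, as an added shell example that is not from the original thread: it checks that a supervise service directory's run file (and the directory itself, since chown -R touches both) is owned by root and not group- or world-writable. The service path in the usage comment is only illustrative.

```shell
#!/bin/sh
# Audit a daemontools/supervise service directory: the run script must be
# owned by root and must not be writable by the unprivileged service account,
# otherwise a compromised daemon could edit it and supervise would execute
# the changes as root on the next restart.
# Usage: check_run_file SERVICE_DIR [EXPECTED_OWNER]   (owner defaults to root)
# Returns 0 when the run file is safe, 1 otherwise; findings go to stderr.
# Example: check_run_file /usr/local/tinydns-ns.domain.com

check_run_file() {
    dir=$1
    want=${2:-root}
    run="$dir/run"
    rc=0
    if [ ! -f "$run" ]; then
        echo "$run: missing" >&2
        return 1
    fi
    # ls -ld output is the same on FreeBSD and Linux; stat(1) flags differ.
    perms=$(ls -ld "$run" | awk '{print $1}')
    owner=$(ls -ld "$run" | awk '{print $3}')
    if [ "$owner" != "$want" ]; then
        echo "$run: owned by $owner, expected $want" >&2
        rc=1
    fi
    # In the mode string, character 6 is group write and character 9 is other write.
    case "$(printf '%s' "$perms" | cut -c6)" in w) echo "$run: group-writable" >&2; rc=1;; esac
    case "$(printf '%s' "$perms" | cut -c9)" in w) echo "$run: world-writable" >&2; rc=1;; esac
    # The directory must not be writable either, or run could simply be replaced.
    dperms=$(ls -ld "$dir" | awk '{print $1}')
    case "$(printf '%s' "$dperms" | cut -c6)" in w) echo "$dir: group-writable" >&2; rc=1;; esac
    case "$(printf '%s' "$dperms" | cut -c9)" in w) echo "$dir: world-writable" >&2; rc=1;; esac
    return $rc
}
```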
Title: Re: NicTool Synopsis
Post by: rainer_d on June 15, 2005, 04:47:58 AM
I have a question about the various directories involved.

In the GUI, I have to enter a path for the data-directory of the nameserver.
Then, this article talks about creating a special tinydns-user.

The install.pl script requires a directory, too.

So, which one is which? And what permissions do I need exactly?

I've used

tinydns-conf bind bin /usr/local/tinydns-bla ...
(and used that service's data-directory as data-directory in the GUI-dialog)

and a separate tinydns user with $HOME /usr/home/tinydns.

I assume the data-directory in /usr/local/tinydns-bla.. needs to be writable by the tinydns user (not "bind").
And the "directory" for the install.pl-script is ~tinydns/bla?


I've run
./install.pl /usr/home/tinydns/dns-1 3 tinydns bin localhost nictool nictool PASSWORD mysql -r md5 -force -noserials -buildcdb

and got:

print() on closed filehandle O at ./install.pl line 62, <F> line 1.
print() on closed filehandle O at ./install.pl line 62, <F> line 2.
cannot create /usr/home/tinydns/dns-1/env/NT_DB_HOST_NAME: No such file or directory
cannot create /usr/home/tinydns/dns-1/env/NT_DB_NAME: No such file or directory
cannot create /usr/home/tinydns/dns-1/env/NT_DB_PASSWORD: No such file or directory
cannot create /usr/home/tinydns/dns-1/env/NT_DB_TYPE: No such file or directory
cannot create /usr/home/tinydns/dns-1/env/NT_DB_USER_NAME: No such file or directory
chown: /usr/home/tinydns/dns-1/log/status: No such file or directory
chown: /usr/home/tinydns/dns-1/log/main: No such file or directory


Any ideas?

Rainer
Title: Re: NicTool Synopsis
Post by: rainer_d on June 15, 2005, 08:48:13 AM
rainer_d wrote on Wed, 15 June 2005 12:47

I have a question about the various directories involved.

In the GUI, I have to enter a path for the data-directory of the nameserver.
Then, this article talks about creating a special tinydns-user.
OK, I got it working, sort of.
The install.pl script had a little error (for me) in that it said:
system("cp -rf sample $dir");

but it seems to be better to say
system("cp -rf sample/* $dir");


After that, it copies all the directories and lets me run the synchronisation process.


Rainer