BALUG DNS
The care and feeding of the BALUG DNS server.
The BALUG DNS server should not interfere with other DNS service(s) or other non-BALUG services on the host (and vice versa).
To avoid accidentally shutting down, signaling, etc. the incorrect DNS server, use the proper -balug commands/pathnames/scripts, e.g. for most normal operations one should only need to use:
Along those non-interference regards:
the BALUG DNS server should (generally) only use its designated IP address(es) - see: IP Addresses
it should not listen on other IPs (most notably for DNS)
the one exception so far is that it does listen for control (rndc) connections on a non-default port on 127.0.0.1 - again, do use the appropriate -balug commands to avoid accidentally operating on the incorrect DNS server.
The BALUG DNS server runs using user:group balugdns:balugdns. Note that for security reasons, to the extent feasible (and as appropriate), user balugdns and group balugdns should not have access to alter any content on the host or have any special privileges on the host. Note that it may be permissible for user balugdns or group balugdns to alter some files where that is explicitly desired (e.g. PID files, statistics dump files, cache dump files, slave files). Note also that in general, user balugdns or group balugdns needs read access to master zone files to be served (generally read access on files, and read and "execute" (search) on directories and ancestor directories).
In general, only superuser (UID 0, a.k.a. "root") should be able to alter BALUG DNS files (most notably master zone files). The BALUG DNS (running in chroot environment, with user and group balugdns) should mostly only be able to alter the few exception files (or contents of directories needed to support such), noted above (e.g. PID files, etc.).
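An added example (not part of the original page or BALUG's own tooling): a shell function that checks the least-privilege rule above by listing every path under a DNS tree that the service account could alter outside an explicit allowlist. The root path and the allowed prefixes are assumptions; substitute the real chroot layout.

```shell
#!/bin/sh
# Added example (not BALUG's own script). Lists paths under ROOT that the
# DNS service account could alter, except those under allowed prefixes.
# Usage: audit_writable ROOT UID GID [ALLOWED_PREFIX ...]
#   ROOT            top of the DNS tree, no trailing slash (hypothetical path)
#   UID, GID        numeric or symbolic ids, e.g. balugdns balugdns
#   ALLOWED_PREFIX  paths relative to ROOT where writes are intended
# Prints offending paths relative to ROOT; returns 1 if any were found.
# Assumes no newlines in file names.
audit_writable() {
    root=$1; uid=$2; gid=$3
    shift 3
    found=0
    # Alterable by the account: it owns the path (an owner can always chmod
    # write access back), its group has g+w, or the path is world-writable.
    # Symlinks are skipped; their own mode bits are not used for access checks.
    list=$(find "$root" ! -type l \( -user "$uid" \
        -o \( -group "$gid" -perm -0020 \) -o -perm -0002 \) -print)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ "$path" = "$root" ]; then rel=.; else rel=${path#"$root"/}; fi
        ok=0
        for prefix in "$@"; do
            case $rel in
                "$prefix" | "$prefix"/*) ok=1 ;;
            esac
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$rel"
            found=1
        fi
    done <<EOF
$list
EOF
    return "$found"
}
```

Run as root, an empty listing with exit status 0 means the account can only alter what the allowlist names (PID, dump and slave file locations); it does not check the read access the server needs on master zone files.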
THE PRIMARY PURPOSE FOR THE BALUG DNS SERVER is for serving DNS zones of interest to BALUG and/or any other such hosting BALUG deems appropriate or wishes to do for folks/organizations (e.g. reciprocal or hosted slave services, etc.).
Note that version control (RCS) has been put in place for at least a few key files; it should be appropriately used to track changes and note the reason(s) why change(s) were made. It is also generally advisable to preserve mtimes, e.g.:
# ci -d -l -M file
THE STATE OF BALUG.ORG. DNS
AT LEAST AT THE PRESENT TIME (2007-05-28), PLEASE NOTE THE FOLLOWING:
At least some Internet DNS has been delegated to this DNS server (but not yet balug.org.)
This is subject to change - most current information can probably be found by:
as of 2007-05-26 this host should have complete balug.org. zone data (can't do a zone transfer, but as of 2007-05-26 at least Michael Paoli and Jim Stockford should have the access to review what should be all the data that's in the delegated balug.org. DNS), hence the zone data on this host should be complete (with some additional bits of data such as SOA and TTLs determined via responses to DNS queries); it is possible (but unlikely at this point) that some zone data may be missing.
the various configuration and zone files contain much more relevant detail, including what's noted in the comments.