2.4. Secondary Master
Once a Primary Master has been configured, a Secondary Master is needed to keep the domain available should the Primary become unavailable. The Secondary obtains its copy of each zone from the Primary by zone transfer (AXFR/IXFR), so the setup has two halves: permitting the transfer on the Primary, and declaring the zones as slaves on the Secondary.
First, on the Primary Master server, the zone transfer needs to be allowed. Add the allow-transfer option to the example Forward and Reverse zone definitions in /etc/bind/named.conf.local. Listing only the Secondary's address matters: any client that is permitted to transfer a zone receives a complete copy of it, which is the classic way to enumerate every host in a domain.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.1.11; };
};
Replace 192.168.1.11 with the IP address of your Secondary nameserver; if you run more than one Secondary, list each address inside the braces, separated by semicolons.
Restart BIND9 on the Primary Master:
sudo systemctl restart bind9.service
Next, on the Secondary Master, install the bind9 package the same way as on the Primary. Then edit /etc/bind/named.conf.local and add the following declarations for the Forward and Reverse zones:
zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 192.168.1.10; };
};

zone "1.168.192.in-addr.arpa" {
    type slave;
    file "db.192";
    masters { 192.168.1.10; };
};
Replace 192.168.1.10 with the IP Address of your Primary nameserver.
Restart BIND9 on the Secondary Master:
sudo systemctl restart bind9.service
In /var/log/syslog on the Secondary you should see something similar to the following (some lines have been split to fit the format of this document):
client 192.168.1.10#39448: received notify for zone '1.168.192.in-addr.arpa'
zone 1.168.192.in-addr.arpa/IN: Transfer started.
transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.10#53: connected using 192.168.1.11#37531
zone 1.168.192.in-addr.arpa/IN: transferred serial 5
transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.10#53: Transfer completed: 1 messages,
    6 records, 212 bytes, 0.002 secs (106000 bytes/sec)
zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 5)
client 192.168.1.10#20329: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 192.168.1.10#53: connected using 192.168.1.11#38577
zone example.com/IN: transferred serial 5
transfer of 'example.com/IN' from 192.168.1.10#53: Transfer completed: 1 messages,
    8 records, 225 bytes, 0.002 secs (112500 bytes/sec)
Note: A zone is only transferred if the Serial Number on the Primary is larger than the one on the Secondary (compared with the wraparound-aware serial arithmetic of RFC 1982), so increment the serial in the zone file every time you change it; otherwise the Secondary keeps serving stale data, and even its periodic SOA refresh finds nothing new to fetch. By default BIND sends NOTIFY messages to every server listed in the zone's NS records (other than the Primary itself), so a Secondary that appears there learns about changes without further configuration. To notify additional servers, for example a Secondary that is not published in the NS records, add also-notify { ipaddress; }; to the zone definitions in /etc/bind/named.conf.local as shown in the example below:
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.11; };
    also-notify { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.1.11; };
    also-notify { 192.168.1.11; };
};
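The following script is an added example for checking the result of the procedure above from the command line; it is not part of the Ubuntu guide or of BIND. For each zone it compares the SOA serial answered by the Primary and by the Secondary, using the same RFC 1982 serial arithmetic that BIND applies when deciding whether a transfer is needed (so a serial that has wrapped past 2^32-1 is still judged correctly), and it checks that a full zone transfer is refused from a host that is not listed in allow-transfer. The addresses and zone names are the ones used in this section and are assumptions for your environment; dig (from the dnsutils / bind9-dnsutils package) is needed for the live checks, which run only when the script is invoked with the argument run.

```shell
#!/usr/bin/env bash
# check_secondary.sh - added example for verifying a BIND9 Primary/Secondary pair.
# Not part of the Ubuntu guide. Addresses and zones below are assumptions; override
# them through the environment, e.g.  PRIMARY=10.0.0.1 ./check_secondary.sh run
set -eu

PRIMARY="${PRIMARY:-192.168.1.10}"
SECONDARY="${SECONDARY:-192.168.1.11}"
ZONES="${ZONES:-example.com 1.168.192.in-addr.arpa}"

# Extract the serial (third field) from a `dig +short SOA` answer such as
#   ns.example.com. root.example.com. 5 604800 86400 2419200 604800
# Fails (returns 1) on an empty or malformed answer, e.g. when the server is down.
soa_serial() {
    # shellcheck disable=SC2086
    set -- $1
    [ $# -ge 3 ] || return 1
    case $3 in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$3"
}

# RFC 1982 serial-number arithmetic: succeed when serial $1 is newer than $2.
# Plain integer comparison breaks once a serial wraps past 2^32-1; BIND uses
# this comparison to decide whether the Secondary needs a transfer at all.
serial_newer() {
    local d
    d=$(( ($1 - $2 + 4294967296) % 4294967296 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# Compare the serial served by the Primary and the Secondary for one zone.
# Prints a verdict and succeeds only when both answer the same serial.
compare_zone() {
    local zone=$1 p s
    p=$(soa_serial "$(dig +short +time=3 +tries=1 SOA "$zone" @"$PRIMARY")") \
        || { echo "no SOA answer from primary $PRIMARY"; return 1; }
    s=$(soa_serial "$(dig +short +time=3 +tries=1 SOA "$zone" @"$SECONDARY")") \
        || { echo "no SOA answer from secondary $SECONDARY"; return 1; }
    if [ "$p" = "$s" ]; then
        echo "in sync (serial $p)"
    elif serial_newer "$p" "$s"; then
        echo "secondary behind (primary $p, secondary $s): check notify, allow-transfer and syslog"
        return 1
    else
        echo "secondary AHEAD (primary $p, secondary $s): was the serial lowered on the primary?"
        return 1
    fi
}

# A full zone transfer must be refused from an address not listed in
# allow-transfer, so run this from a host that is NOT the Secondary. dig reports
# a refused AXFR with a "Transfer failed." line. Returns 0 when refused, 2 when
# the Primary could not be reached, 1 when records were actually handed out.
axfr_refused() {
    local out
    out=$(dig +time=3 +tries=1 "$1" @"$PRIMARY" AXFR 2>&1) || true
    case $out in
        *'Transfer failed'*)             return 0 ;;
        *'no servers could be reached'*) return 2 ;;
        *)                               return 1 ;;
    esac
}

main() {
    local rc=0 z verdict r
    for z in $ZONES; do
        verdict=$(compare_zone "$z") || rc=1
        printf '%-26s serial: %s\n' "$z" "$verdict"
        axfr_refused "$z" && r=0 || r=$?
        case $r in
            0) printf '%-26s AXFR:   refused from this host (good)\n' "$z" ;;
            2) printf '%-26s AXFR:   primary unreachable, cannot tell\n' "$z"; rc=1 ;;
            *) printf '%-26s AXFR:   ALLOWED from this host, tighten allow-transfer\n' "$z"; rc=1 ;;
        esac
    done
    return $rc
}

# Live checks only on explicit request, so the functions above can be sourced
# or tested without network access.
case "${1:-}" in
    run) main ;;
esac
```

Run it as `./check_secondary.sh run` from a workstation that is not the Secondary: the serial comparison tells you whether the transfer actually happened, and the AXFR check confirms that the allow-transfer list is doing its job. A "secondary behind" verdict right after a change usually means the serial was not incremented or the NOTIFY did not arrive; "secondary AHEAD" means the serial on the Primary was set backwards, in which case the Secondary will ignore the Primary until the Primary's serial overtakes it again.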
The slave zone definitions above use relative file names; BIND resolves these against the directory option in /etc/bind/named.conf.options, which on Ubuntu is /var/cache/bind/, the default directory for non-authoritative zone files. This directory is also configured in AppArmor to allow the named daemon to write to it, whereas /etc/bind/ is readable but not writable by named under the default profile, so do not point slave zones at /etc/bind/. For more information on AppArmor see Section 4, “AppArmor” [p. 194].