yadifa DNS master with Hurricane Electric slaves

this explains in short terms how to setup a yadifa DNS server which is backed up by Hurricane Electrics free DNS service.

installing yadifa

yadifa is availabla packaged for some distributions, with slackware you have to install it by compiling it from the script found on SlackBuilds.org.

at the time of writing, SBo is in freeze awaiting the release of Slackware 15. the version available for Slackware 14.2, 2.4.0 is a bit outdated. meanwhile the maintainer sergej has fixed the script for -current and i took the liberty to update this to 2.5.3 in my own repository of slackbuilds.

after you installed yadifa, you have to customize the config of yadifad and yadifa (the control program).


following are sanitized and commented versions of my configuration. yadifas reference manual is excellent, in doubt just look things up there!


this is the configuration of the nameserver daemon.

    allow-control             yadifa-control
    keys-path                 /var/lib/yadifa/zones/keys
    data-path                 /var/lib/yadifa/zones
    log-path                  /var/log/yadifa
    pid-file                  /var/run/yadifa/yadifad.pid
    max-tcp-queries           100
    tcp-query-min-rate        6000
    answer-formerr-packets    yes
    serverid                  ns.example.org # change to the FQDN of your nameserver
    user                      yadifa
    group                     yadifa
    statistics                no
    statistics-max-period     60
    version                   "000"

    # limit access to control functionality to this key (defined further down and ip)
    yadifa-control          key "controller-key";;::1/128 
    # ACL to limit AXFR and IXFR to Hurricane Electric servers
    he-dns        ;2001:470:600::2/128 

# key to secure access to the control functionality
    name            "controller-key"
    algorithm       "hmac-md5"
    secret          "longsecretstring"

    enabled true

# identification string of your nameserver, FQDN should suffice
    ascii "ns.example.org"

    responses-per-second        5
    errors-per-second           5
    slip                        10
    log-only                    off
    ipv4-prefix-length          24
    ipv6-prefix-length          56
    enabled                     yes

# log to syslog, facility "local6" and include PID in logged messages
    syslog                  syslog local6,pid

# just log everything
    database        info,warning,err,crit,alert,emerg    syslog
    server          info,warning,err,crit,alert,emerg    syslog
    system          info,warning,err,crit,alert,emerg    syslog
    zone            info,warning,err,crit,alert,emerg    syslog

# zone to serve, this section can be included multiple times for different zones
    # domain name of the zone
    domain                  example.org

    # zone file
    file                    "masters/example.org.zone"

    # master or slave zone
    type                    "master"

    # allow transfers for this ACL
    allow-transfer          he-dns

    # HE uses two different servers one for transfers (slave.dns.he.net), one
    # to receive notifications (ns1.he.net). this sets up the right target
    # for notifications and disables the default behavior to
    # send it to the servers allowed for transfers. 
    # notify this server about changes

    # disable notifications for servers in the transfer ACL
    notify-auto             false


this is the configuration of the control-client-program

    tsig-key-name "controller-key"

    name            "controller-key"
    algorithm       "hmac-md5"
    secret          "longsecretstring"

zone files

now that the daemon configuration is in place, you can put the zone data into /var/lib/yadifa/zones/masters/example.org.zone. how to write a zone file is left as excercise to the reader :^)

afterwards the daemon can be started (on slackware) with /etc/rc.d/rc.yadifad start. don't forget to put it into rc.local and rc.local.shutdown to have it start/stop on system boot and shutdown.

Hurricane Electric setup

if you are a HE IPv6 certification holder or have a tunnelbroker account, you can also use HEs free DNS service.

before you can add replication to Hurricane Slectric servers, you have to setup a few things:

if you've done this and changes have applied everywhere, log into the DNS service and choose "Add a new slave". in the following form insert your domain name and your nameserver as master. if you have further restricted transfers with a key, also insert that. after you click on "Add Slave!" a few sanity checks will be performed and your slave zone is added (it might take a few minutes for the initial transfer to happen).