Creating a nameserver

Nameservers are a key piece of infrastructure for reliability: they can be used to route around bad frontends (see the overview for more details), so it is important that we have a stable and easily updateable nameserver. We have chosen NSD (name server daemon) from NLnet Labs. Most of it can be controlled as the unprivileged paphosting user, but (re)starting the nameserver requires root, because it binds port 53; that single step is delegated to paphosting with a narrow sudo rule. For rebuilding the zone database we use the handy nsdc wrapper.

A1) Using OpenBSD

1. OpenBSD 5.0+ ships NSD in base!

Our config works with OpenBSD 5.5 and beyond (respecting the /var/nsd chroot). The commands below are run as root with /etc as the working directory, so group, rc.conf.local and sudoers are the real system files:
chown -R _nsd:_nsd /var/nsd
chown -R paphosting:_nsd /var/nsd/{etc,zones}
# Slave zones are written by nsd itself (group _nsd), so that directory must be group-writable
chmod 775 /var/nsd/zones/slave
# Add user paphosting to group _nsd: append a comma only if the group already
# has members, then append the user name (no leading comma on an empty list)
sed -e '/^_nsd:\*:[0-9]*:./s/$/,/' \
  -e '/^_nsd:\*:[0-9]*:/s/$/paphosting/' \
  group > group.new && mv group.new group
# Enable nsd at boot
echo "nsd_flags=\"\"" >> rc.conf.local
# Let paphosting (re)start nsd without a password; nothing else is granted
echo "paphosting ALL = NOPASSWD: /etc/rc.d/nsd" >> sudoers
Appending to sudoers skips the syntax check that visudo performs, and a malformed sudoers locks everyone out of sudo, so run visudo -c afterwards (or add the line through visudo instead).
The push script rsyncs the config to /var/nsd/etc/ and the zone files to /var/nsd/zones as user paphosting and then runs nsdc rebuild, which compiles them into /var/nsd/db/nsd.db, the database nsd reads at startup. Finally it calls /usr/local/bin/pap_nsdreload as paphosting to restart or reload the server.
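As an added example (not part of the paphosting scripts), here is a small POSIX shell function that does the group edit above more robustly: it rewrites an /etc/group-style file with awk, so an empty member list gets no leading comma, adding the same user twice is a no-op, and a missing group is reported instead of silently ignored. The file, group and user are parameters; the sample group file it can write for an offline try-out is constructed, not copied from any real system.

```shell
#!/bin/sh
# Added example, not part of the paphosting setup scripts: add a user to a
# secondary group by rewriting an /etc/group-style file (name:passwd:gid:members).
# Compared with "append a comma, then the name", this adds no leading comma
# when the member list is empty, is idempotent, and reports a missing group.
#
# Usage: sh add-to-group.sh FILE GROUP USER   (e.g. /etc/group _nsd paphosting, as root)

# add_to_group FILE GROUP USER
#   returns 0 when FILE lists USER in GROUP afterwards (or already did),
#   1 when GROUP does not exist in FILE (FILE is left untouched).
add_to_group() {
    file=$1 grp=$2 user=$3
    if awk -F: -v OFS=: -v g="$grp" -v u="$user" '
            $1 == g {
                seen = 1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] == u) { print; next }   # already a member
                $4 = ($4 == "") ? u : $4 "," u                            # no leading comma
            }
            { print }
            END { exit !seen }' "$file" > "$file.new"; then
        # Atomic replacement; the new file takes the umask mode, so run with
        # umask 022 when editing /etc/group (expected mode 644).
        mv "$file.new" "$file"
    else
        rm -f "$file.new"; return 1
    fi
}

# group_members FILE GROUP: print the member field of GROUP (empty if none).
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# make_sample_group FILE: write a small constructed OpenBSD-style group file
# (made-up gids; _nsd has no members yet) for trying the function offline.
make_sample_group() {
    printf '%s\n' 'wheel:*:0:root' '_nsd:*:110:' 'staff:*:20:root,alice' > "$1"
}

if [ $# -eq 3 ]; then
    add_to_group "$1" "$2" "$3"
fi
```

Keep a copy of the original /etc/group before running it on a live system, and check the file's ownership and mode afterwards, since the rewritten file is created fresh rather than edited in place.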

A2) Using Ubuntu/Debian

Install nsd:
apt-get install nsd
Create the paphosting nsd config directories and add the paphosting user to the nsd group (closely matching the OpenBSD setup):
usermod -a -G nsd paphosting
mkdir -p /var/nsd /var/nsd/etc /var/nsd/zones
chown -R nsd:nsd /var/nsd/
chown -R paphosting:nsd /var/nsd/{etc,zones}
echo "paphosting ALL = NOPASSWD: /etc/init.d/nsd" >>/etc/sudoers
Appending to /etc/sudoers skips visudo's syntax check, and a broken sudoers locks everyone out of sudo, so run visudo -c afterwards. Then tell the Debian nsd where to find the paphosting nsd configs (this is the nsd3 package's path; the newer nsd package reads /etc/nsd/nsd.conf instead, so check which one your release installed):
cat << EOF >/etc/nsd3/nsd.conf
server:
	hide-version: yes
	zonesdir:     /var/nsd/zones

include: /var/nsd/etc/paphosting/nsd.pap.conf
include: /var/nsd/etc/paphosting/paphosting.master.conf
include: /var/nsd/etc/paphosting/paphosting.slave.conf
EOF

B) Configuring PAPNS

1. Add the machine to config/dns.hosts

On your client, add the hostname (any hostname, IPv4 or IPv6 address to which you can connect on the SSH port) to config/dns.hosts and create its nsd config:
echo $HOSTNAME >> config/dns.hosts
mkdir -p dns/config/${HOSTNAME}
# See other nsd.pap.conf for inspiration
vi dns/config/${HOSTNAME}/nsd.pap.conf
svn commit config/dns.hosts \
  dns/config/${HOSTNAME}/nsd.pap.conf

2. Ensure you can SSH into the machine as paphosting

From your client, SSH into the machine as paphosting. Once there, make sure that the paphosting user can run the NSD init script as root: on OpenBSD, sudo /etc/rc.d/nsd start should work without a password prompt (assuming you have edited rc.conf.local and sudoers as above); on Ubuntu/Debian the script is /etc/init.d/nsd instead. If sudo asks for a password or refuses, fix the sudoers rule before pushing.

3. Force a push of the nsd configs

On your client, try an nsd push and review its output:
scripts/dns-push.sh -v -n
# If this looks good, then:
scripts/dns-push.sh -f

4. Check to make sure it works

You can now use the machine to register zones, assuming of course that you have verified it actually works. Query the SOA of a zone it should already serve directly at the new host; the answer must carry the aa (authoritative answer) flag and the same serial as the master, something like:
dig @${HOSTNAME} SOA paphosting.nl.
host -t SOA paphosting.nl. ${HOSTNAME}
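Here is an added example, not from the paphosting scripts, of how this check can be run for every host in config/dns.hosts at once: it parses dig output for the SOA serial and the aa flag (an answer without aa, for instance one relayed by a resolver, is treated as a failure), takes the expected serial from a reference server that is assumed to be the master, and reports any host that lags or does not answer authoritatively. The zone name paphosting.nl. is the one the page uses; the reference host is a parameter, and the dig output embedded for the offline self-check is constructed.

```shell
#!/bin/sh
# Added example, not part of the paphosting scripts.  Checks that every
# nameserver listed in config/dns.hosts answers authoritatively for a zone
# with the same SOA serial as a reference server (assumed to be the master).
#
# Usage: sh check-ns.sh ZONE REFERENCE_HOST     (e.g. paphosting.nl. master.example)

# soa_serial: read `dig +noall +answer SOA ZONE` output on stdin and print
# the serial, the 7th field of the SOA record (name ttl IN SOA mname rname serial ...).
soa_serial() {
    awk '$4 == "SOA" { print $7; exit }'
}

# is_authoritative: read `dig +noall +comments ...` output on stdin and
# succeed only if the header flags include "aa"; the last flag carries a
# trailing ';' which is stripped before comparison.
is_authoritative() {
    awk '/^;; flags:/ {
             for (i = 3; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "aa") ok = 1 }
         }
         END { exit !ok }'
}

# check_host NS ZONE WANTED_SERIAL: query NS directly and compare.
check_host() {
    ns=$1 zone=$2 want=$3
    out=$(dig "@$ns" +noall +comments +answer +nomultiline SOA "$zone" 2>/dev/null)
    if ! printf '%s\n' "$out" | is_authoritative; then
        echo "FAIL $ns $zone: no authoritative answer"; return 1
    fi
    got=$(printf '%s\n' "$out" | soa_serial)
    if [ "$got" != "$want" ]; then
        echo "FAIL $ns $zone: serial ${got:-none}, expected $want"; return 1
    fi
    echo "ok   $ns $zone: serial $got"
}

# check_all ZONE REF: fetch the serial REF publishes, then check every host
# in config/dns.hosts (blank lines and # comments are skipped).
check_all() {
    zone=$1 ref=$2 rc=0
    want=$(dig "@$ref" +noall +answer +nomultiline SOA "$zone" 2>/dev/null | soa_serial)
    if [ -z "$want" ]; then
        echo "could not read the SOA serial of $zone from $ref" >&2; return 2
    fi
    while read -r h; do
        case $h in ''|'#'*) continue ;; esac
        check_host "$h" "$zone" "$want" || rc=1
    done < config/dns.hosts
    return $rc
}

# Constructed dig output (made-up id, serial and nameserver names) for an
# offline self-check of the two parsers above.
SAMPLE_DIG_OUTPUT=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
paphosting.nl.		3600	IN	SOA	ns.example.net. hostmaster.example.net. 2014010101 7200 3600 1209600 3600'

if [ $# -eq 2 ]; then
    check_all "$1" "$2"
fi
```

Run it from the checkout root (it reads config/dns.hosts relative to the current directory). Comparing the serial against the master rather than just checking for an answer catches the common failure where a host is reachable and authoritative but still serving the zone from before the push.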
EOF :)