From fea960a52a06194809b831f96259c56e72eb542b Mon Sep 17 00:00:00 2001 From: Jeffrey Forman Date: Mon, 7 Jan 2013 21:03:43 -0500 Subject: [PATCH 1/2] Major documentation update on readme. Provide examples and workflow for getting binder running. --- README.markdown | 80 ++++++++++++++++++++++++++++++++++--------------- 1 file changed, 56 insertions(+), 24 deletions(-) diff --git a/README.markdown b/README.markdown index d9239b4..332f4d3 100644 --- a/README.markdown +++ b/README.markdown 
@@ -1,37 +1,73 @@ # Binder # -Home: -A Django web application for viewing and editing your BIND DNS zones. +A Django web application for viewing and editing BIND DNS zone records. + +Binder supports adding and deleting DNS records (and eventually editing in place). TSIG-authenticated transfers and updates are supported. ## Requirements ## Packages: * [Django](http://www.djangoproject.com) -* Python - * [python-beautifulsoup](http://www.crummy.com/software/BeautifulSoup/) - * [python-dnspython](http://www.dnspython.org/) - * python-sqlite (if you will be using sqlite during development) -* [Bind DNS Server](http://www.isc.org/software/bind). At least version 9.5.x, which is needed for gathering remote statistics. +* Python Modules + * [python-beautifulsoup](http://www.crummy.com/software/BeautifulSoup/) + * [python-dnspython](http://www.dnspython.org/) + * [python-sqlite](http://docs.python.org/2/library/sqlite3.html) (If you will be using Sqlite for server and key storage) +* [Bind DNS Server](http://www.isc.org/software/bind). At least version 9.5.x, which provides instrumentation for gathering process and zone statistics remotely. ## Installation & Configuration ## +The Binder repository is housed in a [Github](http://github.com/jforman/binder) repository. The repo containts all the Django code and example configuration data for running Binder both in development and production. + +To verify that required and optional dependencies are installed, execute [check-dependencies.py](https://github.com/jforman/binder/blob/master/check-dependencies.py). This script checks that various Python modules will import correctly. + +Binder is intended to be installed into the /opt directory in /opt/binder. Forthcoming deb packages will provide for this easy installation and upgrades. 
+ +Provided under the config directory are various example configurations for runing Binder: + +config/ + +* binder-apache.conf.dist: Name-based virtual host configuration for running Binder under Apache. +* django.wsgi: WSGI configuration file called by Apache to run Binder. +* binder-nginx.conf.dist: Name-based virtual host configuration for running Binder under Nginx using fcgi. +* binder-upstart.conf.dist: Ubuntu Upstart configuration file for starting Binder upon machine startup. + +binder/ + +* local_settings.py: Local settings called by Binder templates for TTL choices, record types handled, etc. + +The development server is run as most Django dev servers are run. + + /opt/binder/manage.py syncdb + /opt/binder/manage.py runserver + +Once you have the Django server up and running, you will want to configure at least one BIND server in the Django Admin app. This includes a hostname, TCP statistics port and a default TSIG transfer key to be used when doing AXFR actions (if necessary). + +Keys should also be created, if needed. The name of the key should match the contents of the below noted key file. Along side the name, key data and type should also be specified. + +Once these two pieces of configuration are done, open up [http://yourserver:port/](http://yourserver:port) to access Binder and begin DNS zone management. + ### BIND Name Servers ### -In each of the BIND servers you wish to be able to query, the following stanza will be needed in your named.conf: -This tells BIND to publish statistics on all interfaces on tcp port 853. There is a simple ACL allowing localhost and the noted subnet, 10.10.0.0/24, to access statistics. This can be verified by querying your DNS server with your perferred web browser at [http://dnsserver:853](http://dnsserver:853/) +When Binder accesses your BIND DNS server, it first queries the statistics port to gather various zone information. This data includes zone name, view, and serial number. 
This is all configured by some of the following configuration examples. -In each zone specification, you will need to determine how locked down you want zone updates and transfer to be. +#### Key Configuration #### + +##### named.conf ##### + +We must provide server statistics from the BIND process itself. This allows Binder to query BIND itself and get a list of zones, views, and other statistics. + + statistics-channels { + inet * port 8053 allow { 10.10.0.0/24; }; + }; + +This tells bind to start an HTTP server on port 8053 on all interfaces, allowing 10.10.0.0/24 to make requests on this interface, http://${bind_server}:8053/. You will most likely want to narrow down the subset of hosts or subnets that can query BIND for this data. This data can be viewed via your choice of Browser, or read by your favorite programming language and progamatically processed by your choice of XML library. include "/etc/bind/dynzone.key"; - statistics-channels { - inet * port 853 allow { 10.10.0.0/24; }; - }; +This tells Bind to load a TSIG key from dynzone.key that can be referenced later in named.conf. - controls { - inet * port 953 allow { 10.10.0.0/24; } keys { dynzone-key; }; - }; +Moving on to zone declaration, determine how locked down you want zone updates and transfers to be. The following zone is defined to allow all zone transfers, but restrict updates to those provided with the dynzone-key TSIG key. zone "dynzone.yourdomain.org" IN { type master; 
@@ -39,17 +75,13 @@ In each zone specification, you will need to determine how locked down you want allow-update { key dynzone-key; }; }; -Where /etc/bind/test.key: +##### /etc/bind/dynzone.key ##### + +Below are the entire contents of the dynzone.key file. This specifies the name, algorith and TSIG secret. key dynzone-key { algorithm hmac-md5; secret "foobar...BhBrq+Ra3fBzhA4IWjXY85AVUdxkSSObbw3D30xgsf....."; }; -### Django Application ### - -Deploy the Django application as you see fit, and create the database via `manage.py syncdb`. - -Using the Admin UI, add each DNS Server to the 'Bind Servers' model. - -Once you have completed this, surf over to the URL where the binder Django app is installed and enjoy. +referenced as 'dynzone-key' in named.conf From 323375ead7a44defb40efc157af05fe2175501e8 Mon Sep 17 00:00:00 2001 From: Jeffrey Forman Date: Mon, 7 Jan 2013 21:22:58 -0500 Subject: [PATCH 2/2] clean up section headers for bind, and add explanation for ancillary config files --- README.markdown | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/README.markdown b/README.markdown index 332f4d3..a68e329 100644 --- a/README.markdown +++ b/README.markdown 
@@ -47,13 +47,11 @@ Keys should also be created, if needed. The name of the key should match the con Once these two pieces of configuration are done, open up [http://yourserver:port/](http://yourserver:port) to access Binder and begin DNS zone management. -### BIND Name Servers ### +### BIND DNS Server ### When Binder accesses your BIND DNS server, it first queries the statistics port to gather various zone information. This data includes zone name, view, and serial number. This is all configured by some of the following configuration examples. -#### Key Configuration #### - -##### named.conf ##### +#### named.conf #### We must provide server statistics from the BIND process itself. This allows Binder to query BIND itself and get a list of zones, views, and other statistics. @@ -75,7 +73,7 @@ Moving on to zone declaration, determine how locked down you want zone updates a allow-update { key dynzone-key; }; }; -##### /etc/bind/dynzone.key ##### +#### /etc/bind/dynzone.key #### Below are the entire contents of the dynzone.key file. This specifies the name, algorith and TSIG secret. 
@@ -85,3 +83,21 @@ Below are the entire contents of the dynzone.key file. This specifies the name, }; referenced as 'dynzone-key' in named.conf + +### Related Configuration ### + +#### Apache HTTPD #### + +If you are using Apache to front-end your Binder Django app, the following two configuration files can be used as starting points. + +[binder-apache.conf.dist](https://github.com/jforman/binder/blob/master/config/binder-apache.conf.dist): Apache virtual host configuration file to be inclued in your apache.conf. Values provide for Binder to run on its own virtual host, separate logs, etc + +[django.wsgi](https://github.com/jforman/binder/blob/master/config/django.wsgi): WSGI configuration file used by Apache to run the actual Django app. + +#### Nginx #### + +[binder-nginx.conf.dist](https://github.com/jforman/binder/blob/master/config/binder-nginx.conf.dist): Nginx virtual host configuraiton. This configuration expects Django to be running in fcgi mode on port 4001 on 127.0.0.1. + +#### Ubuntu Upstart #### + +To have Binder start upon system boot, if you are running Ubuntu, I have provided an [example Upstart configurarton](https://github.com/jforman/binder/blob/master/config/binder-upstart.conf.dist) to be installed in /etc/init/.
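Review bot: In PATCH 1/2, hunk `@@ -1,37 +1,73 @@`, the new statistics-channels example still listens on every interface (`inet * port 8053 allow { 10.10.0.0/24; };`) while the paragraph right after it tells the reader to narrow access. Show the narrowed form in the example itself, for instance a single listen address with only the Binder host in the allow list, because the channel is plain HTTP and, per the text, returns zone names, views and serial numbers. The same hunk describes the sample zone as allowing all zone transfers; since the README now advertises TSIG-authenticated transfers, consider showing `allow-transfer { key dynzone-key; };` as the default and mentioning the open form as the looser option. Spelling in the added lines: "containts", "runing", "progamatically".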
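Review bot: In PATCH 1/2, hunk `@@ -39,17 +75,13 @@`, the sample key file documents `algorithm hmac-md5;` as the TSIG algorithm, and this README is what people will copy. Suggest showing a SHA-2 HMAC such as hmac-sha256 instead, and replacing the partly elided secret with an obviously fake placeholder so it cannot be mistaken for usable key material. A sentence under the new `/etc/bind/dynzone.key` heading about restricting read access on that file to the BIND user would also help. The trailing added line "referenced as 'dynzone-key' in named.conf" is a fragment and reads better folded into the sentence above the key block; "algorith" should be "algorithm".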
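Review bot: In PATCH 2/2, hunk `@@ -85,3 +83,21 @@`, the new "Related Configuration" section describes binder-apache.conf.dist, django.wsgi, binder-nginx.conf.dist and binder-upstart.conf.dist a second time, after PATCH 1/2 already listed the same four files under "config/" in the installation section. Keep one description and link to it from the other place so the two cannot drift apart. Because the Admin app holds TSIG key data, it would also be worth stating here whether the example virtual hosts serve Binder over HTTPS or leave that to the reader. Spelling in the added lines: "inclued", "configuraiton", "configurarton".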