Spent a wonderful 6 hours setting up djbdns (tinydns + dnscache) as a secondary name server. I managed to hack together a working solution, but am confused as to why it did not work out of the box.
Both primary & secondary name servers live behind a Cisco ASA, external IPs get NAT'd to appropriate internal subnets, in this case DMZ for the name servers.
Primary NS is run by a Plesk-type CP, so djbdns configuration is all GUI, and runs fine. Now, until I discovered the extortion that is secondary name server hosting, I was considering offloading this task to a 3rd party. No thanks, too expensive for this brother. Anyway, roll-your-own time: have a file server sitting in a colo rack not doing much of anything, let's put it to work.
Following this tutorial:
http://www.howtoforge.com/clean-djbdns-dns-server-on-centos-dnscache-and-tinydns-a-to-z
I got everything installed just fine; however, nothing worked, or at least only digs against localhost worked. I needed `dig @dmz-ip foo.com` to resolve.
Not knowing any better, I hacked the dnscache & tinydns env/IP files, reversing them, so tinydns listens on dmz and dnscache on localhost. Restarted both services and voila, was able to dig from remote laptop to secondary name server IP and resolve the domains that we host, wonderful.
So, I thought, well I should do this properly, and blew away everything, reinstalled, and set tinydns to listen on dmz and dnscache on localhost (as I had done in manually hacking env/IP files). Tried `dig @localhost foo.com`, nada; same deal with `dig @dmz-ip foo.com`. WTF? Yes, wtf. In Noob mode, I tried tinydns on localhost, both on dmz, etc., nothing worked.
In the end I installed dnscache on the dmz, tinydns on localhost, and then env/IP reversed them (dnscache on localhost & tinydns on dmz). It's the only way I've found to get them working, and am completely at a loss as to why I could not just install without having to hack env/IP files.
djbdns users, feel free to chime in, am glad I finally have a working setup, but that was a hellacious evening, would like a clean setup if at all possible...
Before starting to do something strange and hacked you should know what you are trying to achieve. This means understanding the meaning and the concept of a secondary name server, which is not a caching or forwarding DNS server. Also, having both DNS servers sitting in one network (behind NAT) makes the concept absurd.
First thing would be to read RFC 1034, RFC 1995, RFC 1996 and probably this draft. Then you can rethink your setup and probably come to the conclusion that the best software for doing this job would be BIND.
Would have been nice to have found this thread (by DJB himself) in my Google searches last night:
Took @10 minutes to set up, grab data.cdb from production name server, and off to the races, double barrel name servers. 6 hours vs. 10 minutes, time lost, but I guess I learned a few things along the way.
@mailq brought up excellent points, but for quick & dirty budget hosting, 3rd party secondary name server, BIND, etc., not happening in this scenario. I have a working setup, non-hacked as per above link, that dovetails nicely with CP-driven primary name server, and works behind the ASA, cool stuff (when it works that is ;-))
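The layout the thread settles on is tinydns on the DMZ address and dnscache on loopback, with data.cdb copied from the primary. Below is an added sanity check for that layout (example code, not from the thread or from djbdns); it assumes the standard djbdns service directories (`/etc/tinydns`, `/etc/dnscache`), each with an `env/IP` file, and the sample address 10.0.0.5 is constructed.

```shell
# Added example: verify a djbdns secondary is split the way the thread describes
# (tinydns on the DMZ IP, dnscache on 127.0.0.1, data.cdb present).
# Service directories default to the standard djbdns locations (assumption).

# Print the address a djbdns service binds, taken from its env/IP file.
svc_ip() {
    # $1 = service directory; env/IP holds a single IPv4 address
    [ -r "$1/env/IP" ] || { echo ""; return 1; }
    tr -d ' \n' < "$1/env/IP"
}

# Returns 0 when the layout is sane, 1 otherwise, printing each finding.
check_djbdns_layout() {
    tiny="${1:-/etc/tinydns}"
    cache="${2:-/etc/dnscache}"
    ok=0
    tip=$(svc_ip "$tiny") || { echo "tinydns: missing $tiny/env/IP"; ok=1; }
    cip=$(svc_ip "$cache") || { echo "dnscache: missing $cache/env/IP"; ok=1; }
    # Both daemons want port 53, so they cannot share one address.
    if [ -n "$tip" ] && [ "$tip" = "$cip" ]; then
        echo "tinydns and dnscache both bind $tip: port 53 collision"; ok=1
    fi
    # The authoritative server on loopback is what broke remote digs in the thread.
    case "$tip" in
        127.*) echo "tinydns bound to loopback ($tip): unreachable from outside"; ok=1 ;;
    esac
    # The resolver stays on loopback so the box is not an open resolver.
    case "$cip" in
        127.*) ;;
        *) echo "dnscache bound to $cip: exposed resolver, keep it on 127.0.0.1"; ok=1 ;;
    esac
    # A secondary only answers from the data.cdb copied over from the primary.
    if [ ! -s "$tiny/root/data.cdb" ]; then
        echo "tinydns: $tiny/root/data.cdb missing or empty (copy it from the primary)"; ok=1
    fi
    return $ok
}
```

Run it as `check_djbdns_layout` (or with two explicit directories) after each restart; a non-zero exit means the env/IP split or data.cdb copy is off.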