Home / server / Questions / 669819
Accepted
Andrew B
Asked: 2015-02-20 02:08:50 +0800 CST

How can I manage all of my domains with minimal configuration?

  • 772

This is a Canonical Question about DNS server administration.

I have one hundred or so domains. All of these domains need to be configured identically, but it seems like a huge waste of time to have to configure a new zone and/or zonefile for every one of these domains. There has to be a better way to automate this!

I think I'm on to something...if I create a zone called ., or use some other feature in my DNS software to always return a specific IP when an A record is requested, this seems to get me pretty close to my desired end result. My server is responding authoritatively to the requests and it's so much easier to manage!

This was working great until nameserver validation software started checking these domains. I figured out that I can make most of the errors go away by adding NS records, but my software won't let me put more than one SOA record in the same zone file.

How do I work around this multiple SOA record problem?

domain-name-system

4 Answers

  1. Best Answer

    Unless I'm misunderstanding the question, I do this regularly with BIND, and it seems to be fine as long as each zone is absolutely identical.

    On my primary nameserver, I have named.conf entries that point to the generic zonefile, eg

    zone "example.com" {
        type master;
        file "primary/example.GENERIC";
};

zone "example.co.uk" {
        type master;
        file "primary/example.GENERIC";
};

    and then a zonefile primary/example.GENERIC which says, eg

    ;; Start of Authority
@       IN      SOA     ns.teaparty.net. dns.gatekeeper.ltd.uk. (
                        2004091201      ; serial number YYYYMMDDNN
                        28800           ; refresh  8 hours
                        7200            ; retry    2 hours
                        864000          ; expire  10 days
                        3600 )          ; min ttl  1 day
;;
;;      Name Servers
                IN      NS      ns.teaparty.net.
                IN      NS      ns2.teaparty.net.

    And I'm not aware of any problems with these zones at all. I'm open to being told that I've misunderstood the question, or that my domains in fact don't work, but until then I think it works for me.

    Note that you cannot pull the same trick on the secondary; each zone will require a different file to be stored in. But since the contents of that file will be populated and kept up-to-date by zone xfers from the primary, this isn't a huge deal.

    • 12

  2. Short Answer

    If you're looking for a "zero configuration" setup in BIND, it doesn't exist. Setting up a root zone (.) seems like a good idea, but it's not, and you need to find a solution that doesn't involve breaking DNS to suit your needs.

    Long Answer

    We've been getting variants of this question several times in the past year.

    The answer is pretty simple here: you can't set up a single zone definition. Any software that lets you define or otherwise synthesize multiple SOA records in this context is broken software, and doing broken things is not on topic for ServerFault. You either need to choose DNS software that makes this management simpler for you, or you need to come up with a different strategy that does not involve this particular shortcut.

    There are definitely some tricks you can use to make life easier...using BIND as an example, it's fairly commonplace to define multiple zones that all reference the same template zone file. This is perfectly legal and validation software will find nothing wrong with it: see MadHatter's answer. Most people pass over this solution because it's still "too much work" to add a zone declaration every time a new domain is acquired, but there is no "configure it once and walk away" option for this kind of hosting.

    Newer versions of BIND support an option called allow-new-zones that will let you dynamically create zone definitions on the fly via the new rndc addzone functionality. You might want to take a look at this and see if it fits your needs.

    Other than that the suggested solutions, your options are somewhat limited. Sometimes you're just stuck with doing the work if the software doesn't do things the way you want it to.

    • 4

  3. There are a number of shortcuts you can use to make your life easier:

    If you use Bind or similar software that uses files to store the zone data: point your zones to the same file for example:

    zone "example.net" {
    type master;
    file "/etc/bind/zone/default.zone";
};

zone "example.org" {
    type master;
    file "/etc/bind/zone/default.zone";
};

    Because you can make use of certain DNS shorthands you can create a universal zone file: 

    $TTL 1h      ; default expiration time of all resource records without their own TTL value
@  IN  SOA   ns1.example.com. username.example.com. ( 
                               20140218131405 ; Serial number YYYYMMDDHHMMSS
                                        28800 ; Refresh     8 hours
                                         7200 ; Retry       2 hours
                                       604800 ; Expire      7 days
                                        86400 ; Minimum TTL 1 day )
@             IN  NS    ns1.example.com.      ; ns1.example.com is a primary nameserver
@             IN  NS    ns2.example.com.      ; ns2.example.com is a backup nameserver
@             IN  MX    10 mail.example.com.  ; mail.example.com is the mailserver
@             IN  MX    20 mail2.example.com. ; the secondary mailserver
@             IN  A     192.0.2.1             ; IPv4 address for the bare domain
              IN  AAAA  2001:db8:10::1        ; IPv6 address for the bare domain
www           IN  A     192.0.2.1             ; www.domain
              IN  AAAA  2001:db8:10::1        ; IPv6 address for www.domain - note by starting the line with a blank it becomes the continuation of the previous record and this IPv6 record applies to www
wwwtest       IN  CNAME www                   ; wwwtest is an alias for www

    This makes use of the fact that the hostnames in zone files that don't end with a dot . are always expanded with the $ORIGIN which in turn is implicitly set to the zone name. And @ is short-hand for the $ORIGIN.

    Rather than maintain individual zone files by hand, enable a method interact programmatically with your name servers.

    I've used PowerDNS which allows for a RDMS as a back-end which fit in very well with the LAMP stack we were using at the time. Cloud Services like Amazon Route 53 also expose web-API's.

    But even venerable Bind also supports dynamic Update which is a method for adding, replacing or deleting records in a master server by sending it a special form of DNS messages. The format and meaning of those messages is specified in RFC 2136.

    Dynamic update is enabled by including an allow-update or an update-policy clause in the zone statement. For more info check the Bind Administrator Reference Manual.

    • 4

  4. When you say "domains need to be configured identically", do you mean they have to hold the same resource records? In that case, wouldn't a DNAME RR for all but one domain be a cleaner solution?

    I cannot beat the trick by @MadHatter of importing the same template file while staying strictly within the scope of your question. I can only offer similar approach for LDAP backend (in my case, used with powerDNS): add the associatedDomain attributes for the relevant SOA and NS records, like so: 

    dn: dc=vanitydomains,ou=DNS,dc=myDIT
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: vanitydomains
associatedDomain: vanitydomain.ORG
associatedDomain: vanitydomain.NET
associatedDomain: vanitydomain.COM
associatedDomain: vanitydomain.INFO
sOARecord: NS1.example.com  sysadmin.example.com 2011100701 28800 1800 2592000 10800
dNameRecord: example.com
nSRecord: NS1.example.com
nSRecord: NS2.example.com
    • -2