Open Sourcery

As part of the PowerDNS on Rails project, and improving our own DNS infrastructure, I sat out today to configure 4 new DNS servers around the world. This will move a lot of our DNS traffic out of South Africa, while keeping some servers locally on the main networks (Internet Solutions & SAIX).

I rolled out MySQL replication with SSL enabled, you can Google for some good howto’s on the topic and I’ll give some posts below. Basically we have secure replication, and each DNS server is isolated in case of a disaster.

The gotcha then?

The MySQL docs, and some other howto’s indicate you should set the SSL client certificate details in your my.cnf file, under the [client] section. It makes sense, the slave is a client of the master. Appears not so with Gentoo’s mysql-5.0.60-r1 ebuild. It appears even less so with PowerDNS, who rightfully reads the my.cnf file as client.

Cause and effect

PowerDNS now tries to connect to the slave using the SSL details specified in the [client] section of the my.cnf file. This breaks, since you probably never configured your MySQL slave to have PowerDNS connect via SSL.

Secondly, it appears MySQL blatantly ignores the settings when used with replication, and you actually need to specify the client certificates in the CHANGE MASTER TO statement.

Aftermath

Nothing serious, was quick to piece together what was going on. Now I’ll have double digit DNS servers scattered around the globe near pearing point, with SSL encryption for the replication data. Brilliant, that really is resillient DNS!

More reading

• MySQL Manual – Using SSL for secure connections
• MySQL Manual – Setting up replication using SSL
• Be your own CA – Not MySQL specific
• MySQL Replication with SSL
  
• MySQL Replication with SSL

Hope this prevents any future missery for someone else.

It is with great excitement, and sadness that I announce the tag of BIND DLZ on Rails RC1.

We were very motivated as a team to get this product, and the accompanying infrastructure in place so would could continue to enhance and expand our DNS infrastructure. We made two fatal mistakes in trying to achieve this goal:

Understand your existing infrastructure

We used the easy way out and blamed PowerDNS for some of our DNS does, where it ended up being out woes with TUPA, not PowerDNS. Typical I guess, since everyone else uses BIND, we’ll use BIND as well. We never went out to fully understand the problems not the solutions. We just decided to blindly drop an entire stack of services for a new one. Thats bad.

Understand your new infrastructure

Same goes for this. We checked out the BIND-DLZ patches, heard it was accepted into BIND itsef, and got excited. We could run everyone’s dream DNS server with a flexible MySQL 5 backend. Boy, what a mistake. We should have evaluated BIND DLZ first, before building an entire UI for it and then only testing it.

The whole of last week was spent trying to get BIND to behave. It would random crash without warning. I discussed this with the bind-dlz-testers list over at SourceForge, who argued I should downgrade the MySQL client libraries to MySQL 4. For us this was easily possible since the MySQL slaves and DNS servers were different boxes, for others this might not be the case. As part of this excercise I had to learn how to update Gentoo ebuild’s, so I could submit a fix to Gentoo as well for their net-dns/bind-9.5.1-p1 ebuild.

Who’s to blame? Well, us. Not BIND, or the guys who developed the DLZ patches. There are plenty reports out there of issues with the MySQL client libs, but some very clever people have found ingenious ways of working around it. I personally think we have an odd combination of Hardened Gentoo & BIND issues.

What happens next?

Well, we’ll be sticking to PowerDNS for the time being, or maybe permanently. We’ll be planning our DNS offerings out in full, and then start to see how PowerDNS can accomodate us. If, and only if, it cannot, we’ll dive into the alternatives.

All the work is not lost, I’ve basically made a copy (not a fork) of the git repo and modified the entire application to run on the PowerDNS schema. So keep an eye out for PowerDNS on Rails.

I won’t try to juggle branches, the differences are too big. However, I’ll be porting changes implemented in PowerDNS on Rails back to BIND DLZ on Rails. My hope is that someone picks up BIND DLZ on Rails and runs with it further.

Thanks to everyone for their interest in the project.

UPDATE (Jul 22, 2008): I don’t have connectivity at home at the moment, so I’ll roll our production systems over to BIND (and BIND DLZ on Rails) from PowerDNS and Tupa in the morning. Based on the initial feedback from our support team I’ll either address small bugs we overlooked, or tag RC1, whichever comes first.

Just a quick update, we’re closing the gap rapidly on pushing RC1 to Github. Hopefully that happens by the weekend. We’ll also be rolling it into production use to iron out any last remaining issues that didn’t surface from our lab tests/reviews.

We just have one issue to overcome with will_paginate and our custom scoped finders for Zones, then I’ll push to Github.

In preparation (and celebration) I’ve added the project to Ohloh as well for some added metrics and publicity. See the badge below, and on the updated project page.