I rolled out MySQL replication with SSL enabled, you can Google for some good howto’s on the topic and I’ll give some posts below. Basically we have secure replication, and each DNS server is isolated in case of a disaster.

The gotcha then?

The MySQL docs, and some other howto’s indicate you should set the SSL client certificate details in your my.cnf file, under the [client] section. It makes sense, the slave is a client of the master. Appears not so with Gentoo’s mysql-5.0.60-r1 ebuild. It appears even less so with PowerDNS, who rightfully reads the my.cnf file as client.

Cause and effect

PowerDNS now tries to connect to the slave using the SSL details specified in the [client] section of the my.cnf file. This breaks, since you probably never configured your MySQL slave to have PowerDNS connect via SSL.

Secondly, it appears MySQL blatantly ignores the settings when used with replication, and you actually need to specify the client certificates in the CHANGE MASTER TO statement.

Aftermath

Nothing serious, was quick to piece together what was going on. Now I’ll have double digit DNS servers scattered around the globe near pearing point, with SSL encryption for the replication data. Brilliant, that really is resillient DNS!

More reading

• MySQL Manual – Using SSL for secure connections
• MySQL Manual – Setting up replication using SSL
• Be your own CA – Not MySQL specific
• MySQL Replication with SSL
  
• MySQL Replication with SSL

Hope this prevents any future missery for someone else.

Back to business, this blog was conceptualized to focus on some of the real benefits of using open-source software in business. Not the kind of business that Novell and IBM try to make of open-source, but small businesses seeking to gain an advantage in a very competitive market space.

Today this power shined through dramatically again, through a little piece of software called policyd. Policyd is a greylisting service built for Postfix (the ever so popular MTA) and allows anyone with a mail server to implement greylisting, blacklisting, whitelisting and a host of other features in the fight against spam.

I needed to change the way policyd used the MySQL backend, and in doing so it meant editing C code that I know nothing about. It turn out to be relatively easy when you apply common sense and all the knowledge you’ve gained from coding in interpreted languages all your life. So I need to be able to prefix the tables in the MySQL database used by policyd in order to prevent clashes with other mail-related software sharing the same database. It is scheduled for the next major release version, but I needed this feature today. So after skimming through some of the .c files I realized that this wouldn’t be a too big feat…

It took me an hour, more or less, to complete modify every single SQL statement in the code, add new configuration directives and create a patch that I submitted to the policyd-users list for testing. Currently I’m still testing as well, and everything looks 100%.

This allows me to actually adapt software in an hour to fit my needs. This is the real power of open source. Imagine the time and effort it would take to consult with the developers of proprietary software to get such a minor change done. Even if I push my rates per hour up 10 fold, it would not compare to the cost of getting proprietary software adapted quickly and easily.

And in the true spirit of open-source (blatantly ignoring any licenses) the patch is available on the list archive pages of the policyd-users mailing list at SourceForge. If you need it, grab it here: http://sourceforge.net/mailarchive/forum.php?thread_id=9613438&forum_id=46105