As part of the PowerDNS on Rails project, and improving our own DNS infrastructure, I sat out today to configure 4 new DNS servers around the world. This will move a lot of our DNS traffic out of South Africa, while keeping some servers locally on the main networks (Internet Solutions & SAIX).
I rolled out MySQL replication with SSL enabled, you can Google for some good howto’s on the topic and I’ll give some posts below. Basically we have secure replication, and each DNS server is isolated in case of a disaster.
The gotcha then?
The MySQL docs, and some other howto’s indicate you should set the SSL client certificate details in your my.cnf file, under the [client] section. It makes sense, the slave is a client of the master. Appears not so with Gentoo’s mysql-5.0.60-r1 ebuild. It appears even less so with PowerDNS, who rightfully reads the my.cnf file as client.
Cause and effect
PowerDNS now tries to connect to the slave using the SSL details specified in the [client] section of the my.cnf file. This breaks, since you probably never configured your MySQL slave to have PowerDNS connect via SSL.
Secondly, it appears MySQL blatantly ignores the settings when used with replication, and you actually need to specify the client certificates in the CHANGE MASTER TO statement.
Aftermath
Nothing serious, was quick to piece together what was going on. Now I’ll have double digit DNS servers scattered around the globe near pearing point, with SSL encryption for the replication data. Brilliant, that really is resillient DNS!
More reading
- MySQL Manual – Using SSL for secure connections
- MySQL Manual – Setting up replication using SSL
- Be your own CA – Not MySQL specific
- MySQL Replication with SSL
- MySQL Replication with SSL
Hope this prevents any future missery for someone else.
