BIND9 catalog zones - or better securing slaves from masters


Does Webmin support BIND9 catalog zones? I know about using Webmin Servers Index and then Cluster Slave Servers in BIND module in order to have a master->slave DNS setup, but I don’t feel comfortable with it as although I could grant minimal rights to the Webmin user on the slave used for the master->slave connection, there is too much information visible of the slave from master (dashboard view with slave summary, access to other zone files than of the master’s, etc.).
In my setup I intend to have several clients who will have Virtualmin master VMs and I would allow them to use my nameservers (slaves for them) in an automated way, but by using the Webmin Server Index this means that all my clients would have access to all zones in the system as the slaves would be shared. One could imagine what an attacker gaining access to one of the master VMs could do with access to all my BIND nameservers…

I recently found out about the BIND9 catalog zone so it seems like a better fit, I could imagine setting up a catalog for each master VM and allow my slaves to transfer and handle that. A hacked master VM couldn’t do anything to zones not belonging to the VM I guess… But this means that when adding/removing a domain on a master VM, virtualmin needs to update the catalog.

Is this supported or possible in any way?

Or is there a way to better secure this functionality via the Webmin Servers Index / BIND Cluster Servers?

I’ve never used catalog zones, and Webmin does not (yet) have explicit support for them. That doesn’t mean you can’t use them. I think it depends on what needs to happen to make them work.

You can control the zone file contents completely in Server Templates, so if it’s just a matter of including some additional info in the zone file, you can do that without explicit support.

So, what needs to happen to make a new zone work in a deployment using catalog zones? I mean, what goes in the zone file?

A catalog zone is a single zone per server. It gets handled by BIND9 mostly like a regular zone (list of records, same transfer mechanisms), but it must be maintained as a list of zones to be transferred/updated to the slave.

You can see an example here, it’s not complicated as it is basically a list of zones but with a hash computed in a certain way:

From what I understood so far, unfortunately, this isn’t just some additional info into a zone file in Server Templates. It’s a list that needs to be maintained whenever Virtualmin adds/removes zones on the master BIND9.

So this hash is computed every time the zone is updated?

I think this is probably going to need some development, and one of us would need to understand it. @Jamie likes DNS stuff, so maybe he’ll have an interest in it. But, I wouldn’t want to make any promises…not sure how complicated adding support in Webmin will be.

The hash is a function of the zone name so computed only when added, basically a SHA1 of the name in wire-format:

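The hashing described in the reply above, as an added example that is not part of the original thread or of Webmin/Virtualmin: it builds the owner label BIND expects for a catalog member (SHA-1 of the zone name in wire format) and renders a small catalog zone from a list of member zones. Assumptions: names are canonicalised to lowercase before hashing, the version-1 catalog layout (a `version` TXT record of "1" and an `NS invalid.` apex record), and the placeholder names `catalog.example.` / `ns1.example.`.

```python
import hashlib

def to_wire(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte.
    Lowercasing is an assumption (DNS names compare case-insensitively)."""
    name = name.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r} in {name!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)

def member_hash(zone: str) -> str:
    """Hex SHA-1 of the member zone name in wire format (the owner label)."""
    return hashlib.sha1(to_wire(zone)).hexdigest()

def member_record(zone: str, catalog: str) -> str:
    """One PTR record that adds `zone` to the catalog zone `catalog`."""
    zone = zone.rstrip(".").lower()
    cat = catalog.rstrip(".").lower()
    return f"{member_hash(zone)}.zones.{cat}. IN PTR {zone}."

def catalog_zone(catalog: str, members, serial: int,
                 ns="ns1.example.", mbox="hostmaster.example.") -> str:
    """Render a minimal version-1 catalog zone text; the caller bumps `serial`
    every time the member list changes so slaves notice the update."""
    cat = catalog.rstrip(".").lower() + "."
    lines = [
        "$TTL 3600",
        f"{cat} IN SOA {ns} {mbox} {serial} 900 600 86400 3600",
        f"{cat} IN NS invalid.",
        f'version.{cat} IN TXT "1"',
    ]
    # Deduplicate case-insensitively so the same zone never gets two entries.
    unique = sorted({m.rstrip(".").lower() for m in members})
    lines += [member_record(z, cat) for z in unique]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample: two client zones on one master VM.
    print(catalog_zone("catalog.example", ["client1.test", "Client2.TEST."], 2024010101))
```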

Interesting, I hadn’t heard of catalog zones before! We don’t support this currently, but I can see why it would be useful. I may look into it after finishing some other DNS-related features in progress…

Sounds great, thanks!
