web frontend:
workflow:
log in, see domain list from current group
-> "current group" includes all subgroups? (hairy SQL)
logic:
-> need to pass session ID on every call, otherwise we don't know who we are
-> should check ACLs on every call in case of changing permissions
-> should be able to store all webvar bits in the session
ooo! ooo! what about "clone existing domain"?
export for tinydns: arbitrary record data is binary blob, decomposed by hex octets to octal codes
components:
menu list (actions/sections)
domain list
group tree
user list
<various edit <entity> pages>
time tables:
3600: 1h
7200: 2h
10800: 3h
14400: 4h
21600: 6h
43200: 12h
86400: 1d
172800: 2d
604800: 7d (1w)
valid records:
nb: wildcards are supported for most types. use with extreme caution! (I don't plan on writing
tools that will create them.)
.fqdn:ip:x:ttl:timestamp:lo
-> x.fqdn is a nameserver at ip, SOA sets x.fqdn as master with hostmaster@fqdn as contact
-> if x contains a . that is used as the NS name
(Not much use for us)
Zfqdn:primary:contact:serial:refresh:retry:expire:minttl:recttl:(timestamp:lo)
-> SOA for fqdn
&fqdn:ip:x:ttl:timestamp:lo
-> x.fqdn is a nameserver
-> if x contains a . that is used as the NS name
-> ip may be omitted; A record for fqdn->ip is created otherwise
=fqdn:ip:ttl:timestamp:lo
-> A record and matching PTR record with fqdn and ip
+fqdn:ip:ttl:timestamp:lo
-> A record
^ptr:fqdn:ttl:timestamp:lo
-> PTR record. note ptr must be reverse-IP format ending in .in-addr.arpa
@fqdn:ip:x:dist:ttl:timestamp:lo
-> MX. Dist defaults to 0.
-> ip may be omitted; A record for fqdn->ip is created otherwise
-fqdn:ip:ttl:timestamp:lo
-> ignored
'fqdn:text:ttl:timestamp:lo
-> TXT record
-> octal-encode special characters in text as \nnn
Cfqdn:name:ttl:timestamp:lo
-> CNAME for fqdn pointing to name
:fqdn:n:data:ttl:timestamp:lo
-> Generic data, of type n (n is a 16-bit unsigned integer)
17 is RP
16 is TXT
2 (NS), 5 (CNAME), 6 (SOA), 12 (PTR), 15 (MX) and 252 (AXFR) (WTF?) should not be used
-> data must use octal escapes for : or nondisplayable characters. axfr-get seems to escape all
non-alphanumerics, therefore so will we.
two primary groups of data:
-> forward zones
-> local master zones
-> local slave zones
-> reverse zones
- note that it would be really nice to eliminate duplicated A records (+domain.com:ip:: plus =domain.com:ip::)
operations:
-> import zone data (BIND*, djbdns, vegadns-mysql)
-> allow overwrite of existing SOA
-> export data (BIND*, djbdns)
-> add zone/domain
-> as slave
-> as master
-> delete zone/domain
-> add record to domain
-> remove record from domain
-> change record
-> A record IP
-> CNAME destination
-> MX destination
-> MX priority
-> A <-> CNAME ?
-> flag record as "primary" A record for an IP (means that PTR will set that name as rDNS)
-> force propagation (execute propagation script)
-> User ACL fiddling:
-> take IPDB model, include groups/delegation/etc
"admin" -> nominally full access to anything/everything
"staff" -> general access to all domains, can create users and delegate domains to them
"bulk hoster" -> customer with more than one domain, (can create users and delegate domains to them)?
"user" -> customer with one domain
recommended SOA/TTL/etc times:
refresh 86400 (24h), retry 7200 (2h), expire 2592000 (30d), ttl 345600 (4d)
Qs re: new servers:
-> IPs for cache/authoritative?
flow of data:
user input -> database -> local "zone" data -> rsync/scp to slaves
don't use "domain ID" goop; its only advantage is slightly lower disk use. otherwise it's more
complicated, less traceable thru the DB manually
db structure (current)
domains:
| domain_id | int(11) | | MUL | NULL | auto_increment |
| domain | varchar(100) | | | | |
| group_id | int(11) | YES | | NULL | |
| description | varchar(255) | | | | |
| status | enum('active','inactive') | | | inactive | |
records:
| domain_id | int(11) | | MUL | 0 | |
| record_id | int(11) | | PRI | NULL | auto_increment |
| host | varchar(100) | | | | |
| type | char(1) | YES | | NULL | |
| val | varchar(100) | YES | | NULL | |
| distance | int(4) | YES | | 0 | |
| weight | int(4) | YES | | NULL | | - for SRV only
| port | int(4) | YES | | NULL | | - for SRV only
| ttl | int(11) | | | 86400 | |
| description | varchar(255) | | | | |
default_records is a duplicate of records structurally
log: (not sure how useful this really is, in this form...)
| domain_id | int(11) | | | 0 | |
| user_id | int(11) | | | 0 | |
| group_id | int(11) | | | 0 | |
| email | varchar(60) | | | | |
| name | varchar(60) | | | | |
| entry | varchar(200) | | | | |
| time | int(11) | | | 0 | |
db structure (proposed)
domains:
domain char(128) pk, indexed
group char(32) fk, indexed?
status enum?
masterns char(64)
email char(128)
serial long int (needs 2^32 at least)
refresh long int needs semi-sane default
retry long int needs semi-sane default
expire long int needs semi-sane default
minttl long int needs semi-sane default
ctime timestamp
mtime timestamp
records:
recid serial
domain char(128) fk, indexed?
host char(128) pk, indexed
type enum?
val char(256) to allow for 255-char TXT records
extra char(10) 10 should be enough to express any needs for MX, SRV, or anything else...right?
ttl long int
ctime timestamp
mtime timestamp
default records to be either database-coded as default values or coded in er, code.
-> hrm.
database-level defaults are "recommended practice" according to the cricket book
code-level defaults may be hardcoded (easy) or loaded from a config file (harder, but cleaner)
all must be overrideable by a database-table-stored "local policy defaults" widget
add domain:
-> need domain name
-> IP/"company default" radio button pair, with some Javascript to change defaults for:
-> radio buttons with sane defaults for standard hosts (www/mail/ftp/smtp)
-> www CNAME @
-> FTP CNAME @
-> mail CNAME mail.company.com
-> smtp CNAME smtp.company.com
-> MX defaults to <mxlist>
+----------------------------------------------------------------+
| Domain: _________________________________ |
| o Company hosting o Slave zone o Custom settings |
+----------------------------------------------------------------+
add_domain($domain,$class)
update_domain($domain,$group,$status,[$contact,$primary,$serial,$ttl,$refresh,$retry,$expire,$minttl])
delete_domain($domain)
lock_domain($domain) -hm.. lock/unlock may be admin-level "don't touch!" flags vs "active/inactive" flags
unlock_domain($domain)
add_record($domain,$host,$type,$value,$extra,$ttl)
update_record($id,$host,$type,$val,$extra,$ttl)
delete_record($id)
export_data($domain,$format) ->takes special <ALL> arg for all zones. $format -> BIND or djb (implement DJB first)
update_nameservers()
FFFF:FFFF:FFFF:FFFF : FFFF:FFFF:FFFF:FFFF
we get:
<x>:<x>:FFFF:FFFF
we assign:
<x>:<x>:<y>:<a> (/64, nominally equivalent to current /32, logically)
<x>:<x>:<y>:<b>FF (/56, bitwise equivalent to current /24 relative to /32)
<x>:<x>:<y>:FFFF (/48, bitwise equivalent to current /16 relative to /24)
Allocations SHOULD leave space for growth
SELECT u.user_id, u.email, u.firstname, u.lastname, u.type, g.group_name
"FROM users u ".
"INNER JOIN groups g ON u.group_id=g.group_id ".
($offset eq 'all' ? '' : " LIMIT $perpage OFFSET ".$offset*$perpage)
SELECT g.group_id, g.group_name, g2.group_name, g.children, count(distinct(u.email)), count(distinct(d.domain))
FROM groups g
INNER JOIN groups g2 ON g2.group_id=g.parent_group_id
LEFT OUTER JOIN users u ON u.group_id=g.group_id
LEFT OUTER JOIN domains d ON d.group_id=g.group_id
GROUP BY g.group_id, g.group_name, g2.group_name, g.children
record_id | group_id | host | type | val | distance | weight | port | ttl | description
-----------+----------+----------------------------------------+------+-------------------------+----------+--------+------+-------+-------------
1 | 1 | ns1.example.com:hostmaster.DOMAIN | 6 | 10800:3600:604800:10800 | 0 | 0 | 0 | 86400 |
25 | 1 | DOMAIN | 1 | 10.2.3.4 | 0 | 0 | 0 | 7200 |
2 | 1 | DOMAIN | 15 | mx1.example.com | 10 | 0 | 0 | 7200 |
26 | 1 | DOMAIN | 15 | mx2.example.com | 10 | 0 | 0 | 7200 |
27 | 1 | DOMAIN | 2 | ns2.example.com | 0 | 0 | 0 | 7200 |
22 | 1 | DOMAIN | 2 | ns1.example.com | 0 | 0 | 0 | 7200 |
31 | 1 | www.DOMAIN | 5 | DOMAIN | 0 | 0 | 0 | 10800 |
32 | 1 | DOMAIN | 16 | "v=spf1 a mx -all" | 0 | 0 | 0 | 10800 |
17 | 1 | DOMAIN | 33 | srv.example.com | 15 | 2 | 325 | 7200 |
serial in domains table
'manual' - date+inc
'manual' - monotone
'auto' - generated (TinyDNS only; uses auto(date) for other exports)
add enable/disable for individual records
log_id? domain_id? group_id user_id action detail timestamp
LOG_EMERG
A panic condition.
LOG_ALERT
A condition that should be corrected immediately, such as a corrupted system database.
LOG_CRIT
Critical conditions, such as hard device errors.
LOG_ERR
Errors.
LOG_WARNING
Warning messages.
LOG_NOTICE
Conditions that are not error conditions, but that may require special handling.
LOG_INFO
Informational messages.
LOG_DEBUG
#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */
another web-UI for DNS record maintenance:
http://www.henriknordstrom.net/code/webdns/
sub-octet delegation for v4 nets:
p 216-218 in cricket^Wgrasshopper book
Also see new draft spec, applies to both v4 and v6:
http://tools.ietf.org/html/draft-gersch-dnsop-revdns-cidr-01
new custom types "Forward delegation" and "Reverse delegation"?
- forward creates NS records in parent for <sub>.parent
- reverse creates NS records plus CNAMEs for sub-octet zones
-> would solve the conundrum of what to do with the unsightly CNAME
records presented in the UI to indicate sub-octet zone delegation
BIND reference for views/locations/split-horizon
https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html
HTML calendar widget?
http://www.cssflow.com/snippets/tag/date-picker (paid)