Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
2019-04-15T09:14:34Z

Symbiosis: symbiosis-firewall 99-reject file is blank by default
https://gitlab.com/sympl.io/sympl/-/issues/182
2019-04-15T09:14:34Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/137
Symbiosis' firewall contains a `/etc/symbiosis/firewall/incoming.d/99-reject` rule by default, which will block connections from `0.0.0.0/0` (anywhere).
If we add an IP to this 99-reject file, connections will only be blocked from this IP and allowed from everywhere else, which isn't usually what we want to happen.
It would be safer if the 99-reject file contained `0.0.0.0/0` by default to avoid allowing more through the firewall than what was intended. This could still be removed from the file if needed.

Future Plans

Symbiosis: Some thoughts about Symbiosis firewall management
https://gitlab.com/sympl.io/sympl/-/issues/175
2019-04-17T20:20:11Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/136
The Symbiosis firewall seems to work well, but I have issues with it, which may be caused by my lack of understanding of the nuances of ruby, I guess. Mostly I want to stop the bots that relentlessly look for logins and passwords, while at present I think that Exim is doing a reasonable job of keeping spam out.
This attempts to explain my understanding of what is happening, so please bear with me - and maybe you will see if I have it wrong.
**What's there**
I am interested in improving the action of /usr/sbin/symbiosis-firewall-blacklist which runs every 15 minutes (or so) and is responsible for creating and deleting files in /etc/symbiosis/firewall/blacklist.d. The files are named for IP addresses (and have .auto appended to them when created by the script). IP files can be created here to put into the firewall, and are ignored by the system. The files contain port numbers, 'all', or are empty (which implies 'all') - the port numbers are loaded into iptables and block attempts to connect from the named IP to the appropriate port.
The symbiosis-firewall-blacklist script has two distinct phases:
1) It creates a list of candidate IPs (and ports) using the files in /etc/symbiosis/firewall/patterns.d to scan log files. Once it has a list of candidates it creates the files in blacklist.d.
2) It then looks for files to delete.
So let's look at phase 1:
Each file in the patterns.d directory contains the name of a log file. This file is scanned looking for a regular expression match to find likely candidates for blocking. The script uses an sqlite3 database (in /var/lib/symbiosis/firewall-blacklist-logtail.db) to remember where it was in the file the last time it looked at that file. (I suspect that this is the cause of some people's uncertainty about this system. If you add a pattern which you've found in a log file, then it won't be activated until the problem happens again and re-appears in the log file so it can be seen.) However doing this makes sense for efficiency reasons.
The script uses pattern.rb to scan the log file. When matches are found it creates a two dimensional hash
`results[ip][port] = hit (actual code is results[ip.to_s][port] += 1)`
so for each port in the pattern.d file, the ip is awarded a single hit. My guess is that this method was used because different pattern files may locate the same bad IP and may also repeat ports. However it means that total hit counts are multiplied by the number of ports in the matched pattern file.
So it's found some lines in a logfile matching the regular expression. Now it wants to decide if any of these entries are worthy of being blacklisted.
This happens if any of the hit counts are greater than 20 (by default), or the value supplied by the -a (--block-after). While it's doing this, it's summing all the hits for the ip and writes them to another sqlite3 database (/var/lib/symbiosis/firewall-blacklist-count.db) along with the IP and a timestamp.
It now looks to see if this IP has been really bad, and is worth blocking completely. It creates a sum of the hits recorded for this IP in the last 24 hours and if this is over 100 (default) or the value determined from -b (--block-all-after) then this IP is set up to be blocked completely for all ports.
So now if it has some candidates, it will create files with the ip address as the names and attach .auto.
Phase 2 is reasonably simple. It looks for the modification time of the file, and if it's expired it's removed.
**Thoughts**
The Phase 1 algorithm really needs improving and I would say that this is really an urgently needed change. In many cases the system is not reactive enough - and I see that people are using other systems because it's not good enough.
When looking for candidates, the system only 'knows' about the matches it has found in the current slice of the log file that it's inspecting for that pass. For my site, this is typically 3 or 6. My system is not busy so not a lot happens every 15 minutes. The window for selecting candidates is much too small - and is essentially avoidable by delaying attacks.
Second, the system completely ignores the history that it has carefully stored away in the sqlite3 file. Mostly I find that these robots come back from the same IP address often several days later. The system should make much better use of the history that it has gathered.
Third, the current system will theoretically generate port specific matches in iptables. But it's not clear how often this will happen, and frankly I don't care, I'd be happy to completely block every bad site from everything. As an aside it would be good if the code making the firewall understood about 'multiport dports' to make less lines in the filters.
The current selection code is:
```
results.each do |ip, ports|
  #
  # tot up on a per-ip basis
  #
  total_for_ip = 0
  ports.each do |port, hits|
    total_for_ip += hits
    blacklist[ip] << port if hits > @block_after
  end
  #
  # Record our count
  #
  @count_db.set_count_for(ip, total_for_ip, timestamp)
  #
  # Get the hits for the last 24 hours
  #
  total_for_ip = @count_db.get_count_for(ip, timestamp - 86400)
  #
  # If an IP has exceeded the number of matches, block it from all ports.
  #
  if total_for_ip > @block_all_after
    blacklist[ip] = %w(all)
  end
end
```
I am no ruby programmer - so this is a syntactic guess but maybe this will be an improvement - without changing patterns.rb.
If you want to correct the syntax for me please do.
```
results.each do |ip, ports|
  #
  # get history for this ip for the last day
  # and this ought to be a parameter to the script
  # because I'd like to change this
  # (@block_period defaults to 1 I think)
  #
  historysecs = timestamp - 3600*@block_period
  past_for_ip = @count_db.get_count_for(ip, historysecs)
  #
  # tot up on a per-ip basis
  #
  total_for_ip = 0
  ports.each do |port, hits|
    total_for_ip += hits
    # notice change here to include history
    blacklist[ip] << port if hits + past_for_ip > @block_after
  end
  #
  # Record our count
  #
  @count_db.set_count_for(ip, total_for_ip, timestamp)
  #
  # Get the hits for some period, which can also be the epoch
  # and again should be a parameter - block_all_period can perhaps default to 3
  #
  historysecs = 0
  if @block_all_period > 0
    historysecs = timestamp - 3600*@block_all_period
  end
  total_for_ip = @count_db.get_count_for(ip, historysecs)
  #
  # If an IP has exceeded the number of matches, block it from all ports.
  #
  if total_for_ip > @block_all_after
    blacklist[ip] = %w(all)
  end
end
```
So this:
a) includes the history for some period when working out the bad guys
b) includes the history for some longer period when evaluating really bad guys
c) Now has an extra lookup for each ip.
This may cause problems if this hits ip addresses that should be in use. There are no tools for removing good guys from the history file. Maybe this can be supplied as a small tool. Perhaps when an address is placed in the whitelist directory, the address should be removed from the blacklist database if it's there.

Future Plans

Symbiosis: Simple database creator
https://gitlab.com/sympl.io/sympl/-/issues/173
2020-09-15T21:31:03Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/46
A typical usage scenario for Symbiosis is a user creating a new site, then uploading a PHP webapp and expecting it to work.
The problem is, once they've uploaded the PHP content, they need to create a MySQL database, which can only currently be done over the command-line or phpMyAdmin.
An interesting feature would allow a user to create a "database" file in the /srv/domain.tld/config directory, containing a user and password. Symbiosis would detect the presence of this file, and if a database named after the domain didn't already exist, would create a new database, and GRANT the right permissions to it allowing local access with the username/password in the file. The user could then install say, Wordpress with *only* SFTP.

Future Plans

Symbiosis: Run-parts when SSL certificates are updated
https://gitlab.com/sympl.io/sympl/-/issues/172
2019-06-20T17:51:21Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/62
Similar to other tools for Let's Encrypt, could Symbiosis do a run-parts on a certain directory if it exists (e.g. /etc/symbiosis/ssl-update.d) to allow other services to act on an automated SSL renewal?
I'm thinking this could hook into HAProxy, but could be useful for mail and stuff too.
Ideally environment variables would be passed to the hook in the same style as https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#hooks

Sympl v9.0 (for Debian Stretch)

Symbiosis: Replace the default site .html file with some Symbiosis documentation
https://gitlab.com/sympl.io/sympl/-/issues/169
2019-06-20T13:22:59Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/63
@jamielinux's good idea;
Replace:
![screen_shot_2017-05-31_at_16 33 05](https://user-images.githubusercontent.com/317667/27084986-c99e5000-5045-11e7-9256-bd9f52cab638.png)
With help documentation in some form. Maybe full, maybe single page
Would a high level view of the steps required to setup a standard website work?

Sympl v9.0 (for Debian Stretch)

Symbiosis: Publish CAA (DNS TXT) records to improve security
https://gitlab.com/sympl.io/sympl/-/issues/165
2019-04-14T20:59:45Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/134
Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restrict which CAs can issue certificates for a particular domain name. It prevents bad people obtaining certificates from rogue or sloppy certification authorities.
It's a simple DNS text record to say, for example:
`example.org. CAA 128 issue "letsencrypt.org"`
At minimum, we could publish this record for a domain that's protected by a LetsEncrypt certificate.
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

Future Plans

Symbiosis: PHP 7.1/7.2 support
https://gitlab.com/sympl.io/sympl/-/issues/163
2020-09-15T21:33:38Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/128
(https://forum.bytemark.co.uk/t/symbiosis-stretch-update/2848/30)
PHP7.0's EOL is 3/12/18, which is a little short, given that PHP7.2 is only 'officially' available in Buster, and PHP7.1 in Sid.
We already run 7.1 and 7.2 in containers (Systemd-nspawn, Docker) for some customers using Symbiosis, but the setup procedure is mostly manual.
Ideally we'd want to be able to create a file e.g. `/srv/domain.com/config/php` containing `7.1<` or `7.2` to automatically use the appropriate Apache template for that domain.

Future Plans

Symbiosis: Mysql user of admin with admin password for mysql access
https://gitlab.com/sympl.io/sympl/-/issues/157
2019-06-20T13:21:36Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/61
Just had a customer who processed a migration from symb6 to symb8 and managed to overwrite the mysql db in the process.
Wondered if there might be some traction in having an admin user with the admin password as a mysql user that we can control access for a little more, no access to the mysql folder for example...
Sympl v9.0 (for Debian Stretch)

Symbiosis: Migration assistant
https://gitlab.com/sympl.io/sympl/-/issues/153
2019-04-14T20:37:18Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/60
We spend a lot of time helping customers with migrations, or advising that they migrate to avoid a dist-upgrade.
It would be nice if Symbiosis Stretch included a script to migrate all domains from Symbiosis Jessie (and maybe Wheezy). Something based on this migration guide would be useful. https://forum.bytemark.co.uk/t/the-symbiosis-migration-guide/2172
It should do as much of that as possible, and carry suitable health warnings, perhaps.
Future Plans

Symbiosis: It's too easy to break Exim by changing ssl certificate ownership.
https://gitlab.com/sympl.io/sympl/-/issues/147
2019-06-20T13:19:51Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/47
Pretty much everything in /srv/ is owned by admin:admin, so it's tempting to run something like "chown -R admin:admin /srv". The problem is that Exim certificates lie in /srv/<HOSTNAME>/config/ssl/sets and Debian-exim (the user that runs Exim) is not a member of the admin group, so this is an awkward fact to learn and remember.
It might be better if the certificates were managed in /etc/ssl - from where they are currently, and tortuously symlinked.
Alternatively, if issue 38 https://gitlab.bytemark.co.uk/open-source/symbiosis/issues/38 is implemented, then I've made a suggestion for managing these certs.

Sympl v9.0 (for Debian Stretch)

Symbiosis: If an SSL cert is automatically disabled, Symbiosis won't use automatically it again if it becomes valid
https://gitlab.com/sympl.io/sympl/-/issues/144
2019-07-17T15:53:24Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/111
For example, if I have a site (https://under100words.com) and manually disable Let's Encrypt by placing `false` in `/srv/under100words.com/config/ssl-provider` and moving the `config/ssl directory` out of the way, `symbiosis-httpd-configure` will disable the specific SSL cert for the site, swapping it to self-signed.
This is fine, and to be expected, however it does this by removing the relevant symlink from `/etc/apache2/sites-enabled`, which has the effect of flagging the site as "manually disabled", dropping it back to mass hosting, if configured.
Restoring the SSL configuration (removing `ssl-provider` and restoring `config/ssl`) then re-running `symbiosis-httpd-configure --verbose` you get:
```
# symbiosis-httpd-configure --verbose
[ . . . ]
Domain: under100words.com
Current SSL set 1: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-02-20 13:36:22 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
[ . . . ]
Configuration: under100words.com.conf
Configuration is up-to date.
!! Configuration has been manually disabled.
```
So, it's still thinking that the site was manually disabled, so even if it managed to create the individual config as there are valid SSL certs, it's not being symlinked.
A manual workaround is to run `symbiosis-httpd-configure` for the specific site:
```
# symbiosis-httpd-configure --verbose under100words.com
Domain: under100words.com
Current SSL set 1: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-02-20 13:36:22 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
Configuration: under100words.com.conf
Configuration is up-to date.
Enabling configuration.
Reloading Apache
```
This instead enables the config anyway, and things work normally again.

Future Plans

Symbiosis: I want SSL only without HSTS
https://gitlab.com/sympl.io/sympl/-/issues/143
2020-07-11T06:36:30Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/66
I want a back-out path from ssl-only. Currently, if I deploy SSL only, HSTS headers get issued, which means I have no way to back out if I have problems with certificate renewal or spot a problem with the way the SSL site renders.
So, maybe I could make a file `config/ssl-only-no-sts` to get ssl throughout the site, and when I'm confident that I can commit to this configuration, then deploy STS.

Sympl v9.0 (for Debian Stretch)

Symbiosis: Frequently used packages aren't installed by default
https://gitlab.com/sympl.io/sympl/-/issues/142
2019-06-20T13:42:39Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/120
There are a number of packages which are typically installed manually on a newly created Symbiosis server as a first priority, since they're used so often. The following packages are sure bets to be installed in most cases:
`curl, iotop, less, lsof, psmisc, rsync, screen, smartmontools, telnet, vim, wget, htop, mtr-tiny, xfsprogs, tree, dnsutils`
It would be useful if we could add these packages as a Symbiosis dependency to ensure they're installed automatically.

Sympl v9.0 (for Debian Stretch)

Symbiosis: Event bus for configuration changes
https://gitlab.com/sympl.io/sympl/-/issues/139
2019-04-14T20:18:28Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/45
A common problem in developing Symbiosis functionality is the difficulty in detecting configuration changes. Currently Symbiosis is configured using SFTP, but has no hooks into that system, so it's always going to be somewhat hobbled.
It would be good to have some sort of event bus to detect configuration changes, and act upon them at the time. This removes the need for polling which is wasteful and not very timely in some cases. Using a more event based approach would make configuration changes more or less instant, and maybe more reliable too.
One way of achieving this would be to have hooks into the SFTP subsystem. OpenSSH doesn't seem to have them, others do, ie https://www.npmjs.com/package/ssh
Whilst not advocating the addition of node into the stack, it would be good to have this functionality somehow, so it's open for debate.

Future Plans

Symbiosis: admin' user should be added to the 'www-data' group for compatibility
https://gitlab.com/sympl.io/sympl/-/issues/127
2019-06-20T13:21:53Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/115
In quite a few cases where web apps update themselves, such as WordPress, the updaters check that specific files and directories are owned by the user Apache is running as, and fail if they don't match.
By adding the `admin` user to the `www-data` group, and setting ownership to be www-data:www-data, both the web app and Symbiosis FTP users can update files and directories as needed without stepping on each other's toes too much.
Note that this will often require the group to be set to www-data also (and sometimes rw permissions set for the group), but this prevents web app installs from arguing with the admin permissions, and allows the admin user (ie: the user used with FTP) to overwrite files as needed.

Sympl v9.0 (for Debian Stretch)

Symbiosis: Ability to add an email attachment file extension black/whitelist
https://gitlab.com/sympl.io/sympl/-/issues/123
2019-04-17T20:27:02Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/41
Would be nice to be able to block certain attachments to email, in addition to the usual antivirus scanning

Future Plans

Symbiosis: `symbiosis-configure-ips` doesn't remove IPs it added once they are removed from /srv/*/config/ip
https://gitlab.com/sympl.io/sympl/-/issues/122
2019-06-06T11:08:42Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/59
If an IP has been added to a machine via `/srv/*/config/ip`, then if removed, it won't be removed from the configuration until next reboot when it won't be re-added.
This is likely as it can't be determined that Symbiosis added the IP, so we should probably either:
1. Make it clear in the docs that removing an IP will need a reboot or manual change via `ip`.
2. Automatically remove any IPs not set somewhere in `/srv/*/config/ip` when running symbiosis-configure-ips.
3. Provide a `--force` switch (like the other Symbiosis apps) to make the config match what symbiosis-configure-ips is trying to do.
Future Plans

octoDNS as interface to DNS providers
https://gitlab.com/sympl.io/sympl/-/issues/20
2021-09-05T00:36:13Z
Paul Cammish

octoDNS has support for a number of providers, so it may be worth looking at integrating it.
https://github.com/github/octodns#supported-providers

monit requires outside library which is not packaged
https://gitlab.com/sympl.io/sympl/-/issues/15
2019-06-07T11:00:55Z
Paul Cammish

The source repo is included in the repo here, but this is sub-optimal.
This should probably be replaced with something like https://mmonit.com/monit/, or simply replaced with a more maintainable alternative, as it's not that complex.

Future Plans

Add local DNS server with ability to allow AXFR to slaves
https://gitlab.com/sympl.io/sympl/-/issues/12
2020-04-23T19:38:17Z
Paul Cammish

For sympl to work standalone, it needs an integrated DNS server. The should be automatically updated by the various DNS related operations, and provide for AXFR requests to be allowed to enable external servers to provide DNS for domains hosted within sympl
Patrick Cherry has implemented something already, which might be a useful starting point:
https://gitlab.com/patch0/djbdns/wikis/home

Future Plans