Dynamic dns with bind9 and dhcp3
These instructions assume that your master name server and your
dhcp server are running on the same host. They also assume that
you have a working bind9 installation, including zone files,
and that all you're doing is allowing dynamic updates.
Create an authentication key
[root@dropbear /etc/bind]# dnssec-keygen -a hmac-md5 -b 128 -n user kirriwa
Kkirriwa.+157+03578
This creates two files:
Kkirriwa.+157+03578.key and
Kkirriwa.+157+03578.private. hmac-md5 is a
symmetric algorithm, so both files contain the same key, but
you still need both of them. The filename is always of
the form K<name>.+157+<digits>;
the digits are random.
[root@dropbear /etc/bind]# cat Kkirriwa.+157+03578.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 8dPhQ8ZYLX5F/wSyjzVqhw==
The data following "Key: " is the secret key (base64-encoded). This is
what you use in bind's and dhcpd's config files.
Configure bind to allow dynamic updates
In /etc/bind/named.conf.local:
// this has to be the same key as is used in dhcpd.conf
key kirriwa
{
algorithm hmac-md5;
// this is the secret key hash (see above)
secret "8dPhQ8ZYLX5F/wSyjzVqhw==";
};
// This section allows communication between dhcp and bind
// on localhost only
controls
{
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { kirriwa; };
};
zone "kirriwa.net"
{
type master;
file "db.kirriwa";
// this allows the key "kirriwa" to be used to update this zone
allow-update { key kirriwa; };
};
zone "42.168.192.in-addr.arpa"
{
type master;
file "db.192.168.42";
// this allows the key "kirriwa" to be used to update this zone
allow-update { key kirriwa; };
};
Configure rndc to use this key
In /etc/bind/rndc.conf:
key kirriwa
{
algorithm hmac-md5;
secret "8dPhQ8ZYLX5F/wSyjzVqhw==";
};
options
{
default-key "kirriwa";
default-server 127.0.0.1;
default-port 953;
};
and /etc/bind/rndc.key (this one might not be necessary):
key "rndc-key"
{
algorithm hmac-md5;
secret "8dPhQ8ZYLX5F/wSyjzVqhw==";
};
Restart bind
[root@dropbear /etc/bind]# /etc/init.d/bind9 restart
* Stopping domain name service... [ ok ]
* Starting domain name service... [ ok ]
Configure dhcpd3 to update dns when issuing leases
In /etc/dhcp3/dhcpd.conf:
# ddns-update-style determines which protocol is used
ddns-update-style interim;
# this has to be the same key as is used in named.conf
key kirriwa
{
algorithm hmac-md5;
secret "8dPhQ8ZYLX5F/wSyjzVqhw==";
};
# this section defines the key to be used in each zone
zone kirriwa.net.
{
primary 127.0.0.1;
key kirriwa;
}
zone 42.168.192.in-addr.arpa.
{
primary 127.0.0.1;
key kirriwa;
}
Restart the dhcp server
[root@dropbear /etc/dhcp3]# /etc/init.d/dhcp3-server restart
Stopping DHCP server: dhcpd3.
Starting DHCP server: dhcpd3.
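The same secret has to appear in named.conf.local, rndc.conf and dhcpd.conf, and a mismatch only shows up later as refused updates. The following checker is an added example, not part of the original page: it reads the "Key:" line of a K*.private file and confirms that every config's key block has the expected name, algorithm and secret, and that the secret really is 128 bits. The function names and the inline sample files are constructed for the example.

```python
import base64
import re

# Constructed sample files in the layout this page uses (not the real files).
PRIVATE_KEY = ("Private-key-format: v1.2\nAlgorithm: 157 (HMAC_MD5)\n"
               "Key: 8dPhQ8ZYLX5F/wSyjzVqhw==\n")
NAMED_CONF = ('key kirriwa\n{\nalgorithm hmac-md5;\n// secret key (see above)\n'
              'secret "8dPhQ8ZYLX5F/wSyjzVqhw==";\n};\n')
RNDC_CONF = ('key kirriwa\n{\nalgorithm hmac-md5;\nsecret "8dPhQ8ZYLX5F/wSyjzVqhw==";\n};\n'
             'options\n{\ndefault-key "kirriwa";\ndefault-server 127.0.0.1;\n};\n')
DHCPD_CONF = ('ddns-update-style interim;\n# same key as named.conf\nkey kirriwa\n{\n'
              'algorithm hmac-md5;\nsecret "8dPhQ8ZYLX5F/wSyjzVqhw==";\n};\n'
              'zone kirriwa.net.\n{\nprimary 127.0.0.1;\nkey kirriwa;\n}\n')

# key <name> { algorithm <alg>; secret "<base64>"; }  (bind and dhcpd syntax)
KEY_BLOCK = re.compile(
    r'key\s+"?(?P<name>[\w.-]+)"?\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]+)"\s*;\s*\}')


def strip_comments(text):
    # Only whole-line // and # comments are dropped: '//' is legal inside
    # a base64 secret, so stripping trailing comments would be unsafe.
    return re.sub(r"^\s*(?://|#).*$", "", text, flags=re.M)


def check_keys(private_key_text, configs, key_name, expected_bits=128):
    """Compare every config's 'key <key_name>' block with the K*.private
    file. Returns a list of problems; an empty list means all agree."""
    problems = []
    m = re.search(r"^Key:\s*(\S+)\s*$", private_key_text, re.M)
    if not m:
        return ["private key file has no 'Key:' line"]
    reference = m.group(1)
    try:
        bits = 8 * len(base64.b64decode(reference, validate=True))
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ["private key secret is not valid base64"]
    if bits != expected_bits:
        problems.append(f"private key is {bits} bits, expected {expected_bits}")
    for fname, text in configs.items():
        found = {b.group("name"): b for b in KEY_BLOCK.finditer(strip_comments(text))}
        block = found.get(key_name)
        if block is None:
            problems.append(f"{fname}: no key block named {key_name}")
        elif block.group("alg").lower() != "hmac-md5":
            problems.append(f"{fname}: algorithm {block.group('alg')} is not hmac-md5")
        elif block.group("secret") != reference:
            problems.append(f"{fname}: secret does not match the private key file")
    return problems
```

In practice, read the real files with open() and pass their text in; the rndc.key file on this page uses the name "rndc-key", so check it with that key_name.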
Once a zone is configured for dynamic updates, you can no longer
simply edit the zone file and reload it: bind takes over the
zone file from then on. You can still make manual changes, but
you need to use nsupdate to do it.
When you stop bind, it will overwrite your zone files with the
current zone data, including all updates. If you want to add,
delete or change a record, you can stop bind, delete the journal
files (if your zone file is "db.kirriwa",
the journal is "db.kirriwa.jnl"), edit
the zone file, and restart bind. It's quicker, easier and safer
to use nsupdate.
Using nsupdate to update your zone
nsupdate will, by default, contact the name server of the zone
being updated. It will also figure out the zone from the record
being added. Both of these can be overridden if necessary.
If your name server has been configured to only allow updates
from 127.0.0.1, then you need to run nsupdate on the name server
itself, and tell nsupdate to use the server at 127.0.0.1 instead
of the address in the zone.
You also need to tell nsupdate which key to use. For example:
[root@echidna /etc/bind]# nsupdate -k /etc/bind/Kkirriwa.+157+02065.private
> server 127.0.0.1
> update add hoopsnake.kirriwa.net 3600 A 192.168.42.99
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
hoopsnake.kirriwa.net. 3600 IN A 192.168.42.99
> send
Query the new name to check that the update was done:
[root@echidna /etc/bind]# dig hoopsnake.kirriwa.net
; <<>> DiG 9.2.4 <<>> hoopsnake.kirriwa.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42494
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;hoopsnake.kirriwa.net. IN A
;; ANSWER SECTION:
hoopsnake.kirriwa.net. 3600 IN A 192.168.42.99
;; AUTHORITY SECTION:
kirriwa.net. 86400 IN NS dropbear.kirriwa.net.
kirriwa.net. 86400 IN NS echidna.kirriwa.net.
;; ADDITIONAL SECTION:
echidna.kirriwa.net. 86400 IN A 192.168.42.16
dropbear.kirriwa.net. 86400 IN A 192.168.42.1
;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 1 17:23:29 2005
;; MSG SIZE rcvd: 130
Deleting a record is just as easy:
[root@echidna /etc/bind]# nsupdate -k /etc/bind/Kkirriwa.+157+02065.private
> server 127.0.0.1
> update delete hoopsnake.kirriwa.net
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
hoopsnake.kirriwa.net. 0 ANY ANY
> send
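For scripted changes (from cron or a provisioning tool), nsupdate reads its commands from stdin. This helper is an added example, not from the original page: it builds the command batch with a prerequisite, so an add fails instead of silently replacing an existing record, and it deletes one record type and value rather than every RR at the name, which is what the bare "update delete hoopsnake.kirriwa.net" above does (shown as "ANY ANY" in the show output). The function names are constructed, and run_update assumes nsupdate is on the PATH.

```python
import subprocess


def build_update(server, zone, name, rtype, rdata, ttl=3600, action="add"):
    """Return the batch of commands to feed to nsupdate's stdin.
    'add' is guarded by 'prereq nxrrset' so it fails rather than
    replacing an existing record of that type; 'delete' names the type
    and data, so other records at the same name survive."""
    if action == "add":
        body = [f"prereq nxrrset {name} {rtype}",
                f"update add {name} {ttl} {rtype} {rdata}"]
    elif action == "delete":
        body = [f"prereq yxrrset {name} {rtype}",
                f"update delete {name} {rtype} {rdata}"]
    else:
        raise ValueError(f"unknown action {action!r}")
    return "\n".join([f"server {server}", f"zone {zone}", *body, "send", ""])


def run_update(script, keyfile, nsupdate="nsupdate"):
    """Run nsupdate non-interactively with the TSIG key file (-k) and the
    batch from build_update. Returns (success, stderr). Not exercised
    here: it needs a name server listening on the given address."""
    proc = subprocess.run([nsupdate, "-k", keyfile], input=script,
                          text=True, capture_output=True)
    return proc.returncode == 0, proc.stderr


if __name__ == "__main__":
    # Prints the batch that the interactive session above typed by hand.
    print(build_update("127.0.0.1", "kirriwa.net", "hoopsnake.kirriwa.net",
                       "A", "192.168.42.99"), end="")
```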