«
»

When hosts have a dynamic IP, it’s very convenient to have its DNS-name follow that dynamic IP. There are several services on the net that do this. However, the regular DNS already provides this feature. The nsupdate tool (comes with BIND) allows you to send an update to the DNS servers. By default, a DNS server does not allow updates for security reasons.

To keep the whole world from updating your zone, there are several possibilities to restrict who can update what. The easiest to setup is an IP restriction: specify from which IPs updates are to be accepted. In my setup, however, I’d like the host to update its own record. Since the host’s IP is dynamic, this is not an option.

The other way to limit updates is by using cryptography: only people knowing the secret can send updates. This comes in two variants: TSIG and SIG(0). This site goes more into the details, but here are the basics.

$ dnssec-keygen -a RSASHA1 -b 768 -k -n HOST keyid.example.net.

Note that the keyid should be inside your zone! This generates two files, a .key and a .private file. The key should be added to the zone; the private file should be kept secret (obviously).

Next, configure what the key can do inside the named.conf:

zone "example.net" {
    type master;
    file "pri/example.net";
    update-policy {
        grant keyid.example.net. name specific.example.net. A;
        grant otherkeyid.example.net. subdomain example.net. ANY;
        grant * self * A TXT;  // allow any key to update its own A and TXT records
    };
};

You can test the update with:

$ nsupdate -k /path/to/private/key/Kkeyid.example.net.+005+29297.key
> server ns.example.net
> update add test.example.net. 300 A 127.0.0.1
> send
> quit
$ dig @ns.example.net -t A test.example.net

Don’t try to check the raw zone-file. The new record will not be in there (yet). If you really want the zone-file to be updated (e.g. if you want to edit it), you need to (temporarily) disable dynamic updates:

# rndc freeze example.net           # disable updates
# vim /etc/bind/pri/example.net     # remember to update the serial
# rndc reload example.net
# rndc thaw example.net             # enable updates

Since Bind now receives updates through DNS, be sure to check the permissions on your zone-files: bind should be allowed to write to them!

This entry was posted by Niobos on 2009-04-27 at 17:54 under Networking & Security. Tagged . You can skip to the end and leave a response. Pinging is currently not allowed. Follow any responses to this entry through the RSS 2.0 feed.

One Comment

  1. Long-term Memory » Blog Archive » DNSSEC – Implementation says:

    […] also want to note that it’s perfectly possible to combine DNSSEC with dynamic updates. The only drawback is that the keys (at least the ZSK) must be available to the running BIND […]

    2010-01-24, 14:15