Authentication for DNS updates
Transaction signatures (TSIG) can be used to authenticate Dynamic DNS updates. The only supported TSIG algorithm is HMAC-MD5.
The TSIG public key is stored in a KEY record in a zone served by the name server, and nsupdate uses the TSIG private key to authenticate.
$ mkdir /var/named/keys; cd /var/named/keys
$ dnssec-keygen -a HMAC-MD5 -b 256 -n USER server1-ddns-key
Kserver1-ddns-key.+157+00575.key
Kserver1-ddns-key.+157+00575.private
# Since HMAC-MD5 is a symmetric algorithm, the "key string" in the private key and the public key are identical, so the public key file can be deleted.
$ rm Kserver1-ddns-key.+157+00575.key
$ cat Kserver1-ddns-key.+157+00575.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: x3NLKprWMvSMaPx75At6zA+DiWb2SvzpFzPFowc7SBU=
# Create a BIND configuration file to be included in /etc/named.conf (this is optional; the statements can be placed in /etc/named.conf directly)
$ cat keys.conf
# the key name is arbitrary, but it must be the same name given on the dnssec-keygen command line
key server1-ddns-key {
    algorithm HMAC-MD5;
    secret "x3NLKprWMvSMaPx75At6zA+DiWb2SvzpFzPFowc7SBU=";
};
$ cat /etc/named.conf
include "/var/named/keys/keys.conf";
...
# zone example.com allows this key to perform updates
zone "example.com" IN {
    type master;
    file "example.zone";
    allow-update { key server1-ddns-key; };
};
The journal file for dynamic update
All changes made to a zone using dynamic update are stored in the zone's journal file.
The name of the journal file is formed by appending the extension .jnl to the name of the corresponding zone file.
The updated entries are saved in the .jnl file and merged into the zone file under the following conditions:
1. Every 15 minutes
2. When an "rndc freeze zone" command is issued
3. On service restart
However, the updated records in memory take effect immediately, without waiting to be merged into the zone file.
For the named process to be able to write the journal file, the zone directory /var/named/ must be writable by the named user or group:
$ chown root:named /var/named; chmod g+rw /var/named
nsupdate sample commands
$ nsupdate -k Kserver1-ddns-key.+157+00575.private
> server localhost
> zone example.com
> update add www1.example.com 86400 A 172.16.1.11
> send
Suspend dynamic DNS update
# Sometimes it is necessary to edit the zone file by hand; follow this order:
$ rndc freeze example.com
$ vi example.com.zone
$ rndc thaw example.com
# If your zone exists in multiple views, you may get this error:
$ rndc freeze example.com
rndc: 'freeze' failed: not found
# You have to specify the class (IN) and the view name in full:
$ rndc freeze example.com IN myview-name
A wrapper script to make DNS update even easier
$ ./dnscmd.sh add example.com www5 172.16.1.11

 ==> Checking result: www5.example.com. ...
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

www5.example.com has address 172.16.1.11
#script content
$ cat dnscmd.sh
#!/bin/ksh
SERVER='localhost'
TTL='86400'
# key file passed to nsupdate -k: the .private file generated by dnssec-keygen,
# or a file written in the named.conf "key" syntax
KEY='/var/named/keys/server1-ddns-key.key'
cmd=$1
zone=$2
node=$3
data=$4
if [[ $# -ne 4 ]]; then
cat <<END
Usage: $0 add|delete zone-name node-name data
For example:
- Add A record: $0 add example.com web 192.168.100.34
- Add PTR record: $0 add 100.168.192.in-addr.arpa 34 web.example.com.
- Delete record: replace add with delete
*** It only supports A and PTR records; for other records, edit the zone file manually: rndc freeze zone-name; vi zonefile; rndc thaw zone-name
END
exit 1
fi
# a node of one to three digits is taken to be the last octet of a reverse zone
if [[ "$node" = {1,3}([0-9]) ]]; then
class='PTR'
else
class='A'
fi
tmpfile=$(mktemp)
cat >"$tmpfile" <<END
server $SERVER
update $cmd ${node}.${zone} $TTL $class $data
send
END
nsupdate -k "$KEY" -v "$tmpfile"
rm -f "$tmpfile"
# for a reverse zone, turn node.zone back into a dotted-quad address for host(1)
record=${node}.${zone}
[[ ${zone} = *in-addr.arpa ]] && record=$(echo "${node}.${zone}" | awk -F"." '{ print $4"."$3"."$2"."$1 }')
printf '\n ==> Checking result: %s. ...\n' "$record"
host "$record" $SERVER
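The wrapper above interpolates all four command-line arguments straight into the nsupdate batch, so a malformed argument becomes a malformed (or extra) update command. The following is an added example, not the post's dnscmd.sh, of a validation layer that checks each argument and builds the batch; it picks the record class from the zone name (in-addr.arpa means PTR) rather than from the node being one to three digits, and the helper names is_ipv4, is_dns_name, is_fqdn and build_nsupdate_batch are assumed.

```shell
#!/bin/sh
# Added example (not the post's dnscmd.sh): validate the wrapper's
# arguments before they are placed in an nsupdate batch. Helper names
# are assumed, not from the post.
SERVER='localhost'
TTL='86400'

# Dotted-quad IPv4: exactly four decimal octets, 0-255, no leading zeros.
is_ipv4() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
)

# Relative DNS name: labels of letters, digits and hyphens, no empty
# labels, no leading or trailing hyphen or dot, at most 253 characters.
is_dns_name() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    [ ${#1} -le 253 ]
}

# A PTR target must be fully qualified, i.e. carry the trailing dot.
is_fqdn() {
    case $1 in *.) is_dns_name "${1%.}" ;; *) return 1 ;; esac
}

# Print the nsupdate batch on stdout, or a reason on stderr and fail.
# The "zone" line pins the update to the intended zone, as in the
# interactive nsupdate session in the post.
build_nsupdate_batch() {
    cmd=$1 zone=$2 node=$3 data=$4
    case $cmd in add|delete) ;; *) echo "bad command: $cmd" >&2; return 1 ;; esac
    is_dns_name "$zone" || { echo "bad zone: $zone" >&2; return 1; }
    is_dns_name "$node" || { echo "bad node: $node" >&2; return 1; }
    case $zone in
        *.in-addr.arpa) class=PTR; is_fqdn "$data" || { echo "bad PTR target: $data" >&2; return 1; } ;;
        *)              class=A;   is_ipv4 "$data" || { echo "bad IPv4 address: $data" >&2; return 1; } ;;
    esac
    printf 'server %s\nzone %s\nupdate %s %s.%s %s %s %s\nsend\n' \
        "$SERVER" "$zone" "$cmd" "$node" "$zone" "$TTL" "$class" "$data"
}
```

The batch it prints can be fed to nsupdate -k with the same key file the wrapper uses; a non-zero return means no batch was produced and nothing should be sent.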