DNS
DDNS and TSIGs
DHCP Updates
Our earlier generosity in allowing the DHCP server to inject updates by virtue of its IP address alone is a bit risky. We really should lock it down so that only an authentic DHCP server with an expected key can perform updates.
So, generate a key (as in the TSIG section) called dhcpupdate, say:
dnssec-keygen -a HMAC-MD5 -b 128 -n USER dhcpupdate
and read the key out of the generated .key file (it is a shared HMAC secret that both named and dhcpd must hold, not a public key, even though the file stores it in a KEY record):
$ cat Kdhcpupdate.+157+19138.key
dhcpupdate. IN KEY 0 3 157 I3qsI7L/nGrxMw7+QGfngw==
dhcpd.conf
Add the key and zone statements saying that this key is to be used when updating the forward and reverse zones (the key name must match the one in named.conf exactly):
key dhcpupdate {
    algorithm hmac-md5;
    secret "I3qsI7L/nGrxMw7+QGfngw==";
};

zone office.soho. {
    primary 127.0.0.1;   # IP address of DNS server for office.soho.
    key dhcpupdate;
}

zone 0.168.192.in-addr.arpa. {
    primary 127.0.0.1;   # IP address of DNS server for 0.168.192.in-addr.arpa.
    key dhcpupdate;
}
named.conf
Very much the same:
key dhcpupdate {
    algorithm hmac-md5;
    secret "I3qsI7L/nGrxMw7+QGfngw==";
};

zone "office.soho" {
    type master;
    file "internal/office.soho.db";
    allow-update { key dhcpupdate; };
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "internal/0.168.192.in-addr.arpa.db";
    allow-update { key dhcpupdate; };
};
Notice that here we allow anything holding the key to perform updates, without restricting it to a specific IP address (that of the DHCP server). Such a restriction could be added as well.
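As an added sanity check (not part of the original page), the following Python script pulls the key definitions and the key references out of dhcpd.conf- and named.conf-style fragments and reports what would silently break signed updates: a key referenced in a zone block but never defined, a key whose algorithm or secret differs between the two files, a key defined on only one side, or a secret that is not 128 bits of valid base64 as dnssec-keygen -b 128 produces. The embedded fragments are constructed from the page's configs; the dhcpd.conf fragment deliberately carries a one-letter typo in the key name so the checker has something to report, since a name mismatch makes named reject every DHCP update with a TSIG BADKEY error.

```python
import base64
import re

# Constructed sample fragments modelled on the page's dhcpd.conf and named.conf.
# The dhcpd.conf key block is deliberately misspelt ("dhcupdate") so that the
# zone blocks reference a key that is never defined.
DHCPD_CONF = """
key dhcupdate {
    algorithm hmac-md5;
    secret "I3qsI7L/nGrxMw7+QGfngw==";
};
zone office.soho. {
    primary 127.0.0.1;
    key dhcpupdate;
}
zone 0.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key dhcpupdate;
}
"""

NAMED_CONF = """
key dhcpupdate {
    algorithm hmac-md5;
    secret "I3qsI7L/nGrxMw7+QGfngw==";
};
zone "office.soho" {
    type master;
    file "internal/office.soho.db";
    allow-update { key dhcpupdate; };
};
"""

# The same dhcpd.conf with the typo corrected, for comparison.
FIXED_DHCPD_CONF = DHCPD_CONF.replace("key dhcupdate {", "key dhcpupdate {")

# key NAME { algorithm ALG; secret "SECRET"; }  -- a key definition
KEY_BLOCK = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}',
    re.IGNORECASE,
)
# key NAME;  -- a reference to a key from inside a zone / allow-update block
KEY_REF = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;')


def parse_keys(conf):
    """Return {name: (algorithm, secret)} for every key {...} block in conf."""
    return {m.group(1): (m.group(2).lower(), m.group(3)) for m in KEY_BLOCK.finditer(conf)}


def key_references(conf):
    """Return the set of key names used as 'key NAME;' references in conf."""
    return set(KEY_REF.findall(conf))


def check_secret(secret, expected_bits):
    """True if secret is valid base64 decoding to exactly expected_bits bits."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) * 8 == expected_bits


def check_configs(dhcpd_conf, named_conf, expected_bits=128):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    dhcp_keys = parse_keys(dhcpd_conf)
    named_keys = parse_keys(named_conf)
    # Every 'key NAME;' reference must resolve to a key defined in the same file.
    for side, conf, keys in (("dhcpd.conf", dhcpd_conf, dhcp_keys),
                             ("named.conf", named_conf, named_keys)):
        for ref in sorted(key_references(conf)):
            if ref not in keys:
                problems.append(f"{side}: 'key {ref};' references an undefined key")
    # A key known to both sides must carry the same algorithm and secret.
    for name in sorted(dhcp_keys.keys() & named_keys.keys()):
        if dhcp_keys[name] != named_keys[name]:
            problems.append(f"key {name}: algorithm/secret differ between dhcpd.conf and named.conf")
    # A key present on only one side cannot be used for signed updates.
    for name in sorted(dhcp_keys.keys() ^ named_keys.keys()):
        problems.append(f"key {name}: defined in only one of the two files")
    # The secret must be real base64 of the length dnssec-keygen -b was asked for.
    for name, (_alg, secret) in {**dhcp_keys, **named_keys}.items():
        if not check_secret(secret, expected_bits):
            problems.append(f"key {name}: secret is not {expected_bits} bits of valid base64")
    return problems


if __name__ == "__main__":
    for label, conf in (("page config", DHCPD_CONF), ("corrected config", FIXED_DHCPD_CONF)):
        found = check_configs(conf, NAMED_CONF)
        print(f"{label}: {len(found)} problem(s)")
        for line in found:
            print("  " + line)
```

Run against the page's fragments it reports the undefined reference plus the two one-sided key definitions; against the corrected dhcpd.conf it reports nothing. Two practitioner notes on the page's setup, both assumptions about a current deployment rather than anything on the page: newer BIND releases ship tsig-keygen, which defaults to hmac-sha256, and that is the algorithm to pick today instead of HMAC-MD5; and if the DHCP server is the local host, as the page's primary 127.0.0.1 suggests, the address restriction the page mentions can be expressed in named.conf as allow-update { !{ !127.0.0.1; any; }; key dhcpupdate; }; so that the key alone is no longer sufficient.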