DNS
DDNS and TSIGs
DHCP Updates
Our earlier generosity in allowing the DHCP server to inject updates by virtue of its IP address alone is a bit risky. We really should lock it down so that only an authentic DHCP server with an expected key can perform updates.
So, generate a key (as described under TSIGs), called dhcpupdate, say:
dnssec-keygen -a HMAC-MD5 -b 128 -n USER dhcpupdate
and read the key out of the .key file (for an HMAC-MD5 key this file holds the shared secret itself, so treat it as private):
$ cat Kdhcpupdate.+157+19138.key
dhcpupdate. IN KEY 0 3 157 I3qsI7L/nGrxMw7+QGfngw==
dhcpd.conf
Add the key, and statements that this key should be used when updating the forward and reverse zones (the key name here must match the one named in the zone statements and in named.conf exactly):
key dhcpupdate {
        algorithm hmac-md5;
        secret "I3qsI7L/nGrxMw7+QGfngw==";
};
zone office.soho. {
        primary 127.0.0.1; # IP address of DNS server for office.soho.
        key dhcpupdate;
}
zone 0.168.192.in-addr.arpa. {
        primary 127.0.0.1; # IP address of DNS server for 0.168.192.in-addr.arpa.
        key dhcpupdate;
}
named.conf
Very much the same:
key dhcpupdate {
        algorithm hmac-md5;
        secret "I3qsI7L/nGrxMw7+QGfngw==";
};
zone "office.soho" {
           type master;
           file "internal/office.soho.db";
           allow-update { key dhcpupdate; };
};
zone "0.168.192.in-addr.arpa" {
           type master;
           file "internal/0.168.192.in-addr.arpa.db";
           allow-update { key dhcpupdate; };
};
Notice here that we allow anything that can sign with the key to do the updates, and are not restricting updates to a specific IP address (that of the DHCP server). We could add such a restriction in, but it is the key, not the source address, that actually authenticates the update.
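The most common way this setup fails silently is a mismatch between the two files: the key name spelled differently in dhcpd.conf and named.conf, a zone statement in dhcpd.conf referring to a key that is not defined there, or a secret copied with a stray character. named then simply refuses the update (logged as a TSIG or REFUSED error) and the DHCP client's name never appears. The following checker is an added example, not part of the original page: it parses key and zone blocks out of both configuration fragments with a small brace-matching reader and reports inconsistencies. The embedded sample fragments are constructed here and deliberately carry a one-letter typo in the dhcpd.conf key name (dhcupdate versus dhcpupdate) so the checker has something to find.

```python
import base64
import re

# Constructed sample dhcpd.conf fragment.  Note the one-letter typo in the key
# definition ("dhcupdate") while the zone statements reference "dhcpupdate".
DHCPD_CONF = '''
key dhcupdate {
        algorithm hmac-md5;
        secret "I3qsI7L/nGrxMw7+QGfngw==";
};
zone office.soho. {
        primary 127.0.0.1; # IP address of DNS server for office.soho.
        key dhcpupdate;
}
zone 0.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key dhcpupdate;
}
'''

# Constructed sample named.conf fragment (the key name is spelled correctly here).
NAMED_CONF = '''
key dhcpupdate {
        algorithm hmac-md5;
        secret "I3qsI7L/nGrxMw7+QGfngw==";
};
zone "office.soho" {
        type master;
        file "internal/office.soho.db";
        allow-update { key dhcpupdate; };
};
zone "0.168.192.in-addr.arpa" {
        type master;
        file "internal/0.168.192.in-addr.arpa.db";
        allow-update { key dhcpupdate; };
};
'''


def iter_blocks(text, keyword):
    """Yield (name, body) for every `keyword name { ... }` block in text.
    Braces are counted so nested blocks such as allow-update { ... } stay
    inside the body.  `key NAME;` references do not match because they are
    not followed by an opening brace."""
    for m in re.finditer(r'\b%s\s+"?([\w.-]+)"?\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == '{':
                depth += 1
            elif text[i] == '}':
                depth -= 1
            i += 1
        yield m.group(1).strip('"').rstrip('.'), text[m.end():i - 1]


def parse_keys(text):
    """Map key name -> (algorithm, base64 secret) for each key block."""
    keys = {}
    for name, body in iter_blocks(text, 'key'):
        alg = re.search(r'algorithm\s+([\w-]+)\s*;', body)
        sec = re.search(r'secret\s+"([^"]+)"\s*;', body)
        keys[name] = (alg.group(1).lower() if alg else None,
                      sec.group(1) if sec else None)
    return keys


def zone_key_refs(text):
    """Map zone name -> set of key names referenced inside its block.
    Covers both dhcpd's `key X;` and named's `allow-update { key X; };`."""
    return {name: set(re.findall(r'\bkey\s+"?([\w.-]+)"?\s*;', body))
            for name, body in iter_blocks(text, 'zone')}


def check(dhcpd_conf, named_conf, secret_bits=128):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    dk, nk = parse_keys(dhcpd_conf), parse_keys(named_conf)
    named_refs = zone_key_refs(named_conf)
    for zone, names in zone_key_refs(dhcpd_conf).items():
        for n in names:
            if n not in dk:
                problems.append(f'dhcpd.conf zone {zone}: key {n} is not defined in dhcpd.conf')
            elif n not in named_refs.get(zone, set()):
                problems.append(f'named.conf zone {zone}: does not allow-update with key {n}')
    # A key defined on both sides must carry the same algorithm and secret.
    for n in dk.keys() & nk.keys():
        if dk[n] != nk[n]:
            problems.append(f'key {n}: algorithm or secret differs between dhcpd.conf and named.conf')
    # The secret is raw HMAC key material in base64; dnssec-keygen -b 128 gives 16 bytes.
    for src, keys in (('dhcpd.conf', dk), ('named.conf', nk)):
        for n, (alg, sec) in keys.items():
            try:
                raw = base64.b64decode(sec or '', validate=True)
            except (ValueError, TypeError):
                problems.append(f'{src} key {n}: secret is not valid base64')
                continue
            if len(raw) * 8 != secret_bits:
                problems.append(f'{src} key {n}: secret is {len(raw) * 8} bits, expected {secret_bits}')
    return problems


if __name__ == '__main__':
    for p in check(DHCPD_CONF, NAMED_CONF) or ['no problems found']:
        print(p)
```

Run against the constructed fragments, the checker reports both zones in dhcpd.conf as referring to an undefined key; correcting the definition to `key dhcpupdate {` makes it pass, and changing the secret on one side only is reported as a key mismatch. The algorithm name is not interpreted, so the same check works for the hmac-sha256 keys produced by tsig-keygen in newer BIND releases.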