February 7, 2008
Straightforward DDNS Configuration On Linux
I've just been playing around with DDNS on Fedora again. I do this every few months on a new box, so this post is as much an aide-mémoire for myself as anything; however, others might find it useful. The DHCP/DNS interaction on Linux seems to be quite poorly HOWTO'd, despite best intentions.
I'm working with an FC8 box. Here are the highlights (the description is deliberately terse) of the configuration you need to make secure, TSIG-signed DDNS work:
Make An Update Key
Fedora ships an rndc.key; don't reuse that well-known, generic key for updates. Generate your own like so:
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST somehost.somedomain.com
This writes a Ksomehost.somedomain.com.+157+<id>.key file and a matching .private file. HMAC-MD5 is a shared secret rather than a public/private pair, so both files carry the same base64 secret; copy that secret into the update key file you want to use (I use update.key). HMAC-MD5 is the TSIG algorithm these versions of named and dhcpd have in common; where both ends support HMAC-SHA256, prefer it.
The generation process may appear to hang for lack of entropy. If so, open another window on the server and start typing the World's Greatest Novel, or pass -r /dev/urandom to dnssec-keygen.
The Key File Format
It should look something like this:
key somehost.somedomain.com. {
algorithm HMAC-MD5;
secret "Nd2+awholelotofseeminglyrandomstuff /moreseeeminglyrandomstuff==";
};
SELinux and Keyfiles
If you're using SELinux, the context of the key file should, for dhcpd, be:
[etc]# ls -Z update.key
-rw-r----- root named system_u:object_r:dnssec_t:s0 update.key
SELinux will complain if it's not set to this, so use chcon (chcon -t dnssec_t) to fix it if necessary; chcon only lasts until the next relabel, so use semanage fcontext if you want it to stick. The ownership and mode shown (root:named, 0640) matter as well: whoever can read this secret can rewrite your zones.
dhcpd.conf
Important parts are these:
ddns-domainname "somedomain.com" ;
ddns-update-style interim ;
ddns-ttl 86400;
key somehost.somedomain.com. {
algorithm HMAC-MD5 ;
secret ##$$##$$##$$ put the base64 secret here, the same value named has ;
}
zone somedomain.com. {
primary 127.0.0.1 ;
key somehost.somedomain.com. ;
}
zone 1.168.192.in-addr.arpa. {
primary 127.0.0.1 ;
key somehost.somedomain.com. ;
}
Rather than inlining the key, you can include "/etc/update.key"; here so that both daemons read one file. In the subnet section:
subnet 192.168.1.0 netmask 255.255.255.0
{
...
ignore client-updates ;
ddns-updates on ;
...
}
Now the named.conf file. In each zone you want to allow updates to:
zone "somedomain.com" IN {
...
allow-update {
key somehost.somedomain.com. ;
};
...
};
or, if you prefer more control, an update-policy. List every record type dhcpd will write, or the update is refused: with interim style that is A and TXT in the forward zone and PTR in the reverse zone (a grant naming only TXT lets nothing useful through).
zone "somedomain.com" IN {
...
update-policy {
grant somehost.somedomain.com. subdomain somedomain.com. A TXT ;
};
...
};
Do the same in the reverse lookup zone (granting PTR), and include the key file at the top level of named.conf:
include "/etc/update.key";
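A complete named.conf fragment for both zones with update-policy grants, as an added example rather than the post's own config. The key name and the two zones are the post's; the zone file names are my assumptions. A zone takes either allow-update or update-policy, not both.

```text
include "/etc/update.key";

zone "somedomain.com" IN {
        type master;
        file "somedomain.com.zone";          // assumed file name
        update-policy {
                // interim-style dhcpd writes an A and a TXT record per lease
                grant somehost.somedomain.com. subdomain somedomain.com. A TXT;
        };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "1.168.192.in-addr.arpa.zone";  // assumed file name
        update-policy {
                // and one PTR record in the reverse zone
                grant somehost.somedomain.com. subdomain 1.168.192.in-addr.arpa. PTR;
        };
};
```

Run named-checkconf after editing; a grant that omits a type fails silently at config time and only shows up as a REFUSED update in the log later.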
That's it.
Config testing can be done with:
named-checkconf
service dhcpd configtest
These will show you any issues with your configs before restarting (they are noisy on error only).
I'm dubious about the results from configtest, as you'll see later.
Test With nsupdate
Here's a completely uncommented example. It assumes the configs are fine, that you've restarted at least named, and that you've checked /var/log/messages for anything additional:
[etc]# nsupdate -k Ksomehost.somedomain.com.+157+08869.private
> server 127.0.0.1
> zone somedomain.com.
> update add newhost.somedomain.com. 86400 IN A 192.168.1.1
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;somedomain.com. IN SOA
;; UPDATE SECTION:
newhost.somedomain.com. 86400 IN A 192.168.1.1
> send
> quit
[etc]# ping newhost
PING newhost.somedomain.com (192.168.1.1) 56(84) bytes of data.
64 bytes from somehost (192.168.1.1): icmp_seq=1 ttl=64 time=0.053 ms
64 bytes from somehost (192.168.1.1): icmp_seq=2 ttl=64 time=0.029 ms
--- newhost.somedomain.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.029/0.041/0.053/0.012 ms
Use update delete newhost.somedomain.com. A (followed by send) to remove the entry.
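The nsupdate session above done as a script, as an added example that is not part of the original post: it signs the update with the key, does the forward and reverse zones in two separate messages, confirms both with dig, and removes the records again. Assumed, and not from the post: the function names, that the key is the K*.private file from dnssec-keygen named in $KEYFILE, that the host is one label below the forward zone, and a /24 reverse zone. Give the host name with its trailing dot so it compares equal to what dig -x returns.

```shell
#!/bin/sh
# ddns-check.sh: push an A and a PTR record through nsupdate with the TSIG key,
# confirm both resolve, then take them out again. Added example, not part of
# the original post. Assumed (mine, not the post's): the server is 127.0.0.1,
# the key is the K*.private file in $KEYFILE, the host is one label below the
# forward zone, and the reverse zone is the /24.
SERVER=${SERVER:-127.0.0.1}
KEYFILE=${KEYFILE:-}
TTL=${TTL:-86400}

# 192.168.1.1 -> 1.1.168.192.in-addr.arpa.
reverse_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Emit an nsupdate script that adds (or deletes) the A record in the forward
# zone and the PTR in the reverse zone. Each zone is its own message, hence
# the two "send" lines: a single UPDATE may only touch one zone.
build_update() {
    action=$1; host=$2; ip=$3
    zone=${host#*.}
    ptr=$(reverse_name "$ip")
    rzone=${ptr#*.}
    printf 'server %s\nzone %s\nupdate %s %s %s IN A %s\nsend\n' \
        "$SERVER" "$zone" "$action" "$host" "$TTL" "$ip"
    printf 'server %s\nzone %s\nupdate %s %s %s IN PTR %s\nsend\n' \
        "$SERVER" "$rzone" "$action" "$ptr" "$TTL" "$host"
}

# Sign and send it. nsupdate prints nothing on success; a REFUSED here means
# the key or the zone's allow-update/update-policy does not match.
run_update() {
    [ -n "$KEYFILE" ] || { echo "set KEYFILE to the K*.private file" >&2; return 1; }
    build_update "$@" | nsupdate -k "$KEYFILE"
}

# Both directions must answer; this also catches a forward zone that accepted
# the A while the reverse zone refused the PTR.
check_host() {
    host=$1; ip=$2
    [ "$(dig @"$SERVER" +short "$host" A)" = "$ip" ] || return 1
    [ "$(dig @"$SERVER" +short -x "$ip")" = "$host" ] || return 1
}

# Usage: KEYFILE=/etc/Ksomehost.somedomain.com.+157+08869.private \
#        sh ddns-check.sh newhost.somedomain.com. 192.168.1.1
if [ $# -eq 2 ]; then
    run_update add "$1" "$2" && check_host "$1" "$2" && echo "add and lookup ok"
    run_update delete "$1" "$2" && echo "removed"
fi
```

If the add succeeds but check_host fails on the reverse lookup, look at the reverse zone's grant (or allow-update) first; the forward zone accepting the A says nothing about the PTR.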
Key File Strangeness / Incompatibility
Unless I'm mistaken, it seems that named and dhcpd prefer the update.key file to be in slightly different formats. named needs quotation marks surrounding the key, or else it gives this error:
[etc]# named-checkconf
/etc/update.key:3: missing ';' before '/'
/etc/update.key:3: '}' expected near '/'
However, dhcpd complains about the quotes:
Feb 7 somehost dhcpd: /etc/update.key line 3: invalid base64 character 32.
Feb 7 somehost dhcpd: #011secret "xxyyxxxyxyxyxyxyx /xixixkxxjxjx
Feb 7 somehost dhcpd: ^
Feb 7 somehost dhcpd: /etc/update.key line 4: expecting a parameter or declaration
Feb 7 somehost dhcpd: };
Feb 7 somehost dhcpd: ^
Feb 7 somehost dhcpd: /etc/dhcpd.conf line 24: /etc/update.key: bad parse.
Feb 7 somehost dhcpd: include "/etc/update.key"
Feb 7 somehost dhcpd: ^
Feb 7 somehost dhcpd: Configuration file errors encountered -- exiting
Strangely, this causes dhcpd to fail to start (which can be seen in logs) but it is not reported by config check.
I believe that dhcpd is at fault here - the config file should allow the quotation marks.
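For the key-generation steps at the top of this post and the named/dhcpd difference just described, here is an added helper script. It is mine, not the post's, and its function names and default output path (/etc/update.key) are my assumptions. One thing to check before blaming the quotes: "invalid base64 character 32" is dhcpd complaining about ASCII 32, a space, and the example key file above does have a space inside its quoted secret (a 512-bit key is long enough that the base64 gets split when copied out of the dnssec-keygen files). The script strips whitespace from the secret, writes it quoted with the closing };, and refuses to write anything that isn't clean base64. The quoted form is what named wants, and without the space there is nothing left in it for dhcpd's base64 parser to object to.

```shell
#!/bin/sh
# update-key.sh: generate a TSIG key with dnssec-keygen and install it as a
# key file that both named and dhcpd will parse.
# Added example for this post, not the author's code. Assumed names and paths
# (mine, not the post's): make_update_key, extract_secret, write_key_file,
# check_key_file, and the default output path /etc/update.key.

# Print the base64 secret from a dnssec-keygen K*.private file with all
# whitespace removed. A long secret can be split by a space when copied out of
# the .key/.private files; dhcpd's base64 parser reports such a space as
# "invalid base64 character 32" (32 is ASCII space).
extract_secret() {
    sed -n 's/^Key: *//p' "$1" | tr -d ' \t\r\n'
}

# True if the argument is non-empty, contains only base64 characters and has a
# length that is a multiple of 4 (so a stray space or a truncated paste fails).
valid_base64() {
    case "$1" in
        '' | *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ $(( ${#1} % 4 )) -eq 0 ]
}

# Write the key clause in the one form both daemons take: quoted secret with
# no embedded whitespace, and the closing "};" that named insists on.
write_key_file() {
    name=$1; secret=$2; out=$3
    valid_base64 "$secret" || { echo "refusing to write malformed secret" >&2; return 1; }
    ( umask 077 && printf 'key %s {\n\talgorithm HMAC-MD5;\n\tsecret "%s";\n};\n' \
        "$name" "$secret" > "$out" )
}

# Check an existing key file: fails if the secret is unquoted (named rejects
# that) or has whitespace or other junk inside the quotes (dhcpd rejects that).
check_key_file() {
    s=$(sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1")
    valid_base64 "$s"
}

# Generate the key, write the file, then fix ownership, mode and SELinux label.
# Run as root. -r /dev/urandom avoids the entropy stall mentioned above.
make_update_key() {
    name=$1; out=${2:-/etc/update.key}
    case $name in *.) fq=$name ;; *) fq=$name. ;; esac   # key names are absolute
    tmp=$(mktemp -d) || return 1
    base=$(cd "$tmp" && dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST "$name") || return 1
    secret=$(extract_secret "$tmp/$base.private")
    write_key_file "$fq" "$secret" "$out" || return 1
    rm -rf "$tmp"
    chown root:named "$out" && chmod 640 "$out" || return 1
    # chcon lasts until the next relabel; semanage fcontext would make it stick.
    if command -v chcon >/dev/null 2>&1; then
        chcon -t dnssec_t "$out" 2>/dev/null || echo "chcon failed (SELinux off?)" >&2
    fi
    check_key_file "$out"
}

# Usage: . ./update-key.sh && make_update_key somehost.somedomain.com
```

Source it and call make_update_key as root; check_key_file is useful on its own against an existing /etc/update.key before restarting either daemon, which is exactly the check configtest did not do here.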
Versions
I'm using FC8 with BIND 9.5.0-23 and dhcp 3.0.6-12.
Some References
This article is great - very complete - even though it is now quite old:
my newbie DDNS-HOWTO http://www.lugs.org.sg/pipermail/slugnet/2003-January/002848.html
The following articles are great, but they don't have the dhcp config:
nsupdate: Painless Dynamic DNS http://linux.yyz.us/nsupdate/
Painless DDNS part 2: the server http://linux.yyz.us/dns/ddns-server.html
