DNS Dynamic Update

Install

    Centos:

# Creating TSIG keys

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST mydomain.com.
OR
dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpupdate

    !! The trailing dot at the end of the name is required

    ???.key
    ???.private
    
    !! chmod 400 ???*
    
# What are TSIG keys

Transaction SIGnature (RFC 2845)

A timestamp is included in the TSIG protocol to prevent recorded responses from being reused, which would allow an attacker to breach the security of TSIG.

* DNS servers and TSIG clients must therefore have an accurate clock
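Worked example, added here and not taken from the page or from BIND: a pure-Python computation of the TSIG MAC as RFC 2845 defines it, together with the server-side checks that yield BADSIG and BADTIME. The message bytes and timestamps are constructed; the shared secret is generated the way `dnssec-keygen -a HMAC-MD5 -b 128` would, as a base64 string suitable for the `secret` field in named.conf.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TSIG_CLASS_ANY = 255
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."  # RFC 2845 algorithm name for HMAC-MD5

def wire_name(name):
    """Canonical DNS wire form of a dotted name: lower-case labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG RDATA fields covered by the MAC (RFC 2845 s3.4.2), in order: key NAME,
    CLASS (ANY), TTL (0), algorithm name, 48-bit time signed, fudge, error, other."""
    hi, lo = time_signed >> 32, time_signed & 0xFFFFFFFF
    return (wire_name(key_name) + struct.pack("!HI", TSIG_CLASS_ANY, 0)
            + wire_name(HMAC_MD5_ALG)
            + struct.pack("!HIHHH", hi, lo, fudge, error, len(other)) + other)

def sign(secret_b64, key_name, message, time_signed, fudge=300):
    """MAC over the unsigned DNS message followed by the TSIG variables.
    secret_b64 is the base64 string that goes into named.conf's secret "...";"""
    secret = base64.b64decode(secret_b64)
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()

def verify(secret_b64, key_name, message, mac, time_signed, fudge, now):
    """Server-side acceptance check. A valid MAC alone is not enough: the
    timestamp must lie within +/- fudge of the server clock, which is what
    rejects a replayed update and why both ends need accurate time."""
    expected = sign(secret_b64, key_name, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"   # TSIG error 16
    if abs(now - time_signed) > fudge:
        return "BADTIME"  # TSIG error 18
    return "NOERROR"

def new_secret_b64(bits=128):
    """Random shared secret, like dnssec-keygen -a HMAC-MD5 -b 128 produces."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()

if __name__ == "__main__":
    # Constructed stand-in for the unsigned nsupdate request bytes.
    msg, t0, key = b"update add test1.mydomain.com. 600 A 127.0.0.1", 1_700_000_000, new_secret_b64()
    mac = sign(key, "mydomain.com.", msg, t0)
    print(verify(key, "mydomain.com.", msg, mac, t0, 300, t0 + 60))    # NOERROR
    print(verify(key, "mydomain.com.", msg, mac, t0, 300, t0 + 3600))  # BADTIME: replayed an hour later
```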

Configuration

options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
};

'key' section
 
key "mydomain.com." {
    algorithm hmac-md5;
    secret "???????????";
};

zone "mydomain.com" {
    type master;
    file "/var/lib/bind/mydomain.com.db";
    allow-update { key "mydomain.com."; };
};

# Update

nsupdate prompt:

    nsupdate -k Kmyzone.com.+157+02058.private

    > update add test1.mydomain.com. 600 A 127.0.0.1
    > send

Script:

nsupdate -k Kmyzone.com.+157+02058.private -v nsupdate.txt

nsupdate.txt

server master.dns.server
debug yes
zone myzone.com.
update add test2.mydomain.com. 600 CNAME ns1
show
send

Remark

nsupdate changes take effect immediately on the DNS master server (and they also get pushed from there to the slave servers), but they are not written immediately to the actual DNS zone file on disk on the master server. Instead, a journal file is used, in the same directory as the zone file. The journal entries get applied periodically to the main zone file.

DOC:

http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm