Bind Dynamic Update Key Generation



Aug 21, 2008: This is all great; however, when you try updating a zone file that BIND thinks is dynamic and then reloading it, BIND throws an error:

    # rndc reload example.com
    rndc: 'reload' failed: dynamic zone

This reminds you that it won't allow you to reload a dynamic zone, so you have to tell BIND to temporarily stop allowing dynamic updates.

This document is about setting up a dynamic DNS entry for a system on the internet without a static IP. The process involves two systems:

  • Server: static IP, running BIND (int0x80.com)
  • Home: dynamic IP, running Debian

I created a sub-domain, dyn.int0x80.com, to which hosts can be added.

This document assumes a working BIND setup is already in place. Installing and configuring BIND is out of scope here.


Key Generation

First step is to generate a key on the server.

This creates two files, a .key and a .private file, whose names differ from run to run (the numeric suffix is the generated key's id).

Here are the sanitized contents of each file.

Khome.dyn.int0x80.com.+157+62567.key:

Khome.dyn.int0x80.com.+157+62567.private:

Notice that the Key: field in the .private file is simply the concatenated key from the .key file.

Key File

Next I created a key file at /etc/bind/key.home.dyn.int0x80.com.

Then add the following line to /etc/bind/named.conf.local to include the new key.

Dynamic Zone

With the key in place on the server, all that remains is to add a zone for BIND. This is my entry further down in /etc/bind/named.conf.local:

Lastly put the /etc/bind/db.dyn.int0x80 file into place.

Restart BIND with a simple sudo service bind9 restart and it's time for the client side.

First transfer the .key and .private files down to the client system via your transport mechanism of choice. Once situated, chmod each file to 0400.

Update Script

The nsupdate tool in the dnsutils package will perform the update. I wrote a simple wrapper script in bash to run the update for me.

Running the do-nsupdate script manually will show whether everything is working correctly.
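As an added example (not the post's own do-nsupdate script), the following Python checks the relationship noted earlier between the .key and .private files and builds the command batch a do-nsupdate-style wrapper would hand to `nsupdate -k`. The file contents and the client IP are constructed samples; the server, zone and host names are the ones used in the post.

```python
import ipaddress

# Constructed sample pair laid out like the K*.key / K*.private files the post
# shows; the base64 here is made-up demo material, not a real key.
SAMPLE_KEY = ("home.dyn.int0x80.com. IN KEY 512 3 157 "
              "c29tZS1mYWtlLWtleS1tYXRlcmlhbC1mb3It ZGVtby1vbmx5LW5vdC1yZWFs\n")
SAMPLE_PRIVATE = ("Private-key-format: v1.2\n"
                  "Algorithm: 157 (HMAC_MD5)\n"
                  "Key: c29tZS1mYWtlLWtleS1tYXRlcmlhbC1mb3ItZGVtby1vbmx5LW5vdC1yZWFs\n")


def parse_key_file(text):
    """Return (owner, algorithm number, joined base64 key) from a K*.key file.
    dnssec-keygen may print the key material split across several tokens."""
    fields = text.split()
    i = fields.index("KEY")                   # 'owner IN KEY flags proto alg key...'
    return fields[0], int(fields[i + 3]), "".join(fields[i + 4:])


def parse_private_file(text):
    """Return {field: value} for the 'Name: value' lines of a K*.private file."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip()] = value.strip()
    return out


def keys_match(key_text, private_text):
    """The check the post makes by eye: same algorithm number, and the Key:
    field is exactly the .key file's key material with whitespace removed."""
    _, alg, joined = parse_key_file(key_text)
    priv = parse_private_file(private_text)
    return int(priv["Algorithm"].split()[0]) == alg and priv["Key"] == joined


def nsupdate_batch(server, zone, host, ip, ttl=60):
    """Build the stdin a do-nsupdate-style wrapper feeds to `nsupdate -k K*.private`.
    The address is validated first so a bad IP-detection result never reaches the zone."""
    ip = str(ipaddress.IPv4Address(ip))       # raises ValueError on garbage input
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {host} A",            # drop the stale record
        f"update add {host} {ttl} A {ip}",    # publish the current address
        "send",
        "",
    ])
```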

Last Steps

After a manual run, a quick test with dig will show if the record updated. Note that 216.54.147.14 is the IP for int0x80.com.

The do-nsupdate script can be scheduled to run automatically on the client with cron. I put mine at every 15 minutes as I had some issues with my ISP flapping on addresses in the past.

    1. In your main DNS infrastructure create a delegation: _acme-challenge.<domain>. NS <your-nameserver>.
    2. Create a new zone _acme-challenge.<domain> on <your-nameserver>, with an empty zonefile (just an SOA and NS record), writeable by the nameserver
    3. Create a new TSIG key: dnssec-keygen -r /dev/urandom -a hmac-sha512 -b 128 -n HOST <keyname>
    4. Enable dynamic updates on the _acme-challenge.<domain> zone with this key

    e.g. for bind9:


    This is a secure approach because each host has its own key and hence can only obtain certificates for the domains you have explicitly authorized it for. Use /dev/random instead of /dev/urandom as the -r argument to dnssec-keygen to increase security further.

    An alternative approach is to use CNAMEs to put all your dynamic updates into a single zone. You will need to modify the script:

    You then only need to create a single zone acme.mydomain.com which accepts dynamic DNS updates, but you will need to add static CNAMEs for _acme-challenge.<certname> pointing at _acme-challenge.<certname>.acme.mydomain.com for each certificate you want to issue.


