Nsupdate for DDNS update record

DDNS update with Nsupdate utility

Adding records

> update add www1.example.com 86400 a 172.16.1.1
> update add www.example.com 600 cname www1.example.com.
> send

> update add 1.1.16.172.in-addr.arpa 86400 ptr www1.example.com.
> send

Multiple updates

> update delete www.example.com cname
> update delete www1.example.com a
> update delete www2.example.com a
> update delete www3.example.com a
> send

Deleting a record

> update delete www.example.com cname
> send

With TSIG key

nsupdate -v -k /etc/bind/admin-updater.key

The first option, -v, tells nsupdate to talk to the DNS server over TCP instead of UDP.

The second option, -k, gives the path of the TSIG key file used to sign the update.

Example

# nsupdate
> server ns.mydns.com
> update delete oldhost.example.com. A
> update add newhost.example.com. 86400 A 192.168.254.117
> send
> quit

Example 2

# nsupdate -k /path/to/file-is-rndc.key
> server server1.example.com
> zone my.example.com
> update add host1.my.example.com. 3600 A 10.20.30.40
> zone 30.20.10.in-addr.arpa.
> update add 40.30.20.10.in-addr.arpa. 7200 PTR host1.my.example.com.
> send
> quit

http://dag.wieers.com/howto/bits/bind-ddns.php

http://grayingmatter.consorti.com/2009/03/nsupdate-by-key-from-rhel.html

http://honglus.blogspot.in/2012/02/nsupdatethe-command-line-tool-to-manage.html

nsupdate, the command-line tool to manage BIND DNS records
nsupdate can submit Dynamic DNS Update requests, as defined in RFC 2136, to a name server; it is provided by the "bind-utils" package.
Authentication for DNS updates
Transaction signatures (TSIG) can be used to authenticate Dynamic DNS updates. The only supported encryption algorithm for TSIG is HMAC-MD5.
The TSIG public key is stored in a KEY record in a zone served by the name server, and the TSIG private key is used by nsupdate to authenticate itself.

$mkdir  /var/named/keys; cd /var/named/keys

$dnssec-keygen -a HMAC-MD5 -b 256 -n USER  server1-ddns-key

Kserver1-ddns-key.+157+00575.key

Kserver1-ddns-key.+157+00575.private

#Since HMAC-MD5 is a symmetric algorithm, the "key string" in the private key file and the public key file is the same, so the public key file can be deleted.

$ rm Kserver1-ddns-key.+157+00575.key

$ cat Kserver1-ddns-key.+157+00575.private

Private-key-format: v1.2

Algorithm: 157 (HMAC_MD5)

Key: x3NLKprWMvSMaPx75At6zA+DiWb2SvzpFzPFowc7SBU=

#Create a BIND configuration file to be included from /etc/named.conf (this is optional; the statements can be placed in /etc/named.conf directly)

$cat keys.conf

#the key name is arbitrary, but it must be the same name that was specified on the dnssec-keygen command line

key server1-ddns-key {
algorithm HMAC-MD5;
secret "x3NLKprWMvSMaPx75At6zA+DiWb2SvzpFzPFowc7SBU=";
};

$cat /etc/named.conf

include "/var/named/keys/keys.conf";

#zone example.com allows this key to perform updates

zone "example.com" IN {
type master;
file "example.zone";
allow-update { key server1-ddns-key; };
};

The journal file for dynamic update
All changes made to a zone using dynamic update are stored in the zone's journal file.
The name of the journal file is formed by appending the extension .jnl to the name of the corresponding zone file.
The updated entries are saved in the .jnl file and are merged into the zone file when one of the following happens:
1. Every 15 minutes
2. The "rndc freeze zone" command is issued
3. The service restarts
However, the updated records in memory become effective immediately, without waiting to be merged into the zone file.
In order for the named process to write the journal file, the zone directory /var/named/ must be writable by the named user or group:
$chown root:named /var/named; chmod g+rw /var/named
nsupdate sample commands

$nsupdate -k Kserver1-ddns-key.+157+00575.private

> server localhost

> zone example.com

> update add www1.example.com 86400 A 172.16.1.11

> send

Suspend dynamic DNS update

#sometimes it is necessary to update the zone file manually; follow this order when editing the zone file by hand

$rndc freeze example.com

$vi example.com.zone

$rndc thaw example.com

#if your zone exists in multiple views, you may get this error:

$rndc freeze example.com

rndc: 'freeze' failed: not found

#You have to specify the class name (IN) and the view name in full.

$rndc freeze example.com  IN myview-name
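The freeze / edit / thaw sequence above is easy to get wrong by hand: if the editor session is abandoned after rndc freeze, the zone stays frozen and every later dynamic update is refused. The wrapper below is an added example, not part of the original notes. It assumes rndc is on PATH and already configured for the server, and it handles the multi-view case described above by retrying with the class and view name when the plain freeze answers "not found". The function name freeze_edit_thaw and its argument layout are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original notes: freeze a dynamically updated zone,
# run an editor (or any command) on its zone file, then thaw it again.
# Assumes rndc is on PATH and already configured for this server.
#
# Usage: freeze_edit_thaw ZONE VIEW COMMAND [ARGS...]
#   VIEW is "" for a zone that is not inside a view, e.g.
#   freeze_edit_thaw example.com "" vi /var/named/example.com.zone
#   freeze_edit_thaw example.com myview-name vi /var/named/example.com.zone

freeze_edit_thaw() {
    zone=$1
    view=$2
    shift 2

    # Plain "rndc freeze ZONE" works when the zone is defined once. When the same
    # zone exists in several views rndc answers "not found" and needs the class
    # (IN) and the view name spelled out.
    if out=$(rndc freeze "$zone" 2>&1); then
        target=$zone
    else
        case $out in
            *"not found"*)
                if [ -z "$view" ]; then
                    echo "rndc freeze $zone failed ($out); pass the view name" >&2
                    return 1
                fi
                rndc freeze "$zone" IN "$view" || return 1
                target="$zone IN $view"
                ;;
            *)
                echo "$out" >&2
                return 1
                ;;
        esac
    fi

    # Edit while dynamic updates are suspended; remember the result.
    "$@"
    rc=$?

    # Thaw even if the edit failed: a zone left frozen rejects every later
    # dynamic update. $target is deliberately unquoted so that "zone IN view"
    # becomes three separate arguments.
    rndc thaw $target || return 1
    return $rc
}

# Run directly: sh freeze-edit-thaw.sh ZONE VIEW COMMAND...
if [ $# -ge 3 ]; then
    freeze_edit_thaw "$@"
fi
```

The function refuses to continue when the plain freeze fails and no view name was given, rather than guessing, so a zone is never left half-frozen; the thaw runs regardless of whether the edit command succeeded.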

nsupdate By Key From RHEL
We have a DNS zone here at DJ that’s used for allowing nsupdates, typically in the case of applications with an HA capability between VLANs out on the WAN (when migrating the production IP is not an option).

While we have used ACLs for the allow-update stanza in bind’s named.conf, I wanted to make the push towards key-based authentication. The following how-to is what I did to make that work.

First, generate the key. This will create two files, containing the same key, due to backwards compatibility issues with the library used to create the key. The options to pass to the “dnssec-keygen” tool (part of the bind RPM) are simple. The “-r /dev/urandom” bit below uses the pseudo-random driver to generate the key; something perfectly sufficient for this case IMHO. The name you use for the key is not important. Though it looks like an FQDN, it can be “fuzzydice” if you want it to be. The convention in all things BIND seems to be “something.yourdomain.com”.

# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST -r /dev/urandom some.meaningful.name.com
Ksome.meaningful.name.com.+157+01885
# ls *meaningful*
Ksome.meaningful.name.com.+157+01885.key Ksome.meaningful.name.com.+157+01885.private
#

I prefer to copy the key string from the “.private” key file as it doesn’t have any spaces in the key string. Its contents would look like this.

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: sKTsCBcE9PbjY8nG9izhfbASk5O1xI9L+O7R/tC3go+HVsneIOZuoEy9DH0dTILbjodRj9QZT6RPT3MwUHg8aw==

The next step is to allow this key’s use by named. You will need to edit “named.conf” in at least one place, possibly two.

First, update your “allow-update” line in the zone entry. For example see below.

zone "ha.yourdomain.com" in {
type master;
file "db.ha.yourdomain.com";
forwarders {};
allow-update { key some.meaningful.name.com; };
};

You can mix ACLs, hosts, and keys on the same “allow-update”.

allow-update { key some.meaningful.name.com; 192.168.1.1; my_trusted_acl; };

Secondly, you need to include the key for named to pick up. This is typically done in one of two ways: directly in the “named.conf” file or in an included file. RHEL’s named.conf, out of the box, should have the following line.

include "/etc/key.conf";

Ideally, this is where you put the key to avoid a messy “named.conf” but you could put the key directly in. Either way, your entry should look something like this.

key some.meaningful.name.com. {
algorithm hmac-md5;
secret "sKTsCBcE9PbjY8nG9izhfbASk5O1xI9L+O7R/tC3go+HVsneIOZuoEy9DH0dTILbjodRj9QZT6RPT3MwUHg8aw==";
};

Don’t forget to reload named.

# rndc reload

Now that was the hard part. The easy part is to actually use the key. The “nsupdate” tool is well documented in RHEL’s man page, so I’ll just show an example case. What isn’t so well documented is that you need BOTH “.key” and “.private” files even though you only refer to one on the command line. Keep both of those files in the same directory.

# nsupdate -k Ksome.meaningful.name.com.+157+01885.private
> server 192.168.254.2
> update delete virtualhost.ha.yourdomain.com. CNAME
> update add virtualhost.ha.yourdomain.com. 300 CNAME virtualhost.otherdc.yourdomain.com.
> send
> quit
#

You can script this action by putting the nsupdate commands in a “conf” file that is passed to “nsupdate” as an option.
Posted by Jason Consorti at 7:10 AM
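Both key walkthroughs on this page, the honglus notes with keys.conf and the Consorti how-to with /etc/key.conf, copy the Key: line out of the dnssec-keygen .private file into a key stanza by hand, and a mis-pasted secret shows up only later as failed updates. The script below is an added example, not code from either post: it reads the .private file, checks that the secret is well-formed base64, and prints the stanza with straight quotes ready for inclusion. It assumes the v1.2 private-key layout shown above ("Algorithm: 157 (HMAC_MD5)" followed by "Key: <base64>"); the function name key_stanza, the helper demo and the secret in the demo file are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from either blog post: turn a dnssec-keygen ".private"
# file into the "key" stanza that named.conf (or an included keys.conf) expects,
# so the secret is never retyped by hand. Assumes the v1.2 private-key layout
# shown above ("Algorithm: 157 (HMAC_MD5)" followed by "Key: <base64>").
#
# Usage: key_stanza FILE [NAME]
#   NAME defaults to the key name embedded in the file name, e.g.
#   Kserver1-ddns-key.+157+00575.private  ->  server1-ddns-key

key_stanza() {
    file=$1
    name=${2:-$(basename "$file" | sed 's/^K//; s/\.+[0-9]*+[0-9]*\.private$//')}

    # "157 (HMAC_MD5)" -> "HMAC-MD5", the spelling used in named.conf
    alg=$(sed -n 's/^Algorithm: *[0-9]* *(\([A-Za-z0-9_]*\)).*/\1/p' "$file" | sed 's/_/-/g')
    secret=$(sed -n 's/^Key: *//p' "$file")

    if [ -z "$alg" ] || [ -z "$secret" ]; then
        echo "$file: no Algorithm or Key line found" >&2
        return 1
    fi

    # Reject anything that is not well-formed base64: a mangled secret makes
    # every signed update fail with BADSIG, which is tedious to trace later.
    case $secret in
        *[!A-Za-z0-9+/=]*)
            echo "$file: Key contains characters that are not base64" >&2
            return 1
            ;;
    esac
    if [ $(( ${#secret} % 4 )) -ne 0 ]; then
        echo "$file: Key length is not a multiple of 4" >&2
        return 1
    fi

    printf 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$alg" "$secret"
}

# Demo on a constructed key file; the secret below is made up for this example
# and is not one of the keys shown on the page.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/Kdemo-ddns-key.+157+00001.private" <<'EOF'
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=
EOF
    key_stanza "$dir/Kdemo-ddns-key.+157+00001.private"
    rm -rf "$dir"
}

demo
```

Redirect the output into the included file (keys.conf or /etc/key.conf) and reload named as both posts describe. named accepts the algorithm name case-insensitively, so the HMAC-MD5 spelling taken from the key file matches the hmac-md5 spelling used in the second post.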


About bpn4it

Feel Free in Linux. Bipin Patel bpn4it@gmail.com Ahmadabad, Gujarat, India
This entry was posted in Bipin hands-on.
