Dynamic DNS Zone

To be able to make dynamic changes to the dns it needs to allow updates to a zone. To restrain the access it’s good practice to create a subdomain and restict dynamic updates to this subdomain and some specific types of records only. In addition we would use TSIG keys to narrow down the entities that are allowed to udpate the zone. So create a TSIG key first

key "yoursubdomain.dyn.yourdomain.tld" {
    algorithm hmac-sha512;
    secret "your_secret_goes_here";
};

and then grand this key the rights to update the records in the dynamic zone. The zone definition in named.conf looks more or less like the definition that was created earlier but the line with update-policy enables bind dns server to update this zone dynamically. So a client with a TSIG key that got permission granted to update the zone can do so.

Important

bind dns server is taking control of changes in the zone so all changes made by hand will be removed on the next update!. To do manually change something in the file someone has to freeze the zone and then thaw it to allow updates again.

BUT FREEZE SHOULDN’T BE THE FIRST OPTION, defining a structured update-policy will take care of the zone.

zone "dyn.yourdomain.tld" {
        type master;
        file "/usr/local/etc/namedb/master/dyn.yourdomain.tld/dyn.yourdomain.tld";

        key-directory "/usr/local/etc/namedb/keys/dyn.yourdomain.tld";
        dnssec-policy standard;
        inline-signing yes;

        allow-transfer { localhost; internal_nets; afraid_servers; key "yourdomain.tld"; };
        notify explicit; also-notify { 216.218.130.2; 2001:470:100::2; 69.65.50.223; };
        allow-query { any; };
        update-policy { grant yoursubdomain.dyn.yourdomain.tld self yoursubdomain.dyn.yourdomain.tld A AAAA; };
};

The TSIG key your.dyn.yourdomain.tld is allowed to update an A and AAAA Record with the same name. Any other attempts to update or create a record other then A or AAAA will be refused.

The zone file needs a SOA record again and of course the namesservers that are serving the zone.

$ORIGIN .
$TTL 3600   ; 1 hour
dyn.yourdomain.tld  IN SOA  ns1.he.net. you.yourdomain.tld. (
                10004      ; serial
                14400      ; refresh (4 hours)
                3600       ; retry (1 hour)
                3600000    ; expire (5 weeks 6 days 16 hours)
                3600       ; minimum (1 hour)
                )
            NS      ns1.he.net.
            NS      ns2.he.net.
            NS      ns2.afraid.org.
            NS      ns4.he.net.
            NS      ns5.he.net.
            A       your_server_ip

Since the subdomain for the dynamic updates is hosted on the same server as the parent zone some glue in that parent zone is needed. The glue needed are nameserver, the A record and since DNSSEC is used a DS record to verify the records in the subdomain.

dyn             IN      NS      ns1.he.net.
dyn             IN      NS      ns2.he.net.
dyn             IN      A       your_server_ip
dyn             IN       DS     64819 13 2 8B25139B6FF19BB4A1E23F428AAC7C6449F51190866EC6B0FF270568B6B9463B

To create a DS record the dnssec-dsfromkey tool shiped with bind dns server is used.

dnssec-dsfromkey -2 -A /usr/local/etc/namedb/keys/dyn.yourdomain.tld/Kdyn.yourdomain.tld.+013+64819.key
dyn.yourdomain.tld. IN DS 64819 13 2 8B25139B6FF19BB4A1E23F428AAC7C6449F51190866EC6B0FF270568B6B9463B

With these pieces in place the zone is ready to be served but there is no entry on the Hurrican Electric and afraid.org servers yet. So those slave zone need to be added too. As soon as this is done it might take a while till the propagation is done. Test with a website like zonemaster.net will show success or problems.

_images/dns018.png