Diff for revision 4110 (no edit comment):
Line 55: | Line 55: |
algorithm hmac-sha512; | algorithm hmac-sha256; |
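Review bot: changing only the algorithm name on line 55 from hmac-sha512 to hmac-sha256 leaves the secret on the same key statement as it was, and that secret (88 base64 characters, i.e. 64 bytes or 512 bits) is the size produced for an HMAC-SHA512 key, not the 256-bit secret (44 characters) that the page's dnssec-keygen -a HMAC-SHA256 -b 256 command yields. HMAC tolerates an over-long key, so BIND will still load the clause, but the DHCP server's key clause must carry the identical name, algorithm and secret or every update is rejected as a bad TSIG (BADKEY/BADSIG). Regenerate the secret for the algorithm actually in use and change both sides in one step rather than editing the algorithm word alone.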
DNS Master
Network
We will give the DNS master a static IP address. Edit /etc/network/interfaces and make the following changes (the DHCP stanza is commented out and replaced by a static one).
# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
    address 192.168.1.34
    network 192.168.1.0
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
Install BIND
apt-get install bind9
Configure BIND
Stop BIND
service bind9 stop
Make BIND listen
Edit /etc/bind/named.conf.options and add the following inside the options { ... } block, so that BIND accepts queries on every interface and not only on localhost:
listen-on { any; };
Because this exposes the server on every network the host is attached to, keep recursion limited to your own networks in the same options block (allow-recursion); an authoritative server that also recurses for anyone is an open resolver.
Make a DDNS update key
As of now I cannot get the sha256 keys to work; according to https://kb.isc.org/article/AA-01243/0/DHCP-4.2.8b1-Release-Notes.html it should be implemented in ISC's DHCP server, but it does not seem to work.
We are going to let the DHCP server update BIND. For this we need an update key: a shared TSIG secret that both daemons know. Create it with the following command (on BIND 9.13 and later, where dnssec-keygen no longer generates HMAC keys, use tsig-keygen instead, which prints a ready-made key clause). Remember that entropy must be available for the key to be generated; you can check the available entropy in /proc/sys/kernel/random/entropy_avail.
dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ddns-update
This creates two files with names like Kddns-update.+157+18646.private and Kddns-update.+157+18646.key. The number after the first plus sign is the algorithm number (157, as in these example names, is HMAC-MD5; HMAC-SHA256 keys get 163) and the last number is the key tag. Despite the names there is no public key here: TSIG keys are symmetric, and both files contain the same base64 secret, which is exactly what the DHCP server will present to BIND. Copy the secret from the Key: line of the .private file into a new file /etc/bind/ddns-update.dnskey, and treat it like a password: anyone who has it can rewrite both zones.
key "ddns-update" {
    algorithm hmac-sha256;
    secret "yYFzfibvlpS33+vsngV2jF5tGkTiVSjhYoFuV0T7bnCVfFGx3Mu05SW+LakImdofkNM00LxHCLuvD1W1vSWMmA==";
};
Make sure BIND can read /etc/bind/ddns-update.dnskey and that nobody else can: after the chown below, also set the mode to 640, because any local user able to read the secret can update the zones.
chown root:bind /etc/bind/ddns-update.dnskey
Create a new zone
/etc/bind/named.conf.kallenberg.dk
# Key used by DHCP servers for dynamic DNS updates
include "/etc/bind/ddns-update.dnskey";

zone "kallenberg.dk" {
    type master;
    file "/var/lib/bind/kallenberg.dk.zone";
    allow-transfer { 192.168.1.35; };
    allow-update { key "ddns-update"; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/1.168.192.zone";
    allow-transfer { 192.168.1.35; };
    allow-update { key "ddns-update"; };
};
allow-update restricts updates to requests signed with the ddns-update key; allow-transfer lets only the secondary at 192.168.1.35 pull the zones. Include the new file from /etc/bind/named.conf.local:
include "/etc/bind/named.conf.kallenberg.dk";
/var/lib/bind/kallenberg.dk.zone
$ORIGIN .
$TTL 86400      ; 1 day
kallenberg.dk           IN SOA  ns01.kallenberg.dk. hostmaster.kallenberg.dk. (
                                20171210   ; serial
                                7200       ; refresh (2 hours)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                60         ; minimum (1 minute)
                                )
                        IN NS   ns01.kallenberg.dk.
                        IN NS   ns02.kallenberg.dk.
                        A       2.107.246.10
$ORIGIN kallenberg.dk.
$TTL 86400      ; 1 day
ns01                    IN A    192.168.1.34
ns02                    IN A    192.168.1.35
The second name in the SOA record is the zone contact's mailbox with the @ written as a dot (hostmaster.kallenberg.dk. here), not the secondary name server. The zone lives under /var/lib/bind rather than /etc/bind because BIND must be able to write the journal file (kallenberg.dk.zone.jnl) that dynamic updates produce; once updates are flowing, do not edit the zone file by hand without first freezing the zone with rndc freeze.
/var/lib/bind/1.168.192.zone
$ORIGIN .
$TTL 86400      ; 1 day
1.168.192.in-addr.arpa  IN SOA  ns01.kallenberg.dk. hostmaster.kallenberg.dk. (
                                20171210   ; serial
                                7200       ; refresh (2 hours)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                60         ; minimum (1 minute)
                                )
                        IN NS   ns01.kallenberg.dk.
                        IN NS   ns02.kallenberg.dk.
$ORIGIN 1.168.192.in-addr.arpa.
34                      IN PTR  ns01.kallenberg.dk.
35                      IN PTR  ns02.kallenberg.dk.
The owner of each PTR record is the last octet of the address, so ns01 (192.168.1.34) and ns02 (192.168.1.35) are 34 and 35, and the targets need a trailing dot: without it BIND appends the $ORIGIN and the record ends up pointing at ns01.kallenberg.dk.1.168.192.in-addr.arpa.
Start BIND
Check the configuration with named-checkconf, and each zone file with named-checkzone, so that a typo does not leave you without DNS; then finally start the service again.
service bind9 start
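As an added example (not code from the original page), the procedure above condensed into one script: it generates a TSIG secret of the right size for the chosen algorithm, installs it as the ddns-update key with permissions only root and the bind group can read, prints the matching key clause for dhcpd.conf, validates named.conf and both zone files, and then proves the key works by sending a signed dynamic update with nsupdate and reading it back with dig. Zone names, file paths and addresses are the ones used on this page; the test host name ddns-test, the address 192.168.1.200 and the DDNS_APPLY switch are assumptions of the example. Nothing on the system is changed unless DDNS_APPLY=1 is set, so the functions can also be sourced and used one at a time.

```shell
#!/bin/sh
# Added example: set up and verify the "ddns-update" TSIG key for BIND.
# Paths, zone names and addresses follow the page; ddns-test and
# 192.168.1.200 are made up for the round-trip test.
set -eu

ZONE=kallenberg.dk
REV=1.168.192.in-addr.arpa
KEYNAME=ddns-update
KEYFILE=/etc/bind/ddns-update.dnskey
ALG=hmac-sha256
NS=192.168.1.34

# Random secret sized for the algorithm: 256 bits for hmac-sha256,
# 512 for hmac-sha512 (tsig-keygen does the same; this needs no BIND tools).
gen_secret() {
    case "$1" in
        hmac-sha256) bytes=32 ;;
        hmac-sha512) bytes=64 ;;
        *) echo "unsupported algorithm: $1" >&2; return 1 ;;
    esac
    head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
}

# Bit length of a base64 secret, to check a key clause against its algorithm.
secret_bits() {
    printf '%s' "$1" | base64 -d | wc -c | awk '{ print $1 * 8 }'
}

# Key clause in named.conf syntax (contents of /etc/bind/ddns-update.dnskey).
bind_key_clause() {   # $1 name, $2 algorithm, $3 secret
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# The same key as ISC dhcpd expects it in dhcpd.conf; name, algorithm and
# secret must match BIND's exactly or updates fail with BADKEY/BADSIG.
dhcpd_key_clause() {
    printf 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# Write the key file so that only root and the bind group can read it.
install_key() {
    ( umask 027; bind_key_clause "$KEYNAME" "$ALG" "$1" > "$KEYFILE" )
    chown root:bind "$KEYFILE"
    chmod 640 "$KEYFILE"
}

# Syntax-check the config and both zones before (re)starting named.
check_config() {
    named-checkconf /etc/bind/named.conf
    named-checkzone "$ZONE" /var/lib/bind/kallenberg.dk.zone
    named-checkzone "$REV" /var/lib/bind/1.168.192.zone
}

# Signed round trip: add a test A/PTR pair with the key, read both back,
# then delete them again. nsupdate -k reads the same file BIND uses.
test_update() {
    nsupdate -k "$KEYFILE" <<EOF
server $NS
zone $ZONE
update add ddns-test.$ZONE. 300 IN A 192.168.1.200
send
zone $REV
update add 200.$REV. 300 IN PTR ddns-test.$ZONE.
send
EOF
    dig +short @"$NS" "ddns-test.$ZONE" A | grep -qx 192.168.1.200
    dig +short @"$NS" -x 192.168.1.200 | grep -qx "ddns-test.$ZONE."
    nsupdate -k "$KEYFILE" <<EOF
server $NS
zone $ZONE
update delete ddns-test.$ZONE. A
send
zone $REV
update delete 200.$REV. PTR
send
EOF
}

# Only touch the system when explicitly asked (DDNS_APPLY=1).
if [ "${DDNS_APPLY:-0}" = 1 ]; then
    secret=$(gen_secret "$ALG")
    install_key "$secret"
    echo "Put this key clause in dhcpd.conf on the DHCP server:"
    dhcpd_key_clause "$KEYNAME" "$ALG" "$secret"
    check_config
    service bind9 restart
    test_update && echo "signed dynamic update OK"
fi
```

Run it as root on the master with DDNS_APPLY=1 sh ddns-setup.sh. The secret_bits helper is also useful on an existing key file: a secret for hmac-sha256 should report 256, and the 88-character secret shown earlier on this page reports 512, which is how to spot a key clause whose algorithm word was changed without regenerating the secret.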