>>>>> "hz" == Hans Zaunere <lists@xxx> writes:

 hz> -- internal authoritative DNS server to provide internal
 hz> server naming for development servers, etc; company internet
 hz> facing authoritative DNS is handled elsewhere

I've been using dhcpd's TSIG dynamic update feature, and it seems to
work pretty well.

/etc/dhcpd.conf
-----8<-----
include "/usr/export/named/etc/dhcpd.key";

zone gypsy.th3h.inner.chaos. {
        primary 10.100.100.10;
        key dhcpd-key;
}

zone 100.100.10.in-addr.arpa. {
        primary 10.100.100.10;
        key dhcpd-key;
}

ddns-update-style interim;
ignore client-updates;

option domain-name "th3h.inner.chaos";
[...]
-----8<-----

/etc/rc.conf
-----8<-----
named=YES
named_chrootdir="/usr/export/named"
dhcpd=YES
dhcpd_flags="-q tlp2 tlp3 tlp4"
-----8<-----

(generate this file with

    dnssec-keygen -a hmac-md5 -b 512 -n user -r /dev/urandom dhcpd-key

then take the key out of Kdhcpd-key.+157+_____.private and put it into
this format after 'secret')

/usr/export/named/etc/dhcpd.key
-----8<-----
key dhcpd-key {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret ABCdefg1234==;
};
-----8<-----

make sure the 'dyn' directory is writable by the named user.

/usr/export/named/etc/named.conf
-----8<-----
acl localhost6 { ::1/128; };
acl fw { 192.168.0.0/16; 69.31.131.32/27; 2001:4830:2150::/48; localhost; localhost6; };
acl chaosvpn { 10.0.0.0/8; };

include "/etc/dhcpd.key";

zone "100.100.10.in-addr.arpa." in {
        type master;
        file "dyn/10.100.100.inaddr";
        allow-query { fw; chaosvpn; };
        allow-update { key dhcpd-key; };
};

zone "gypsy.th3h.inner.chaos." in {
        type master;
        file "dyn/gypsy.th3h.inner.chaos.master";
        allow-query { fw; chaosvpn; };
        allow-update { key dhcpd-key; };
};
-----8<-----
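A sanity check for the setup described in the message above, added here as an example and not part of the original post. It parses the dhcpd.key stanza (checking that the pasted secret is valid base64, how many bits it carries, and which TSIG algorithm it names) and then confirms that every zone dhcpd signs updates for in dhcpd.conf is accepted under the same key name in named.conf's allow-update. The three configuration strings are constructed samples modelled on the message; the secret is a placeholder (bytes 0..63 base64-encoded), not a real key.

```python
import base64
import binascii
import re

# Constructed sample inputs modelled on the message's configuration. The secret
# is a placeholder; a real deployment uses the value dnssec-keygen writes to the
# .private file.
SAMPLE_SECRET = base64.b64encode(bytes(range(64))).decode()

SAMPLE_KEY_FILE = f"""
key dhcpd-key {{
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret {SAMPLE_SECRET};
}};
"""

SAMPLE_DHCPD_CONF = """
include "/usr/export/named/etc/dhcpd.key";
zone gypsy.th3h.inner.chaos. { primary 10.100.100.10; key dhcpd-key; }
zone 100.100.10.in-addr.arpa. { primary 10.100.100.10; key dhcpd-key; }
ddns-update-style interim;
ignore client-updates;
"""

SAMPLE_NAMED_CONF = """
include "/etc/dhcpd.key";
zone "100.100.10.in-addr.arpa." in {
        type master;
        file "dyn/10.100.100.inaddr";
        allow-update { key dhcpd-key; };
};
zone "gypsy.th3h.inner.chaos." in {
        type master;
        file "dyn/gypsy.th3h.inner.chaos.master";
        allow-update { key dhcpd-key; };
};
"""

# TSIG algorithm names as they appear in key files, mapped to a canonical label.
KNOWN_ALGORITHMS = {
    "hmac-md5": "HMAC-MD5",
    "hmac-md5.sig-alg.reg.int": "HMAC-MD5",
    "hmac-sha1": "HMAC-SHA1",
    "hmac-sha256": "HMAC-SHA256",
    "hmac-sha512": "HMAC-SHA512",
}

KEY_STANZA_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;\s*'
    r'secret\s+"?([A-Za-z0-9+/=]+)"?\s*;\s*\}\s*;')
# A zone block up to its first '}' (enough to reach 'key NAME;' in both files).
ZONE_RE = re.compile(r'zone\s+"?([\w.-]+)"?(?:\s+in)?\s*\{([^}]*)')
KEY_REF_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;')


def check_key_file(text):
    """Parse a 'key NAME { algorithm ...; secret ...; };' stanza.

    Returns (info, findings): info has 'name', 'algorithm' and 'bits';
    findings lists what to fix before relying on the key.
    """
    m = KEY_STANZA_RE.search(text)
    if not m:
        return None, ["no key stanza found"]
    name, alg, secret_b64 = m.groups()
    findings = []
    algorithm = KNOWN_ALGORITHMS.get(alg.lower())
    if algorithm is None:
        findings.append(f"unknown TSIG algorithm '{alg}'")
    elif algorithm == "HMAC-MD5":
        findings.append("HMAC-MD5 is no longer recommended for TSIG (RFC 8945); "
                        "regenerate with 'dnssec-keygen -a hmac-sha256'")
    try:
        secret = base64.b64decode(secret_b64, validate=True)
    except binascii.Error:
        findings.append("secret is not valid base64; paste the whole Key: value")
        return {"name": name, "algorithm": algorithm, "bits": 0}, findings
    bits = len(secret) * 8
    if bits < 128:
        findings.append(f"secret is only {bits} bits; the message uses -b 512")
    return {"name": name, "algorithm": algorithm, "bits": bits}, findings


def zone_keys(conf_text):
    """Map each zone (lower-cased, no trailing dot) to the key name its block
    references, or None if it names no key."""
    result = {}
    for zone, body in ZONE_RE.findall(conf_text):
        ref = KEY_REF_RE.search(body)
        result[zone.lower().rstrip(".")] = ref.group(1) if ref else None
    return result


def update_key_mismatches(dhcpd_conf, named_conf):
    """Zones where the key dhcpd signs with differs from what named accepts."""
    client, server = zone_keys(dhcpd_conf), zone_keys(named_conf)
    return {z: (k, server.get(z)) for z, k in client.items() if server.get(z) != k}


if __name__ == "__main__":
    info, findings = check_key_file(SAMPLE_KEY_FILE)
    print(info)
    for finding in findings:
        print("finding:", finding)
    print("mismatches:", update_key_mismatches(SAMPLE_DHCPD_CONF, SAMPLE_NAMED_CONF))
```

Run against the samples it reports a 512-bit HMAC-MD5 key, one finding about the algorithm, and no zone/key mismatches; a typo in either key name shows up as a mismatch for that zone, which is the usual reason a TSIG update is refused. The check works on configuration text only; whether the 'dyn' directory is actually writable by the named user still has to be verified on the host.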