>>>>> "hz" == Hans Zaunere <lists@xxx> writes:
hz> -- internal authoritative DNS server to provide internal
hz> server naming for development servers, etc; company internet
hz> facing authoritative DNS is handled elsewhere
I've been using dhcpd's TSIG dynamic update feature, and it seems to
work pretty well.
/etc/dhcpd.conf
-----8<-----
include "/usr/export/named/etc/dhcpd.key";
# forward zone for the development hosts; updates go to the internal master
zone gypsy.th3h.inner.chaos. {
        primary 10.100.100.10;
        key dhcpd-key;
}
# matching reverse zone for 10.100.100.0/24
zone 100.100.10.in-addr.arpa. {
        primary 10.100.100.10;
        key dhcpd-key;
}
ddns-update-style interim;
ignore client-updates;
option domain-name "th3h.inner.chaos";
[...]
-----8<-----
/etc/rc.conf
-----8<-----
named=YES
named_chrootdir="/usr/export/named"
dhcpd=YES
dhcpd_flags="-q tlp2 tlp3 tlp4"
-----8<-----
(generate this file with
dnssec-keygen -a hmac-md5 -b 512 -n user -r /dev/urandom dhcpd-key
then take the key out of Kdhcpd-key.+157+_____.private and put into
this format after 'secret')
/usr/export/named/etc/dhcpd.key
-----8<-----
key dhcpd-key {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret ABCdefg1234==;
};
-----8<-----
make sure the 'dyn' directory is writable by the named user.
/usr/export/named/etc/named.conf
-----8<-----
acl localhost6 { ::1/128; };
acl fw { 192.168.0.0/16; 69.31.131.32/27; 2001:4830:2150::/48; localhost; localhost6; };
acl chaosvpn { 10.0.0.0/8; };
include "/etc/dhcpd.key";
// dynamic zones live under dyn/, which named must be able to write;
// only holders of dhcpd-key may send updates
zone "100.100.10.in-addr.arpa." in {
        type master;
        file "dyn/10.100.100.inaddr";
        allow-query { fw; chaosvpn; };
        allow-update { key dhcpd-key; };
};
zone "gypsy.th3h.inner.chaos." in {
        type master;
        file "dyn/gypsy.th3h.inner.chaos.master";
        allow-query { fw; chaosvpn; };
        allow-update { key dhcpd-key; };
};
-----8<-----
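The one manual step in the recipe above is copying the secret out of the dnssec-keygen K*.private file into the key stanza that both dhcpd.conf and named.conf include. The script below, added here as an example and not code from the original post, does that copy, can also mint a fresh secret straight from /dev/urandom, and checks that the secret decodes to the size you asked for and that the key name in the file is the one the allow-update clause names. It assumes a POSIX sh with head, sed, base64, tr, wc and mktemp, and that the K*.private format carries the secret on a "Key:" line; the sample private-key file, its key name and the secret in it are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: build a BIND/dhcpd TSIG key
# stanza from an existing dnssec-keygen K*.private file or from a freshly
# generated secret, and sanity-check the result.
# Assumptions: POSIX sh with head, sed, base64, tr, wc, mktemp and
# /dev/urandom; K*.private files put the secret on a "Key:" line.

# Extract the base64 secret from a dnssec-keygen private-key file.
tsig_secret_from_private() {
    sed -n 's/^Key: *//p' "$1"
}

# Generate a fresh secret of BITS bits (default 256) from /dev/urandom,
# printed as one base64 line, as dnssec-keygen -b would.
tsig_generate_secret() {
    bits=${1:-256}
    head -c "$((bits / 8))" /dev/urandom | base64 | tr -d '\n'
}

# Print the decoded length of a base64 secret in bytes; prints 0 and
# returns non-zero if the string does not decode as base64.
tsig_secret_bytes() {
    if ! printf '%s' "$1" | base64 -d >/dev/null 2>&1; then
        echo 0
        return 1
    fi
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Print a key stanza in the form both named.conf and dhcpd.conf include.
# The secret is quoted, which named and dhcpd both accept.
tsig_key_stanza() {
    printf 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# Read the key name back out of a stanza file, so it can be compared with
# the NAME used in allow-update { key NAME; } and the dhcpd zone clauses.
tsig_key_name() {
    sed -n 's/^key[[:space:]]*\([^[:space:]{]*\).*/\1/p' "$1"
}

# --- demonstration on constructed input ---------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed stand-in for a K*.private file; the secret is just the
# base64 of the string 0123456789abcdef and is not a real key.
SAMPLE_PRIVATE="$tmp/Kexample.+157+00000.private"
cat > "$SAMPLE_PRIVATE" <<'EOF'
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: MDEyMzQ1Njc4OWFiY2RlZg==
Bits: AAA=
EOF

# 1. existing key: copy it into stanza form, same algorithm name as the post
tsig_key_stanza dhcpd-key HMAC-MD5.SIG-ALG.REG.INT \
    "$(tsig_secret_from_private "$SAMPLE_PRIVATE")" > "$tmp/dhcpd.key"
cat "$tmp/dhcpd.key"

# 2. fresh key: a 512-bit secret like the post's dnssec-keygen line, but
#    with hmac-sha256 (assumes a dhcpd and named new enough to support it)
NEW_SECRET=$(tsig_generate_secret 512)
tsig_key_stanza dhcpd-key hmac-sha256 "$NEW_SECRET" > "$tmp/dhcpd-sha256.key"
echo "new secret decodes to $(tsig_secret_bytes "$NEW_SECRET") bytes"
echo "key name in file: $(tsig_key_name "$tmp/dhcpd-sha256.key")"
```

Put the generated file where the chrooted named can read it (the post's /usr/export/named/etc/dhcpd.key), keep it unreadable to anyone but the named and dhcpd users, and test the update path before trusting the lease hooks: nsupdate -k accepts a file in this key-stanza format, so an `update add` against the zone with that key tells you whether allow-update and the dyn/ permissions are right. Recent BIND releases also ship tsig-keygen, which prints a stanza in exactly this shape without going through a K*.private file.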