[Dnsmasq-discuss] Dynamic DNS

clemens fischer ino-news at spotteswoode.dnsalias.org
Thu Jun 24 20:32:01 BST 2010


/dev/rob0 wrote:

> On Thu, Jun 24, 2010 at 09:51:57AM +0100, Alberto Cuesta-Canada wrote:
>
>> are there any plans of implementing Dynamic DNS for dnsmasq?
>>
>> There is a perl script that adds that functionality here:
>> http://psydev.syw4e.info/new/dynamic-dnsmasq/dynamic-dnsmasq.pl
>
> I don't understand all the desire to invent new protocols for dynamic
> DNS. RFC 2136 handles it quite well. If dnsmasq were to add another
> protocol, it should be RFC 2136. Dyndns.org's protocol is not a
> standard.
>
> Some years back, before I really understood 2136, I wrote a perl/CGI
> frontend for nsupdate(8) which does something similar without
> exposing another root-owned TCP socket to the world. By means of
> permissions on a copy of the key, I was able to allow the httpd(8)
> user to run nsupdate after authenticating the user.

I just skimmed through RFC 2136.  From a practical standpoint, it has
a serious flaw in sections 3.3.1 and 3.3.2:

  3.3.1. Next, the requestor's permission to update the RRs named in
  the Update Section may be tested in an implementation dependent
  fashion or using mechanisms specified in a subsequent Secure DNS
  Update protocol.

What good is such a drastic DNS operation when no authentication is
defined?  Other than that the RFC reads like a stripped down version of
nsupdate's technical manual (if such a thing exists).  The benefit to
not defining it there is that any mechanisms can be used.  Arriving at
this conclusion leaves us looking at e.g. dyndns's protocol.  I think
it's one of the worst alternatives in this context:  dnsmasq often runs
in local link areas, where people can easily snoop the credentials, and
it mocks up an HTTP server, which is quite complicated for this task.

A much simpler approach would be for the client to send the
base64(sha1("user:password:hostname")) (a hash of user, password and
desired, preregistered hostname) to some special host and maybe wait for
the ACK.  That could be decoupled from dnsmasq, which is probably not
the right place to implement it.

Why not look at the existing dnsmasq option "dhcp-script"?  I never used
it, but it seems to provide what's needed provided all the dhcp clients
are automatically authorized to enter a name into the DNS.

> Another thing I'm not understanding is why is this needed? Are you
> running dnsmasq as authoritative nameserver for the world? I hope
> Simon will correct me if I'm wrong, but I don't see that as a
> typical role for dnsmasq.

+1

I'm aware of DHCP options that let a client request a dynamic DNS
update, though.  The manual doesn't mention them, though.


clemens
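The two suggestions above (RFC 2136 via nsupdate(8) with a key file, and dnsmasq's "dhcp-script" option) combine naturally: dnsmasq calls the script with the lease event and the client's name, and the script hands a signed update to nsupdate. The hook below is an added example written for this thread, not code from dnsmasq or from anyone in the discussion; the zone, server address, key file path and TTL are assumed values, and it only accepts plain single-label hostnames so a client cannot write records outside its own name.

```shell
#!/bin/sh
# Constructed example of a dnsmasq dhcp-script hook that forwards lease
# events to an external RFC 2136 server through nsupdate(8).
# dnsmasq invokes it as:  <add|old|del> <mac> <ip> [hostname]
# Assumed (not from the thread): zone, server, TSIG key file and TTL.
ZONE="lan.example"
SERVER="192.0.2.53"
KEYFILE="/etc/dnsmasq/ddns.key"
TTL=300

# Emit the nsupdate batch for one lease event on stdout.
# Returns 1 (emitting nothing) for events that must not touch the zone.
build_update() {
    action="$1"; ip="$3"; host="$4"
    # Refuse an empty name, any name with a dot (would escape the zone)
    # and any character outside the hostname alphabet.
    case "$host" in
        ""|*.*|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    # Only the three lease actions dnsmasq documents are acted on.
    case "$action" in
        add|old|del) ;;
        *) return 1 ;;
    esac
    fqdn="$host.$ZONE"
    printf 'server %s\nzone %s\n' "$SERVER" "$ZONE"
    # Always clear the old A record so a client that moved address
    # does not accumulate stale entries; re-add on add/old only.
    printf 'update delete %s A\n' "$fqdn"
    if [ "$action" != "del" ]; then
        printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
    fi
    printf 'send\n'
}

# When run by dnsmasq (three or more arguments) the batch is signed with
# the key file and sent; sourcing the file for tests leaves it inert.
if [ $# -ge 3 ]; then
    build_update "$@" | nsupdate -k "$KEYFILE"
fi
```

The key file should be readable only by the user dnsmasq runs the script as, mirroring the permission trick described for the CGI frontend above.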



