[Dnsmasq-discuss] Dynamic DNS

clemens fischer ino-news at spotteswoode.dnsalias.org
Fri Jun 25 22:45:08 BST 2010


/dev/rob0 wrote:

> FWIW, Alberto, Windows clients do speak 2136. I think they do it by 
> default, regardless of the type of nameserver they're contacting.
> 
> A confusing thing about Alberto's description is the apparent idea 
> that dnsmasq does not support dynamic DNS. On the contrary, that's 
> what it does, exceptionally well, by combining the DHCPd with the 
> nameserver. Dynamic DNS for DHCP clients is a strong point for 
> dnsmasq.

This might be a good idea!  Dnsmasq allows including files and rereading
them when they are modified.

Option "addn-hosts" comes to mind: an update script might append/replace
records like "<some-IP> <some-Host>" in a file.

>> What good is such a drastic DNS operation when no authentication is
>> defined?  Other than that the RFC reads like a stripped down version
>> of
> 
> Hmm? You can use dnssec-keygen(8) keys for authentication. I admit,
> I don't know as practical a way to do it in the real world; DynDNS's
> protocol and my HTTP+nsupdate hack are handy for associating one
> user's records with one authentication credential.

DNSSEC is an entirely different beast.  It is to generate key-signing-
and zone-signing keys for verifying DNS responses.

You probably meant ddns-confgen(8), which is used to TSIG authenticate
within a DNS operation.  But the problem is not how to make a secure
key, /dev/random would be enough for that, but how to send it to some
agent.

> That's why I think my HTTP+nsupdate hack was better than DynDNS's 
> protocol. No special client needed, just a web browser (or a 
> scriptable HTTP client like wget(1).)

Right.

I'm using a script whenever I get a new IP (${newip} in the script) from
the provider by DHCP:

  #!/bin/sh
  # bin/dyndns-update.sh
  # _date: 20100222-1628_
  #
  # /l/etc/named.conf
  # /etc/dhcpcd.exit-hook
  # <url:man:1 nsupdate>
  
  iam="${0##*/}"
  ex=0
  usage="${iam}: use ${iam} <zone> <ip>"
  nsupdate="/usr/local/bin/nsupdate"
  nsupdate_opts=""
  nsupdate_opts="${nsupdate_opts} -l"
  nsupdate_opts="${nsupdate_opts} -k /usr/local/etc/bind9/tsig-update.key"
  zone="${1:?${usage}}"
  newip="${2:?${usage}}"
  spf1="v=spf1 ip4:${newip} a XXX XXX ~all"
  
  update_rr="
  zone ${zone}
  prereq yxdomain ${zone}
  update delete ${zone} 300 IN A
  update add ${zone} 300 IN A ${newip}
  update delete ${zone} 3600 IN TXT
  update add ${zone} 3600 IN TXT \"${spf1}\"
  send
  answer
  "
  
  echo "${update_rr}" | ${nsupdate} ${nsupdate_opts}
  ex=$?
  exit ${ex}

and the key is made like this:

  # ddns-confgen -k /l/etc/bind9/tsig-update.key -s XXX.eu.org


clemens
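
The "addn-hosts" idea from the message above, as an added example (not part of the original post and not dnsmasq's own code): a POSIX sh function that replaces or appends one "<some-IP> <some-Host>" record in a hosts-format file. The function names, file path and host names are constructed; IPv4 only. Both values are validated first, so a caller-supplied string cannot smuggle extra records into the file.

```shell
#!/bin/sh
# Added example: maintain one "<IP> <host>" record in a file that dnsmasq
# would read via addn-hosts. All names here are hypothetical.

# valid_ipv4 <addr>: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # also rejects newlines/spaces
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_hostname <name>: letters, digits, '-' and '.' only, sane label edges.
valid_hostname() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|-*|.*|*..*|*.-*|*-.*|*-) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# update_hosts_record <file> <ip> <host>: drop old lines naming <host>,
# append the new record, and swap the file in with an atomic rename.
update_hosts_record() {
    file=$1 ip=$2 host=$3
    valid_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 2; }
    valid_hostname "$host" || { echo "bad hostname: $host" >&2; return 2; }
    # Temp file in the same directory so mv is a rename, never a copy.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if [ -f "$file" ]; then
        # host is validated above, so it is safe to pass through awk -v.
        awk -v h="$host" 'BEGIN { h = tolower(h) }
            /^[ \t]*#/ { print; next }
            { for (i = 2; i <= NF; i++) if (tolower($i) == h) next
              print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    printf '%s %s\n' "$ip" "$host" >> "$tmp"
    chmod 644 "$tmp"    # mktemp creates 0600; the resolver must be able to read it
    mv "$tmp" "$file"
}
```
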



