We have three-letter location codes that we use to identify remote sites, and
some of those sites are on a dynamic IP connection. As a result, we
need a way to keep the DNS records for all locations up to date.
Yes, many DNS providers offer a free dynamic DNS service, and most higher-end
xDSL & cable routers have a dynamic DNS client built in. And they may
even do a pretty good job once you invest a couple of minutes into
getting it all set up, but where’s the fun in that?
Let’s start by generating a TSIG (Transaction SIGnature) key pair,
which we will use to authenticate our update to the nameserver.
dnssec-keygen is part of the bind package on FreeBSD. Note that we’re
using the example.net. domain here; you must change it to the domain you
want to update. For an explanation of the other options, refer to the
dnssec-keygen(8) manual.
% dnssec-keygen -a HMAC-MD5 -b 512 -n HOST example.net.
Kexample.net.+157+32671
Now we set up this key on the BIND server to which we’ll be sending the
zone update. Create /var/named/etc/namedb/example.net.key with the
following contents; the secret is the same as the key in the files
generated with dnssec-keygen previously:
You’ll notice that by default nsupdate doesn’t give any output
unless there was an error. Instead, you can issue an answer command
to nsupdate after send to see the server response:
# nsupdate -k Kexample.net.+157+32671.private
> update delete lhr.example.net A
> update add lhr.example.net 86400 A 10.1.1.10
> send
> answer
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 32101
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.net. IN SOA
;; TSIG PSEUDOSECTION:
example.net. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1408203323 300 16 BoDENzUS1d+yT0Fyd6fq6A== 32101 NOERROR 0
Ok, so that’s all working as expected. The last step is to script
something that would update DNS automatically whenever the external IP
changes. Here’s a basic shell script; notice it doesn’t do any error handling :)
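The update step above, as an added example that is not the original post's script: it validates the host label and address, skips the update when the address has not changed, and records the new address only if nsupdate succeeds. The state file path, the NSUPDATE override and passing the host label and IP as arguments are assumptions; how the external IP is discovered is left to the caller.

```shell
#!/bin/sh
# Added example: nsupdate wrapper with the error handling made explicit.
# KEY and the example.net zone are from the post; STATE is an assumed path and
# NSUPDATE is an assumed override so the binary can be stubbed out.
KEY="Kexample.net.+157+32671.private"
ZONE="example.net"
TTL=86400
STATE="${STATE:-/var/db/ddns-last-ip}"

# Succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the nsupdate batch that replaces the A record of host $1 with IP $2.
build_batch() {
    printf 'update delete %s.%s A\n' "$1" "$ZONE"
    printf 'update add %s.%s %s A %s\n' "$1" "$ZONE" "$TTL" "$2"
    printf 'send\n'
}

# Succeed if $1 differs from the last address that was sent successfully.
ip_changed() {
    [ ! -f "$STATE" ] || [ "$(cat "$STATE")" != "$1" ]
}

# Update host label $1 to IP $2. Returns 2 on bad input, 1 if nsupdate fails.
update_dns() {
    case "$1" in
        ''|*[!a-z0-9-]*) echo "bad host label: $1" >&2; return 2 ;;
    esac
    valid_ipv4 "$2" || { echo "bad address: $2" >&2; return 2; }
    ip_changed "$2" || return 0
    build_batch "$1" "$2" | ${NSUPDATE:-nsupdate} -k "$KEY" ||
        { echo "nsupdate failed for $1.$ZONE" >&2; return 1; }
    # Record the address only after nsupdate exited successfully.
    printf '%s\n' "$2" > "$STATE"
}

if [ $# -eq 2 ]; then update_dns "$1" "$2"; fi
```

Because the address and host label are checked before they reach the batch, a malformed value from whatever reports the external IP cannot add extra commands to the nsupdate input.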