Bind
Resources
Delegation
In this example we want to delegate dokuwiki.society-lbl.com to its own pair of nameservers.
First add the delegation (NS records) and the glue records to the parent zone file. Glue is required here because the nameservers live inside the zone being delegated: without it a resolver would have to ask the child zone for the addresses of the very servers it is trying to find.
/etc/bind/society-lbl.com
; DELEGATION AND GLUE RECORDS FOR THE SUBDOMAIN
dokuwiki.society-lbl.com. IN NS ns2.dokuwiki.society-lbl.com.
dokuwiki.society-lbl.com. IN NS ns.dokuwiki.society-lbl.com.
ns.dokuwiki.society-lbl.com.  IN A 91.121.62.12
ns2.dokuwiki.society-lbl.com. IN A 91.121.12.116
Then create a separate zone file for the delegated subdomain. The A records for ns and ns2 in this file are the authoritative ones and must match the glue in the parent zone; if they diverge, resolvers reach whichever address they happen to have cached.
/etc/bind/dokuwiki.society-lbl.com
$TTL 3h
@ IN SOA ns2.dokuwiki.society-lbl.com. hostmaster.society-lbl.com. (
2013073101 ; serial (YYYYMMDDxx)
8H ; refresh
2H ; retry
1W ; expire
1D ) ; negative-cache TTL (minimum)
; NS for dokuwiki :
@ IN NS ns2.dokuwiki.society-lbl.com.
@ IN NS ns.dokuwiki.society-lbl.com.
ns IN A 91.121.62.12
ns2 IN A 91.121.12.116
dokuwiki.society-lbl.com. IN A 91.121.12.116
memorandum IN CNAME dokuwiki.society-lbl.com.
cultivation IN CNAME dokuwiki.society-lbl.com.
network IN CNAME dokuwiki.society-lbl.com.
/etc/bind/named.conf.local
zone "dokuwiki.society-lbl.com" {
type master;
file "/etc/bind/dokuwiki.society-lbl.com";
};
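The following check is an added example, not code from the original page: it compares the glue A records the parent zone publishes for the delegated nameservers with the A records the child zone itself declares, which is the consistency the text above asks for. The two zone texts are constructed copies of the files above; point the functions at real files to check a live setup. It goes slightly beyond the page's case in that it also qualifies relative owner names and accepts records with an explicit TTL field. The dig commands in the trailing comment need network access and are not part of the offline run.

```shell
#!/bin/sh
# Added example (not from the original page): check that the glue the parent
# zone publishes for the delegated nameservers matches the A records the child
# zone itself declares. Both zone texts are constructed copies of the files
# above; feed real files instead to check a live configuration.

# Constructed copy of the delegation part of /etc/bind/society-lbl.com
parent_zone() {
    cat <<'EOF'
; GLUE RECORD SUBDOMAIN
dokuwiki.society-lbl.com. IN NS ns2.dokuwiki.society-lbl.com.
dokuwiki.society-lbl.com. IN NS ns.dokuwiki.society-lbl.com.
ns.dokuwiki.society-lbl.com.  IN A 91.121.62.12
ns2.dokuwiki.society-lbl.com. IN A 91.121.12.116
EOF
}

# Constructed copy of the child zone /etc/bind/dokuwiki.society-lbl.com
child_zone() {
    cat <<'EOF'
$TTL 3h
@ IN SOA ns2.dokuwiki.society-lbl.com. hostmaster.society-lbl.com. (
2013073101 8H 2H 1W 1D )
@ IN NS ns2.dokuwiki.society-lbl.com.
@ IN NS ns.dokuwiki.society-lbl.com.
ns  IN A 91.121.62.12 ; nameserver
ns2 IN A 91.121.12.116
dokuwiki.society-lbl.com. IN A 91.121.12.116
EOF
}

# Read zone text on stdin, print "fqdn ip" for every A record.
# $1 is the zone origin, used to qualify "@" and relative owner names.
a_records() {
    awk -v origin="$1" '
        { sub(/;.*/, "") }                           # strip comments first
        NF == 0 || /^\$/ { next }                    # blank lines, $TTL/$ORIGIN
        ($2 == "IN" && $3 == "A") || ($3 == "IN" && $4 == "A") {
            name = $1
            if (name == "@") name = origin "."
            else if (name !~ /\.$/) name = name "." origin "."
            print name, $NF
        }'
}

# Read the parent zone on stdin, print the NS targets delegated for child $2.
# $1 is the parent origin, used to qualify relative names and targets.
delegated_ns() {
    awk -v parent="$1" -v child="$2." '
        { sub(/;.*/, "") }
        NF == 0 || /^\$/ { next }
        ($2 == "IN" && $3 == "NS") || ($3 == "IN" && $4 == "NS") {
            name = $1
            if (name !~ /\.$/) name = name "." parent "."
            target = $NF
            if (target !~ /\.$/) target = target "." parent "."
            if (name == child) print target
        }'
}

# check_glue PARENT_TEXT CHILD_TEXT PARENT_ORIGIN CHILD_ORIGIN
# One line per delegated nameserver; returns 1 on any mismatch or missing
# glue, which is exactly what makes a delegation flaky.
check_glue() {
    parent="$1" child="$2" porigin="$3" corigin="$4"
    status=0
    for ns in $(printf '%s\n' "$parent" | delegated_ns "$porigin" "$corigin"); do
        glue=$(printf '%s\n' "$parent" | a_records "$porigin" | awk -v n="$ns" '$1 == n { print $2 }')
        real=$(printf '%s\n' "$child"  | a_records "$corigin" | awk -v n="$ns" '$1 == n { print $2 }')
        if [ -z "$glue" ]; then
            echo "MISSING GLUE: $ns"; status=1
        elif [ "$glue" != "$real" ]; then
            echo "MISMATCH: $ns glue=$glue child=${real:-none}"; status=1
        else
            echo "OK: $ns $glue"
        fi
    done
    return $status
}

# Offline run against the constructed samples
check_glue "$(parent_zone)" "$(child_zone)" society-lbl.com dokuwiki.society-lbl.com

# Live checks once the zones are loaded (need network, not part of the offline run):
#   dig +norecurse @91.121.62.12 NS dokuwiki.society-lbl.com   # delegation; glue in ADDITIONAL section
#   dig +norecurse @91.121.62.12 SOA dokuwiki.society-lbl.com  # child must answer with the aa flag
```

Run it after every edit to either file; a MISMATCH line means the parent is handing out an address the child no longer uses.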
Setup DDNS
Example: update the IPv4 and IPv6 addresses of a subdomain with a TSIG-authenticated dynamic update.
Server side
Requires the bind9utils package.
Dynamic DNS needs a TSIG key shared between the server and the client; first create it:
dnssec-keygen -a HMAC-SHA512 -b 512 -r /dev/urandom -n HOST home.society-lbl.com
(On BIND 9.13 and later dnssec-keygen no longer generates HMAC keys; use tsig-keygen -a hmac-sha512 home.society-lbl.com instead, which prints the key clause for keys.conf directly.)
notes:
- the name argument, home.society-lbl.com, becomes part of the generated filenames Khome.society-lbl.com.+165+<id>.key and .private (165 is the algorithm number for HMAC-SHA512)
- I tried to use more complex algorithms (based on private/public keys), but it's overkill in time and security just to update an IP on a subdomain.
/etc/bind/keys.conf
key home.society-lbl.com {
algorithm HMAC-SHA512;
secret "KEY_VALUE";
};
notes:
- replace KEY_VALUE with everything after "Key:" in the generated .private file
- keep the .private file together with the .key file: the client (nsupdate) needs both
- home.society-lbl.com is the name under which bind identifies the key; the client must present the same name
- keys.conf holds a shared secret: make it readable by root and the bind group only (chown root:bind, chmod 640), never world-readable, otherwise any local user can update the zone
/etc/bind/named.conf:
include "/etc/bind/keys.conf";
Then you have two choices; they are mutually exclusive, a zone cannot carry both allow-update and update-policy.
- allow-update
the key can update any record in the whole zone, so a stolen client key could rewrite NS, MX or the apex. /etc/bind/named.conf.local:
zone "society-lbl.com" {
type master;
file "/etc/bind/domains/society-lbl.com";
allow-update {
key home.society-lbl.com;
};
};
- (preferred) update-policy
the key can update only the records the policy grants. /etc/bind/named.conf.local:
zone "society-lbl.com" {
type master;
file "/etc/bind/domains/society-lbl.com";
update-policy {
grant home.society-lbl.com name home.society-lbl.com. A AAAA;
};
};
notes:
- each update-policy rule has the form grant|deny <identity> <matchtype> [name] [types]; here the identity is the key name home.society-lbl.com, the matchtype name restricts it to the single name home.society-lbl.com., and the type list restricts it to A and AAAA, so a compromised client key cannot touch any other name or record type in the zone
Check the configuration and restart
named-checkconf && systemctl restart bind9
In case of a manual update
Once a zone accepts dynamic updates, named keeps a journal (society-lbl.com.jnl) next to the zone file and rewrites the file itself. To edit the society-lbl.com zone file by hand you must freeze the zone first, otherwise your edit conflicts with the journal and is lost:
rndc freeze society-lbl.com
# edit your zone file (/etc/bind/domains/society-lbl.com) and increase the serial
rndc thaw society-lbl.com # when finished
Security part
Ensure bind can read and write the file containing the zone (e.g. /etc/bind/domains/society-lbl.com) with chown and chmod for the group bind. The directory itself must be writable by bind too, since named creates the journal file (society-lbl.com.jnl) next to the zone file; with a read-only directory the update fails with a journal error in syslog.
If AppArmor is enabled, adjust /etc/apparmor.d/usr.sbin.named if required so that named may write to the zone directory:
/usr/sbin/named {
...
/etc/bind/** r,
/etc/bind/domains/** rw,
...
}
systemctl restart apparmor
(or apparmor_parser -r /etc/apparmor.d/usr.sbin.named to reload just this profile). On Debian the shipped profile already allows /var/lib/bind/** rw, so keeping dynamically updated zones under /var/lib/bind avoids editing the profile at all.
Client side
Check it works
Send a TSIG-signed query and check that the answer carries the TSIG pseudosection:
dig -y hmac-sha512:home.society-lbl.com:KEY_VALUE @ns1.society-lbl.com society-lbl.com SOA
The answer must end with a ";; TSIG PSEUDOSECTION" naming home.society-lbl.com. A wrong key name or secret is rejected with BADKEY or BADSIG, which dig reports as a TSIG verification failure; in that case check /var/log/syslog on the server. Note that -y puts the secret on the command line, visible in the process list and the shell history; on a shared host use dig -k <keyfile> instead.
Update the zone
Requires the dnsutils package.
Example to add or replace the IP addresses of the subdomain home.society-lbl.com:
update.txt
server ns1.society-lbl.com
zone society-lbl.com
update delete home.society-lbl.com. A
update delete home.society-lbl.com. AAAA
update add home.society-lbl.com. 600 AAAA xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
update add home.society-lbl.com. 600 A xxx.xxx.xxx.xxx
show
send
important: nsupdate -k with a dnssec-keygen style .private file also needs the matching .key file in the same directory (otherwise you risk a bare "update failed: REFUSED" with no details). A file containing the key { } clause from keys.conf, as produced by tsig-keygen, works with -k as well.
nsupdate -k Kkeyname.+165+0316.private -v update.txt
notes:
- specifying a file is not necessary; you can also type the commands interactively
- -v forces TCP instead of UDP, preferred for batch requests
- update delete: without it, when the IP changes the old records remain alongside the new one, so clients may keep trying a dead address
Check the update on the authoritative server itself; a recursive resolver may still return the cached old value, and many servers now answer ANY with a minimal reply, so ask for the types explicitly:
dig @ns1.society-lbl.com home.society-lbl.com A +short
dig @ns1.society-lbl.com home.society-lbl.com AAAA +short
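The client procedure above (build the update.txt batch, delete the old records, add the new ones, send it with nsupdate) is what a DDNS client script automates. The script below is an added example, not code from the original page: build_update generates the same batch from the current addresses, and because an address fetched from the network is untrusted input to nsupdate's command language it validates both addresses before embedding them, refuses anything that is not a plain address, and omits the AAAA add when there is no IPv6. send_update wires it to nsupdate. The key file path and the IP-discovery URL are assumptions; server, zone, host and TTL are the page's.

```shell
#!/bin/sh
# Added example (not from the original page): a DDNS client that generates the
# nsupdate batch shown above from the host's current addresses. Addresses
# discovered on the network are untrusted input to nsupdate's command language,
# so they are validated before being embedded; old records are always removed
# first, and the AAAA add is skipped when the host has no IPv6.
SERVER=ns1.society-lbl.com
ZONE=society-lbl.com
HOST=home.society-lbl.com
TTL=600
KEYFILE=/etc/bind/Khome.society-lbl.com.+165+0316.private   # assumed location
IP_SERVICE=https://ip.example.net                            # assumed "echo my address" service

# Strict IPv4 dotted-quad check
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# IPv6: hex digits and colons only, at least one colon. This blocks command
# injection; named itself rejects strings that are hex but not a real address.
valid_ipv6() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f:]{2,39}$' && printf '%s' "$1" | grep -q ':'
}

# build_update IPV4 [IPV6]: print the nsupdate batch on stdout;
# print nothing and return 1 when an address fails validation.
build_update() {
    v4="$1" v6="${2:-}"
    valid_ipv4 "$v4" || { echo "refusing bad IPv4 '$v4'" >&2; return 1; }
    if [ -n "$v6" ]; then
        valid_ipv6 "$v6" || { echo "refusing bad IPv6 '$v6'" >&2; return 1; }
    fi
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$ZONE"
    printf 'update delete %s. A\n' "$HOST"        # drop stale addresses first
    printf 'update delete %s. AAAA\n' "$HOST"
    printf 'update add %s. %s A %s\n' "$HOST" "$TTL" "$v4"
    if [ -n "$v6" ]; then
        printf 'update add %s. %s AAAA %s\n' "$HOST" "$TTL" "$v6"
    fi
    printf 'send\n'
}

# Discover the current addresses and push an update only when the
# authoritative server does not already serve them (keeps the journal small).
# Needs network and the key file; not run by the offline test.
send_update() {
    v4=$(curl -4 -fsS "$IP_SERVICE") || { echo "no IPv4 address found" >&2; return 1; }
    v6=$(curl -6 -fsS "$IP_SERVICE" 2>/dev/null) || v6=""
    cur4=$(dig +short @"$SERVER" "$HOST" A)
    cur6=$(dig +short @"$SERVER" "$HOST" AAAA)
    if [ "$v4" = "$cur4" ] && [ "$v6" = "$cur6" ]; then
        echo "no change"
        return 0
    fi
    # -v forces TCP; -k reads the TSIG key (the .key file must sit next to .private)
    build_update "$v4" "$v6" | nsupdate -v -k "$KEYFILE"
}

# Show the batch for documentation addresses (RFC 5737 / RFC 3849)
build_update 203.0.113.5 2001:db8::1
```

Run send_update from cron or a network-up hook; the update-policy on the server limits the damage even if the key leaks, and the validation here limits it even if the IP service lies.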
Sources:
- Painless DDNS
- Painless DDNS: part 2
- official documentation - DDNS
- http://archivebox.parmentier.io/archive/www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
- https://www.afnic.fr/medias/documents/DNSSEC/afnic-dnssec-howto-fr-v2.pdf
- https://www.bortzmeyer.org/5155.html
- https://www.zytrax.com/books/dns/ch2/#dyn-update
- https://www.bortzmeyer.org/2845.html
- Creating a very specific TXT only nsupdate connection for Let’s Encrypt
See also ddns-confgen: it generates the key clause and a matching zone snippet with update-policy in one go (tsig-keygen generates the key clause alone).
Check configuration
named-checkconf
named-checkconf -z
Note: for more detail on a zone, you can type: named-checkzone domain.tld /etc/bind/domains/domain.tld
Check propagation
nslookup DOMAIN.TLD NS_SERVER.TLD
Example
/etc/bind/society-lbl.com
$TTL 3h
@ IN SOA ns2.society-lbl.com. hostmaster.society-lbl.com. (
2013080101 ; serial number (YYYYMMDDxx)
1D ; refresh = 1 day
15M ; update retry = 15 minutes
3W ; expiry = 3 weeks
2H ; minimum = 2 hours
)
; NS :
; address records of the in-zone nameservers; the registrar must publish
; the same addresses as glue in the .com zone
ns1 IN A 91.121.62.12
ns2 IN A 91.121.12.116
@ IN NS ns2.society-lbl.com.
@ IN NS ns1.society-lbl.com.
@ IN NS ns.kimsufi.com.
@ IN A 91.121.62.12
@ IN A 91.121.12.116
; it is equivalent to
; society-lbl.com. IN A 91.121.62.12
; society-lbl.com. IN A 91.121.12.116
ftp IN CNAME society-lbl.com.
Notice :
- @ stands for the zone origin, i.e. the zone name given in named.conf (society-lbl.com), not the file name. You can also set it explicitly with $ORIGIN society-lbl.com. (note the trailing dot) at the beginning of the file
- To know more about glue records ([see](softwares/server/dns/start#glue_record))
- **Refresh time** - The time, in seconds, a secondary DNS server waits before querying the primary's SOA record to check for changes. When the refresh time expires, the secondary requests the current SOA record from the primary and compares its serial number with the one in its own copy. If they differ, the secondary requests a zone transfer. With NOTIFY (on by default in BIND) the primary tells its secondaries about a change immediately, so refresh only matters as a fallback.
- **Retry time** - The time, in seconds, a secondary server waits before retrying a failed refresh or zone transfer. The retry time should be lower than the refresh time.
- **Expire time** - The time, in seconds, a secondary keeps serving the zone while its refresh attempts keep failing. If this time passes without a successful refresh, the secondary expires its copy and answers SERVFAIL for the zone, as it considers its data too old to be reliable. It must be larger than refresh + retry; RFC 1912 suggests 2 to 4 weeks.
- **Minimum TTL** - Despite the name, since RFC 2308 this field is the negative caching TTL: how long resolvers may cache NXDOMAIN and NODATA answers for this zone (a few hours at most is usual). The TTL of ordinary records comes from the $TTL directive (3h above) or an explicit per-record TTL, not from this field. None of these four values has a default: a secondary uses whatever the primary's SOA says.
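The timer rules in the notice above are easy to get wrong in a hand-written SOA, and named-checkzone does not enforce them. The script below is an added example, not code from the original page: it pulls the SOA out of a zone file, converts BIND's time suffixes (S, M, H, D, W) to seconds and applies the RFC 1912 section 2.2 recommendations plus the RFC 2308 reading of the minimum field. It runs here against a constructed copy of the example zone above and flags its 1D refresh; the combined 1h30m form of BIND time values is not handled and is reported as unparsable.

```shell
#!/bin/sh
# Added example (not from the original page): extract the SOA timers from a
# zone file, convert BIND time suffixes to seconds and apply the RFC 1912
# sanity rules that named-checkzone does not enforce.

# Constructed copy of the SOA part of the example /etc/bind/society-lbl.com
example_zone() {
    cat <<'EOF'
$TTL 3h
@ IN SOA ns2.society-lbl.com. hostmaster.society-lbl.com. (
2013080101 ; serial number (YYYYMMDDxx)
1D ; refresh = 1 day
15M ; update retry = 15 minutes
3W ; expiry = 3 weeks
2H ; minimum = 2 hours
)
@ IN NS ns2.society-lbl.com.
EOF
}

# Read zone text on stdin; print "serial refresh retry expire minimum" with
# the four timers in seconds. Handles the multi-line parenthesised form.
soa_timers() {
    awk '
    function to_sec(v,   n, u) {
        if (v ~ /^[0-9]+$/) return v + 0
        n = substr(v, 1, length(v) - 1) + 0
        u = toupper(substr(v, length(v)))
        if (u == "S") return n
        if (u == "M") return n * 60
        if (u == "H") return n * 3600
        if (u == "D") return n * 86400
        if (u == "W") return n * 604800
        return -1                        # unknown suffix or mixed 1h30m form
    }
    { sub(/;.*/, "") }                   # drop comments before looking for parens
    /[ \t]SOA[ \t]/ { insoa = 1 }
    insoa {
        buf = buf " " $0
        if (buf !~ /\(/ || index($0, ")")) {   # single-line SOA, or closing paren reached
            gsub(/[()]/, " ", buf)
            n = split(buf, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "SOA") break
            print f[i+3], to_sec(f[i+4]), to_sec(f[i+5]), to_sec(f[i+6]), to_sec(f[i+7])
            exit
        }
    }'
}

soa_warnings=0
soa_warn() { echo "WARN: $*"; soa_warnings=$((soa_warnings + 1)); }

# Read zone text on stdin; print the parsed timers and one WARN line per
# violated rule. Returns 0 only when every value is in range.
check_soa() {
    set -- $(soa_timers)
    [ $# -eq 5 ] || { echo "no SOA record found" >&2; return 2; }
    serial=$1 refresh=$2 retry=$3 expire=$4 minimum=$5
    for v in "$refresh" "$retry" "$expire" "$minimum"; do
        [ "$v" -ge 0 ] || { echo "unparsable timer in SOA" >&2; return 2; }
    done
    echo "serial=$serial refresh=${refresh}s retry=${retry}s expire=${expire}s minimum=${minimum}s"
    soa_warnings=0
    printf '%s' "$serial" | grep -Eq '^[0-9]{10}$' || soa_warn "serial $serial is not in YYYYMMDDnn form"
    { [ "$refresh" -ge 1200 ] && [ "$refresh" -le 43200 ]; } || soa_warn "refresh $refresh outside 1200-43200 (20 min to 12 h)"
    [ "$retry" -lt "$refresh" ] || soa_warn "retry $retry should be lower than refresh $refresh"
    [ "$expire" -gt $((refresh + retry)) ] || soa_warn "expire $expire must exceed refresh + retry"
    { [ "$expire" -ge 1209600 ] && [ "$expire" -le 2419200 ]; } || soa_warn "expire $expire outside 2-4 weeks"
    [ "$minimum" -le 10800 ] || soa_warn "minimum $minimum is the negative-cache TTL; RFC 2308 suggests at most 3 h"
    [ "$soa_warnings" -eq 0 ]
}

# Run against the constructed sample: the 1D refresh is flagged (exit status 1)
example_zone | check_soa || echo "exit status: $?"
```

Use it as `check_soa < /etc/bind/domains/society-lbl.com` before named-checkzone; the warnings are recommendations, not syntax errors, so the zone still loads but secondaries lag or expire sooner than you expect.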
Tips
List subdomains locally
grep -v -E '^[$*;]' parmentier.io | grep -v -E '[[:space:]](NS|SOA)[[:space:]]' | grep -E '^\w' | awk '{ print $1 }' | sort -u
(skips $TTL/$ORIGIN directives, wildcard and comment lines, drops the NS and SOA records and prints the owner name of every remaining record once)