soft:bind [2019/07/14 21:57] phil |
soft:bind [2019/07/14 23:11] phil |
Line 2: | Line 2: | ||
* http:// | * http:// | ||
+ | |||
+ | |||
+ | ===== Configuration ===== | ||
+ | |||
+ | |||
+ | < | ||
+ | options { | ||
+ | auth-nxdomain no; | ||
+ | recursion no; | ||
+ | listen-on-v6 port 53 { any; }; | ||
+ | listen-on port 53 { any; }; | ||
+ | notify explicit; | ||
+ | rate-limit { | ||
+ | responses-per-second 10; | ||
+ | }; | ||
+ | }; | ||
+ | </ | ||
+ | |||
+ | ===== Zone configuration ===== | ||
+ | |||
+ | |||
+ | |||
+ | < | ||
+ | key schwarz.in.philpep.org. { | ||
+ | algorithm hmac-sha512; | ||
+ | secret "XXX XXX=="; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-transfer { | ||
+ | key schwarz.in.philpep.org.; | ||
+ | }; | ||
+ | also-notify { | ||
+ | 192.168.96.5 key schwarz.in.philpep.org.; | ||
+ | }; | ||
+ | }; | ||
+ | </ | ||
+ | |||
+ | This configure zone " | ||
+ | Primary and secondary master use a symetric hmac-sha512 keys. Theses keys can be generated with '' | ||
+ | |||
+ | DNS zone transfer occur in two times: | ||
+ | |||
+ | - Master notifies all secondary servers about the new zone serial | ||
+ | - Secondary issue a AXFR (full) or IXFR (incremental) zone transfer | ||
+ | |||
+ | |||
+ | Bind can be used for secondary servers as well, but you might consider using [[soft: | ||
+ | |||
+ | ===== Dynamic DNS update ===== | ||
+ | |||
+ | You can dynamically modify a zone using [[https:// | ||
+ | |||
+ | ==== DNS update script ==== | ||
+ | |||
+ | I use this script running in crontab every minutes on a router behind a dynamic ip address. | ||
+ | |||
+ | <file dyndns.sh> | ||
+ | #!/bin/sh | ||
+ | |||
+ | set -e | ||
+ | |||
+ | PATH=/ | ||
+ | export PATH | ||
+ | |||
+ | IFACE=" | ||
+ | DNS_SERVER=" | ||
+ | DNS_NAME=" | ||
+ | DNS_TTL=" | ||
+ | DNS_KEY="/ | ||
+ | |||
+ | LOGGER=" | ||
+ | |||
+ | # address on $IFACE | ||
+ | # addr=$(ip a show $PPP_IFACE | awk '$1 = " | ||
+ | # use an external service | ||
+ | # addr=$(wget -O - https:// | ||
+ | old_addr=$(dig @$DNS_SERVER +short +time=1 +tries=3 $DNS_NAME) # WAIT max 3 seconds | ||
+ | |||
+ | if [ " | ||
+ | $LOGGER " | ||
+ | cat << EOF | nsupdate -t 5 -k $DNS_KEY | ||
+ | server $DNS_SERVER | ||
+ | update delete $DNS_NAME A | ||
+ | update add $DNS_NAME $DNS_TTL A $addr | ||
+ | send | ||
+ | EOF | ||
+ | $LOGGER " | ||
+ | fi | ||
+ | </ | ||
+ | |||
+ | On server side, only allow the key to update A entry for " | ||
+ | |||
+ | < | ||
+ | key foo.philpep.org. { | ||
+ | algorithm hmac-sha512; | ||
+ | secret "XXX XXX=="; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | # [...] | ||
+ | update-policy { | ||
+ | grant foo.philpep.org. name foo.philpep.org. a; | ||
+ | }; | ||
+ | }; | ||
+ | </ | ||
+ | |||
+ | ==== letsencrypt acme dns challenge ==== | ||
+ | |||
+ | This is useful to issue letsencrypt certificates for internal domain names (belong a public domain), or for wildcard certificates. | ||
+ | |||
+ | * https:// | ||
+ | |||
+ | On client side, install and configure certbot-dns-rfc2136: | ||
+ | |||
+ | < | ||
+ | apt-get install certbot python3-certbot-dns-rfc2136 | ||
+ | </ | ||
+ | |||
+ | <file conf / | ||
+ | dns_rfc2136_server = 192.168.62.2 | ||
+ | dns_rfc2136_port = 53 | ||
+ | dns_rfc2136_name = foo.in.philpep.org. | ||
+ | dns_rfc2136_secret = XXX XXX== | ||
+ | dns_rfc2136_algorithm = HMAC-SHA512 | ||
+ | </ | ||
+ | |||
+ | Ensure to '' | ||
+ | |||
+ | On server side, configure the secret key and add a grant policy: | ||
+ | |||
+ | < | ||
+ | key foo.in.philpep.org. { | ||
+ | algorithm hmac-sha512; | ||
+ | secret "XXX XXX=="; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | # [...] | ||
+ | update-policy { | ||
+ | # allow foo.in.philpep.org and/or *.foo.in.philpep.org | ||
+ | grant foo.philpep.org. name _acme-challenge.foo.in.philpep.org. txt; | ||
+ | # allow all subdomain of in.philpep.org | ||
+ | # grant foo.in.philpep.org. zonesub txt; | ||
+ | }; | ||
+ | }; | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then back on client, issue the certificate with: | ||
+ | |||
+ | < | ||
+ | certbot certonly --dns-rfc2136 --dns-rfc2136-credentials / | ||
+ | </ |
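Review bot: The grant in the letsencrypt update-policy names the wrong key: the key block just above it defines `foo.in.philpep.org.`, but the grant line reads `grant foo.philpep.org. name _acme-challenge.foo.in.philpep.org. txt;`, which is the dyndns key from the earlier section. As written, certbot's key is refused and the dyndns key is instead granted TXT writes on the challenge name; the commented `zonesub` alternative on the next line uses `foo.in.philpep.org.`, which suggests a copy-paste slip rather than intent, so the line should become `grant foo.in.philpep.org. name _acme-challenge.foo.in.philpep.org. txt;`. The rendered diff truncates every line at its first double quote, so the zone names and the `if [ "...` comparison in dyndns.sh cannot be checked from here; in that script `$DNS_KEY`, `$DNS_NAME` and `$DNS_SERVER` are also expanded unquoted, and `dig +short` may return several lines, so the comparison deserves a look when the full text is visible. It would also help the reader if the sentence starting "Ensure to" stated the expected file mode of the credentials file, since the secret is stored in plain text.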