Bind DDNS updates


A little while ago I started working on some DDNS on a RHEL6 box, where a client would be able to update its own IP address after a reboot to remove the need for us to do it ourselves. I was pretty sure this would be a walk in the park, but I hit one very odd issue with nsupdate which looks to be caused by a recent change in the way the keys are generated. But I'm getting ahead of myself.

DDNS is actually really easy to set up, and there are a few sites out there that will tell you how easy it is; in fact the majority of them do. However, most of them have a section that mentions dnssec-keygen, and they all tell you to do the same thing:

dnssec-keygen -a HMAC-MD5 -b 512 -n HOST domain.key

The final argument is the key name; this post uses domain.key throughout. Make a note of it, because the same name has to appear in named.conf and is what nsupdate sends in the TSIG record. HMAC-MD5 is what every guide of this era shows, but dnssec-keygen on any reasonably current BIND also accepts -a HMAC-SHA256 -b 256, which is the better choice where both ends support it.

After you have generated the two files (.key and .private), most guides are unclear about what to do next. The answer is that you use the .key file for everything and can forget the .private file was ever created. Both files contain the same secret, though, so either delete the .private file or give both files mode 0600; whoever can read them can update the zone.

You then take the secret from the .key file and place it in your named.conf, either via an include or directly. The statement you want looks like this, with the key name being the one you gave dnssec-keygen:

key "domain.key" {
    algorithm HMAC-MD5;
    secret "SAdhkjhkjashdkjhasdkjbasdkbk8768/+sadfnasd asdkjahsdasdhkjhasdasd";
};

Worth noting: I keyboard-mashed the key above, but from the .key file you want to copy the whole key, spaces and all. The key above is in fact on one line with a space in it, so it may have wrapped.

Once you have this in your named.conf you can start securing your zones with allow-update (example.com stands in for your zone name here):

zone "example.com" {
    type master;
    allow-update { key "domain.key"; };
};

Be clear about what this grants: anyone who holds domain.key can add or delete any record in example.com, not just their own host's address. If the client only needs to keep its own A record current, BIND's update-policy statement can grant the key rights to that single name and record type instead of the whole zone.

Now, I got to this stage with the help of about 20 different websites and all was fine. The issues followed on trying to get nsupdate to work with the key. A lot of them, if not all, tell you to take the private key and pass that to nsupdate with the -k option.

Well this failed for me.

[root at host etc]# nsupdate -d -k ./
Creating key...
16-Jul-2012 18:17:45.111 ./ unknown option 'Private-key-format:'
16-Jul-2012 18:17:45.111 ./ unexpected token near end of file
could not read key from ./{private,key}: unexpected token

It took me a while to figure out that it was in fact the key file that was causing the problem. One thing that helped me work it out was the -y option, which takes keyname:secret directly on the command line:

nsupdate -y domain.key:SAdhkjhkjashdkjhasdkjbasdkbk8768/+sadfnasdasdkjahsdasdhkjhasdasd

This helped prove that there was an issue with the key file format, not the key itself. Note there is no space in the secret above, though the key does normally have one. Now, quite an important thing here: everyone that says to use the private key also has a key with this line in it: Private-key-format: v1.2. Well, mine said Private-key-format: v1.3 and failed. I'm not even sure if that's relevant.

The fix for this issue was in fact really simple. If you read through the nsupdate man page carefully you'll find that -k will also take a file in named.conf key-statement format, so create a file containing the same information as the key statement in your named.conf:

key "domain.key" {
    algorithm HMAC-MD5;
    secret "SAdhkjhkjashdkjhasdkjbasdkbk8768/+sadfnasd asdkjahsdasdhkjhasdasd";
};

Give that file mode 0600 on the client. The -y form is handy for a one-off test, but it leaves the secret in your shell history and visible in the process list, so use -k with a file for anything that runs unattended.

Try again and watch it work.
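As an added example, not code from the original post, here is a small POSIX shell script that does the conversion the post arrives at: it reads the KEY record from the .key file dnssec-keygen wrote, emits the named.conf key statement that nsupdate -k accepts, installs it with mode 0600, and also prints a zone stanza that uses update-policy to limit the key to one host's A record rather than the whole zone. The .key file contents are constructed (the secret is the post's keyboard-mashed filler, not a real key), and domain.key, example.com, host1 and ns1.example.com are placeholder names.

```shell
#!/bin/sh
# Added example, not code from the original post: build the named.conf-style
# key file that nsupdate -k accepts from the .key file dnssec-keygen writes,
# and emit a zone stanza that limits that key to one host's A record.
# "domain.key", "example.com", "host1" and "ns1.example.com" are placeholders.

# Constructed sample .key file in the layout dnssec-keygen uses:
#   <owner>. IN KEY <flags> <protocol> <alg> <base64 ...>
# dnssec-keygen writes long base64 as space-separated chunks, which is the
# "space in the key" the post mentions. The secret is filler, not a real key.
write_sample_keyfile() {
    cat > "$1" <<'EOF'
domain.key. IN KEY 512 3 157 SAdhkjhkjashdkjhasdkjbasdkbk8768/+sadfnasd asdkjahsdasdhkjhasdasd
EOF
}

# Map the private algorithm number in the KEY RR to the name named.conf uses.
tsig_alg_name() {
    case "$1" in
        157) echo hmac-md5 ;;
        161) echo hmac-sha1 ;;
        163) echo hmac-sha256 ;;
        165) echo hmac-sha512 ;;
        *) echo "unsupported TSIG algorithm number: $1" >&2; return 1 ;;
    esac
}

# Print a named.conf key statement for the KEY record in a .key file.
# The base64 chunks are joined into one token: named ignores the whitespace,
# but nsupdate -y cannot take a secret containing a space.
keyfile_to_named_conf() {
    rr=$(grep ' IN KEY ' "$1" | head -n 1)
    [ -n "$rr" ] || { echo "no KEY record in $1" >&2; return 1; }
    set -- $rr                       # split the record into fields (base64 has no glob chars)
    alg=$(tsig_alg_name "$6") || return 1
    name=${1%.}                      # owner name without the trailing dot
    shift 6                          # fields 7.. are the base64 chunks
    secret=$(printf '%s' "$@")       # concatenate the chunks
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$alg" "$secret"
}

# Server-side zone stanza. allow-update { key domain.key; } would let whoever
# holds the key rewrite any record in the zone; update-policy grants it only
# the A record of the one host that is meant to update itself.
zone_stanza() {
    zone=$1 host=$2 keyname=$3
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s.zone";\n' "$zone" "$zone"
    printf '\tupdate-policy {\n\t\tgrant %s name %s.%s A;\n\t};\n};\n' "$keyname" "$host" "$zone"
}

# Install the key file for nsupdate -k with mode 0600: the secret is the
# update credential, so nothing else on the client should be able to read it.
install_ddns_keyfile() {
    (umask 077 && keyfile_to_named_conf "$1" > "$2")
}

# Demonstration on the constructed sample. The nsupdate run itself is shown
# as a comment because it needs a reachable server.
demo() {
    dir=$(mktemp -d)
    write_sample_keyfile "$dir/Kdomain.key.+157+12345.key"
    install_ddns_keyfile "$dir/Kdomain.key.+157+12345.key" "$dir/ddns.key"
    cat "$dir/ddns.key"
    zone_stanza example.com host1 domain.key
    # On the client after a reboot, with ADDR holding the new address:
    #   nsupdate -k "$dir/ddns.key" <<EOF
    #   server ns1.example.com
    #   zone example.com
    #   update delete host1.example.com A
    #   update add host1.example.com 300 A $ADDR
    #   send
    #   EOF
    rm -rf "$dir"
}

demo
```

The conversion only needs the KEY record line, so comment or blank lines in the .key file are ignored, and an unknown algorithm number fails loudly rather than producing a key statement named will reject. The zone stanza pairs naturally with the key statement: the grant names the same key, so the client can only touch host1's A record even though it holds a valid TSIG key for the server.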