DDNS+Bind

Kevin Darcy kcd at daimlerchrysler.com
Tue Mar 9 19:21:47 UTC 2004


Alexander Widera wrote:

>Hi,
>
>DynSite is a tool to update a DNS or to use dynamic DNS services like
>www.dyndns.org.
>You can get it at http://www.noeld.com/dynsite.asp
>I use it at the moment only for testing purposes ... I thought it would work
>with it ... but it always says: "DNS-Server kann das Format nicht erkennen."
>it means "DNS-Server couldn't understand the format". I don't know what this
>should mean.
>
According to the description of DynSite at 
http://www.dyndns.org/services/dyndns/clients.html, the software is able 
to update a DNS server using RFC 2136 (Dynamic Update) and RFC 2845 
(TSIG). It says nothing about SIG(0), so I would avoid that. In any 
case, at a bare minimum you'll need to tell the client that you want to 
use *this* form of Dynamic Update -- as opposed to any of the other, 
non-RFC-defined update protocols -- and additionally, tell it to 
TSIG-sign the updates, and make the key data (no such thing as 
public/private with a shared key) available to the client for signing. 
Beyond that, I can't really help you, since I have no direct knowledge 
of the software, and besides that, it's a BIND list, and this is 
non-BIND software you're talking about.

>I'm using the TSIG-key - I think this is easier...
>I created a key with:
>dnssec-keygen -a HMAC-MD5 -b 512 -n HOST mydomain.com
>then I have 2 files:
>Kmydomain.com.+157+45233.key
>Kmydomain.com.+157+45233.private
>
>The keyname is "mydomain.com." (with dot at the end), isn't it?
>The value of the key is in the file .private, isn't it?
>Where should these both files be placed? Or isn't this important?
>
>then I created in the named.conf the following entries:
>
>key mydomain.com. {
>    algorithm HMAC-MD5;
>    secret "pojasfmaf0awfp==";
>};
>
>(this isn't the correct key ... only for example)
>must there be the dot after "mydomain.com" ?
>
>and I extended my zone to this:
>
>zone "mydomain.com" in {
>        type master;
>        update-policy {
>            grant * name antibotz.de A TXT;
>        };
>        file "mydomain.com.zone";
>};
>

>I also tried some other update-policies or the old allow-update method.

Well, you haven't associated the key with the zone in any way. Just 
because the key happens to have the same name as the zone doesn't mean 
named understands the association. I'd stick with the old allow-update 
syntax (I've never actually used update-policy), and do something like:

              allow-update { key mydomain.com.; };

in the mydomain.com zone definition.

>The thing is that:
>The client, who should update, is the computer with the changing IP that
>should be updated at the DNS.
>I use only DynSite for testing purposes at the moment ... at the end I want
>to use a router. It has a menu where I can insert a domain and something
>like a username or password ... and the router should update the DNS.
>
>What am I doing wrong? What is missing?
>I think the client somehow has to submit the key, or not?
>
>Where can I find some logfiles if there is one?
>
That depends on your nameserver and possibly also your syslog 
configuration. Do you have a "logging" clause?

                                                                         
                                 - Kevin

>
>Alex
>
>
>"Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
>news:c2ituo$1qde$1 at sf1.isc.org...
>
>>Alexander Widera wrote:
>>
>>>Hiho,
>>>
>>>I have a running nameserver ...
>>>I searched and found for example that:
>>>http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
>>>but I don't get it running...
>>>
>>OK, so how far did you get? Do you get errors? Do you have any log
>>output, debugging output?
>>
>>>I want to update (for example with dynsite) a domain (entry is on my
>>>nameserver)...
>>>
>>What's "dynsite"? I've never heard of it.
>>
>>>What have I to do? What's that with the keys? TSIG and SIG(0) ... and where
>>>should I place them?
>>>Has someone a complete example?
>>>
>>As the HOWTO explains, you need to generate the keys, make them
>>available to both the nameserver and the update client, and then you
>>need to use the key to sign each update that you send from the client to
>>the server. Beyond that, the specifics are going to differ depending on
>>whether you choose to use TSIG or SIG(0). I can speak with some
>>experience on TSIG, since we are using TSIG-signed Dynamic Updates in
>>production. For SIG(0), you're on your own...
>>
>>
>>                                                   - Kevin
>>
>
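
Added example (not part of the original thread, and not code from BIND or DynSite): a shell function that reads the `.private` file produced by the `dnssec-keygen` command quoted above and prints the `key` clause together with a zone that uses the `allow-update` line suggested in the reply. The function name `render_tsig_conf`, the sample file contents and the secret are constructed for this example; the file is assumed to use the `Algorithm:` / `Key:` layout that `dnssec-keygen` writes for HMAC-MD5 keys.

```shell
#!/bin/sh
# Added example: derive the server-side TSIG configuration from the
# K<keyname>+<alg>+<tag>.private file written by dnssec-keygen.
# render_tsig_conf is a name made up for this example.

render_tsig_conf() {
    priv=$1
    base=$(basename "$priv" .private)   # Kmydomain.com.+157+45233
    keyname=${base#K}                   # drop the leading "K"
    keyname=${keyname%%+*}              # mydomain.com. (trailing dot kept)
    alg=$(awk '$1 == "Algorithm:" { print $2 }' "$priv")
    secret=$(awk '$1 == "Key:" { print $2 }' "$priv")
    # 157 is the algorithm number dnssec-keygen uses for HMAC-MD5.
    [ "$alg" = 157 ] || { echo "not an HMAC-MD5 key: $priv" >&2; return 1; }
    [ -n "$secret" ] || { echo "no Key: line in $priv" >&2; return 1; }
    # The output holds the shared secret: keep it readable by named only.
    cat <<EOF
key "$keyname" {
    algorithm hmac-md5;
    secret "$secret";
};

zone "${keyname%.}" in {
    type master;
    allow-update { key $keyname; };
    file "${keyname%.}.zone";
};
EOF
}

# Constructed sample key file; the secret is not a real key.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/Kmydomain.com.+157+45233.private"
    cat > "$f" <<'EOF'
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: c2FtcGxlLWtleS1ub3QtcmVhbA==
EOF
    render_tsig_conf "$f"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo
```

On the client side, `nsupdate -k` takes the same `K*.private` file, so the key name and secret on both ends come from one source.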



