Using nsupdate remotely
Evan Hunt
each at isc.org
Tue Jul 12 20:28:44 UTC 2022
On Mon, Jul 11, 2022 at 11:48:45PM -0600, Philip Prindeville wrote:
> On the DNS side, I'll need to include from /etc/bind/named.conf a file
> with a "key { }" section and a "controls { }" section... with the same
> symmetric key/algorithm, of course... the "controls { }" section will
> need an "inet" address to listen on, the IP address of the DHCP server
> that will be sending us updates, and the matching name from the
> "key { }" section above.
>
> Am I forgetting anything? Or is that about it?
You don't need the "controls" section for nsupdate; that's only for
rndc. For nsupdate, you need to put an "update-policy" into the "zone"
statement, something like this:

    key update-key {
        algorithm hmac-sha256;
        secret "<secret>";
    };

    zone example.com {
        type primary;
        file "example.db";
        update-policy {
            grant update-key zonesub ANY;
        };
    };

(Incidentally, the "ddns-confgen" command is a version of tsig-keygen
that, in addition to generating a new key, also prints a configuration
example - similar to what rndc-confgen does for rndc.)
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
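
The client side of the setup discussed above, as an added example that is not part of the original message or of BIND's own documentation: the sending host keeps the same key clause in an owner-only file and passes it to nsupdate with -k. The helper function names, host names, addresses and paths are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: client side of a TSIG-signed dynamic update.
# Function names, hosts, addresses and paths are constructed placeholders.

# Write a named.conf-style key clause that "nsupdate -k" can read.
# Name, algorithm and secret must match the server's "key" statement.
# usage: write_key_file <key-name> <base64-secret> <path>
write_key_file() {
    (
        umask 077            # key material: owner read/write only
        rm -f -- "$3"        # recreate so stale loose permissions do not survive
        printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
            "$1" "$2" > "$3"
    )
}

# Emit an nsupdate batch that replaces the A record of one host.
# usage: build_update <server> <zone> <fqdn> <ttl> <ipv4>
build_update() {
    printf 'server %s\n' "$1"
    printf 'zone %s\n' "$2"
    printf 'update delete %s A\n' "$3"
    printf 'update add %s %s A %s\n' "$3" "$4" "$5"
    printf 'send\n'
}

# Sign the batch with the key file and send it. A nonzero exit status
# means the update failed, for example because update-policy refused it.
# usage: send_update <key-file> <server> <zone> <fqdn> <ttl> <ipv4>
send_update() {
    keyfile=$1
    shift
    build_update "$@" | nsupdate -k "$keyfile"
}

# Example calls (not executed here; the secret comes from tsig-keygen or
# ddns-confgen, and the key file path is an assumption):
#   write_key_file update-key "$SECRET" /etc/dhcp/update-key.conf
#   send_update /etc/dhcp/update-key.conf 192.0.2.53 example.com \
#       host1.example.com 300 192.0.2.10
```

The "grant update-key zonesub ANY;" rule in the message lets this key change any record type in the zone; listing only the record types the client actually sends in place of ANY narrows what a leaked key can do.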