pcfe's blog

DynDNS Updates With TSIG and NetworkManager Dispatcher

For paid accounts (DynDNS Pro and Dyn Standard DNS), one can do the updates with TSIG.

This allows us to not use ddclient, thus not having our DynDNS.com password in a config file on disk. Obviously, if the key is leaked, an attacker can still wreak havoc with your DynDNS zone configurations, but at least they will not be able to log onto the web interface of DynDNS under your name.

Create /etc/NetworkManager/dispatcher.d/20-nsupdate-tsig with this content:

#!/bin/bash
#
# NetworkManager dispatcher script to update dyndns via TSIG using nsupdate
#
# adaptation of http://messinet.com/trac/browser/networkmanager-nsupdate-gss-tsig/20-nsupdate-gss-tsig
# IPv6 and reverse support has been ripped out as I do not need them for DynDNS
# read https://www.dyndns.com/support/kb/ddns_updates_and_tsig.html
# pcfe, 2011-09-13
#

#
# Function definitions
#

# Invoke nsupdate
# (vars defined below)
updateRRs() {
  (echo "server update.dyndns.com"
   echo "zone ${ZONE}"
   echo "key ${KEY_NAME} ${KEY_HMAC}"
   echo "update add ${HOST}.${ZONE} ${TTL} A ${ADDR}"
   echo "send"
  ) | nsupdate -t 60 || exit 1
}

#
# Start working...
#

# Set the host name and ttl
# output format of ifconfig has changed
#ADDR=`/sbin/ifconfig $1 | grep "inet addr:" | awk '{print $2}' | awk -F ":" '{print $2}'`
# quote the interface name and use $(...) instead of backticks
ADDR=$(/sbin/ifconfig "$1" | grep "inet " | awk '{print $2}')
# while it's elegant to have the TTL based on lease time, we want short TTL
# so that one can hop between e.g. LAN and WLAN and have a caching DNS
# get the new entry quickly
#TTL=${DHCP4_DHCP_LEASE_TIME:-86400}
TTL=60
# the DynDNS hostname and zone you want to update, e.g. myserver.mydomain.net
HOST="myserver"
ZONE="mydomain.net"
# get the next two values from https://www.dyndns.com/account/settings/tsig.html
KEY_NAME="MyKeyName"
KEY_HMAC="MyKeyHMAC"

# Proceed based on NetworkManager STATUS, passed as "$2"
[[ "$2" =~ ^(up|dhcp[46]-change)$ ]] && {
  # Wait a short while for IPv6 autoconfiguration to complete
  #sleep 10
  updateRRs
}
exit 0

Nail down the file permissions:

cd /etc/NetworkManager/dispatcher.d/
chmod 700 20-nsupdate-tsig
chown root:root 20-nsupdate-tsig
restorecon -v /etc/NetworkManager/dispatcher.d/20-nsupdate-tsig
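
The script keeps the TSIG key in the file itself and sends whatever the ifconfig pipeline yields, even an empty string. As an added example (not part of the original script), the helpers below refuse a key-bearing file that group or other can access and only build the nsupdate batch for a well-formed IPv4 address. The function names and the switch to parsing `ip -4 -o addr show` output are assumptions of this example.

```bash
# Added example, not from the original post. Placeholder values as on the page.
HOST="myserver"; ZONE="mydomain.net"; TTL=60
KEY_NAME="MyKeyName"; KEY_HMAC="MyKeyHMAC"

# Succeed only if $1 is a dotted-quad IPv4 address with every octet in 0-255.
# The body runs in a subshell so the IFS change does not leak to the caller.
valid_ipv4() (
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
  esac
  IFS=.
  set -- $1
  [ "$#" -eq 4 ] || exit 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
  done
)

# Read "ip -4 -o addr show dev IFACE" output on stdin, print the first address.
first_ipv4() {
  awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Succeed only if regular file $1 grants nothing to group or other.
private_file() {
  perms=$(ls -ld "$1" 2>/dev/null) || return 1
  case "$perms" in
    -???------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the nsupdate batch for address $1, or fail without printing anything.
build_update() {
  valid_ipv4 "$1" || return 1
  printf '%s\n' "server update.dyndns.com" "zone ${ZONE}" \
    "key ${KEY_NAME} ${KEY_HMAC}" \
    "update add ${HOST}.${ZONE} ${TTL} A $1" "send"
}

# Constructed sample of "ip -4 -o addr show dev eth0" output (documentation address).
SAMPLE='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 3500sec preferred_lft 3500sec'

# In the dispatcher script, where "$0" is the file holding the key:
#   private_file "$0" || exit 1
#   ADDR=$(ip -4 -o addr show dev "$1" | first_ipv4)
#   build_update "$ADDR" | nsupdate -t 60 || exit 1
```
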

I’ve only used this on Fedora 15, but you should get this working on all distributions which use NetworkManager.

If the above makes no sense to you, then you probably want to continue updating your DynDNS entries with ddclient.

nsupdate can be found in the bind-utils RPM; install it with yum install bind-utils.

When having trouble with bind, I find that the book DNS and BIND (5th Edition), ISBN 9780596100575, published by O’Reilly Media, Inc., always comes in handy.