Secure dynamic DNS howto notes for RHEL5
The must-read Secure dynamic DNS howto has all the steps you need to set up DDNS updates with BIND.
What follows are some very terse notes for RHEL5, highlighting steps that are not obvious from that howto.
name of the key
Whenever you need to choose a keyname, take the fqdn of the DHCP server, with a trailing dot! e.g. dhcp-server.example.com. The identity in a grant rule is compared against the name of the TSIG key that signed the update, so the key statement in named.conf, the key in dhcpd.conf and the grant rules below must all use exactly that name.
restricting what the DHCP server may update
If my reading of DNS and BIND (5th Edition) is correct, the following update policies are as tight as can be: the DHCP server's key may only touch A and TXT records (dhcpd's interim DDNS scheme stores the client identity in a TXT record next to the A record) for names below the forward zone apex, and PTR records below the reverse zone apex. The wildcard does match every name under the zone, static hosts included, so the key can still overwrite those; what it cannot reach is the apex (SOA, NS) and any other record type. Obviously, somewhere earlier in /etc/named.conf there is a key statement defining dhcp-server.example.com. which I will not paste here. For the forward zone I used this
zone "wlan.example.com." {
type master;
file "named.wlan.example.com";
update-policy {
grant dhcp-server.example.com. wildcard *.wlan.example.com. A TXT;
};
};
While for the reverse zone I used
zone "2.168.192.in-addr.arpa." {
type master;
file "named.192.168.2";
update-policy {
grant dhcp-server.example.com. wildcard *.2.168.192.in-addr.arpa. PTR;
};
};
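To see what those two policies actually grant, here is an added example (not from the original notes and not BIND code) that reimplements the evaluation of a "grant identity wildcard name types" rule in plain Python: BIND tests a wildcard by stripping the leading label and asking whether the updated name lies strictly below the remainder, the signer's TSIG key name must equal the identity, and only the listed types pass; anything else is refused. The zone and key names are the ones from these notes; the host names, the rogue key name and the address assignments in the cases are constructed for the demonstration, and the model does not cover deny rules or the other nametypes. Confirm the verdicts against a real server with nsupdate before trusting them.

```python
"""Offline model of BIND's 'grant <identity> wildcard <name> <types>' update-policy.

Added example for the notes above; it is not part of BIND. It encodes my reading
of the grant semantics: wildcard = strictly-below-suffix test, exact identity
match (or '*'), explicit type list, default deny.
"""
from collections import namedtuple

Grant = namedtuple("Grant", "identity name types")  # one 'grant ... wildcard ...' rule


def labels(name):
    """Split a dotted, fully-qualified name into lower-cased labels."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def is_subdomain(name, parent):
    """True if name is strictly below parent (more labels, same suffix)."""
    n, p = labels(name), labels(parent)
    return len(n) > len(p) and n[len(n) - len(p):] == p


def matches_wildcard(name, wildcard):
    """BIND semantics: '*.suffix' matches any name strictly below 'suffix', at any depth."""
    if not wildcard.startswith("*."):
        raise ValueError("not a wildcard name: %s" % wildcard)
    return is_subdomain(name, wildcard[2:])


def in_zone(name, zone):
    """True if name is the zone apex or below it."""
    return labels(name) == labels(zone) or is_subdomain(name, zone)


def permitted(policies, signer, name, rtype):
    """Would a TSIG-signed update by 'signer' to (name, rtype) pass the policy?

    policies: {zone: [Grant, ...]}.  The zone is picked from the name; a name
    outside every configured zone is refused outright.
    """
    zone = next((z for z in policies if in_zone(name, z)), None)
    if zone is None:
        return False
    for g in policies[zone]:
        identity_ok = g.identity == "*" or g.identity.lower() == signer.lower()
        if identity_ok and matches_wildcard(name, g.name) and rtype.upper() in g.types:
            return True
    return False  # update-policy is default-deny


# The two zones from the notes, transcribed into Grant rules.
DHCP_KEY = "dhcp-server.example.com."
POLICIES = {
    "wlan.example.com.": [Grant(DHCP_KEY, "*.wlan.example.com.", {"A", "TXT"})],
    "2.168.192.in-addr.arpa.": [Grant(DHCP_KEY, "*.2.168.192.in-addr.arpa.", {"PTR"})],
}

# Constructed cases: (signer, name, type, expected verdict).
CASES = [
    (DHCP_KEY, "laptop.wlan.example.com.", "A", True),
    (DHCP_KEY, "laptop.wlan.example.com.", "TXT", True),
    (DHCP_KEY, "laptop.wlan.example.com.", "MX", False),            # type not granted
    (DHCP_KEY, "wlan.example.com.", "A", False),                    # apex never matches '*.'
    (DHCP_KEY, "wlan.example.com.", "NS", False),                   # apex NS/SOA stay safe
    (DHCP_KEY, "23.2.168.192.in-addr.arpa.", "PTR", True),
    (DHCP_KEY, "23.2.168.192.in-addr.arpa.", "A", False),           # only PTR in the reverse zone
    (DHCP_KEY, "server.example.com.", "A", False),                  # no policy for that zone
    ("rogue.example.com.", "laptop.wlan.example.com.", "A", False),  # wrong key name
]


def run_cases(policies=POLICIES, cases=CASES):
    """Evaluate every case; return the ones whose verdict differs from 'expected'."""
    return [c for c in cases if permitted(policies, c[0], c[1], c[2]) != c[3]]


if __name__ == "__main__":
    for signer, name, rtype, _ in CASES:
        verdict = "ALLOW" if permitted(POLICIES, signer, name, rtype) else "REFUSED"
        print("%-26s %-32s %-4s %s" % (signer, name, rtype, verdict))
    assert not run_cases()
```

The practical consequence for the policy above: if the forward zone also holds hand-maintained A records (printers, the gateway), the DHCP key can replace them, so either keep static hosts in a different zone or accept that risk knowingly.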
SELinux
As BIND will now be modifying its own zone files (and writing the .jnl journal files next to them), you need to allow this
setsebool -P named_write_master_zones 1
see the RHEL6 documentation for more details.
logging
The logfiles should go to the data subdirectory of BIND's working directory (/var/named/data on a non-chrooted RHEL install), which named is allowed to write to under SELinux.
logging {
// for logging see
// from: http://www.netadmintools.com/part233.html
// and: http://www.netadmintools.com/html/5named.conf.man.html
channel default_debug {
file "data/named.run";
severity dynamic;
};
category dnssec { security_log; };
category update { security_log; };
category security { security_log; };
channel security_log {
file "data/dns-security.log" versions 5 size 20m;
// every time the log grows over 20 Mbyte, it will
// backup and rollover. Maximum 5 backups will be kept.
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
};
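What that log is good for: every accepted and refused update, and every TSIG failure, ends up in dns-security.log with a time, category and severity prefix. Below is an added example (not from the original notes and not BIND code) that reads such a log and flags the three things worth looking at: a signed update accepted from a host other than the DHCP server (the key has leaked or is being reused), updates from the DHCP server itself being refused (dhcpd asks for something the grant does not cover), and requests with bad TSIG signatures. The sample lines are constructed, modelled on the BIND 9.3-era "update" and "security" messages as written with print-time/print-category/print-severity enabled; the exact wording of the regexes should be checked against your own log, and the address of the DHCP server (192.168.2.1) is an assumption.

```python
"""Triage a BIND dns-security.log for DDNS abuse. Added example, not part of BIND."""
import re
from collections import Counter

# One line as written by named with print-time, print-category and
# print-severity enabled: "<time> <category>: <severity>: <message>".
LINE_RE = re.compile(
    r"^(?P<time>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): "
    r"(?:client (?P<client>[0-9a-fA-F.:]+)#\d+: )?(?P<msg>.*)$"
)
# Message shapes (modelled on BIND 9.3-era wording; verify against your log).
ACCEPTED_RE = re.compile(r"updating zone '[^']+': (?:adding|deleting) (?:an RR|rrset) at '[^']+'")
REFUSED_RE = re.compile(r"rejected by secure update|update '[^']+' denied")
TSIG_RE = re.compile(r"tsig verify failure|request has invalid signature")

# Constructed sample log (not a real capture). 192.168.2.1 is assumed to be the
# DHCP server; 192.168.2.77 is some other host on the WLAN.
SAMPLE_LOG = """\
27-Jan-2012 09:41:02.118 update: info: client 192.168.2.1#40011: updating zone 'wlan.example.com/IN': adding an RR at 'laptop.wlan.example.com' A
27-Jan-2012 09:41:02.119 update: info: client 192.168.2.1#40011: updating zone 'wlan.example.com/IN': adding an RR at 'laptop.wlan.example.com' TXT
27-Jan-2012 09:41:02.201 update: info: client 192.168.2.1#40011: updating zone '2.168.192.in-addr.arpa/IN': adding an RR at '23.2.168.192.in-addr.arpa' PTR
27-Jan-2012 09:55:17.004 update: info: client 192.168.2.1#40023: updating zone 'wlan.example.com/IN': update failed: rejected by secure update (REFUSED)
27-Jan-2012 10:02:44.560 security: error: client 192.168.2.77#52817: request has invalid signature: TSIG dhcp-server.example.com: tsig verify failure (BADKEY)
27-Jan-2012 10:02:50.101 security: error: client 192.168.2.77#52818: update 'wlan.example.com/IN' denied
27-Jan-2012 10:03:01.222 update: info: client 192.168.2.77#52819: updating zone 'wlan.example.com/IN': adding an RR at 'fileserver.wlan.example.com' A
"""


def parse(line):
    """Return the fields of one named log line, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage(log_text, dhcp_servers):
    """Count accepted/refused updates and TSIG failures per client and derive alerts.

    dhcp_servers: set of addresses that legitimately hold the DHCP TSIG key.
    Returns {"accepted", "refused", "tsig": Counter by client, "alerts": [str]}.
    """
    accepted, refused, tsig = Counter(), Counter(), Counter()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, msg = rec["client"] or "-", rec["msg"]
        if TSIG_RE.search(msg):
            tsig[client] += 1
        elif REFUSED_RE.search(msg):
            refused[client] += 1
        elif ACCEPTED_RE.search(msg):
            accepted[client] += 1
            if client not in dhcp_servers:
                # A signed update passed the policy from a host that should not
                # have the key: treat as a possible key leak.
                alerts.append("%s %s: accepted update from unexpected client %s: %s"
                              % (rec["time"], rec["category"], client, msg))
    for client, n in refused.items():
        if client in dhcp_servers:
            # dhcpd asked for something the grant does not cover (apex, other
            # type, other zone): a config mismatch rather than an attack.
            alerts.append("%s: %d update(s) from the DHCP server itself refused; "
                          "check grant types and zones" % (client, n))
    for client, n in tsig.items():
        alerts.append("%s: %d request(s) with a bad TSIG signature" % (client, n))
    return {"accepted": accepted, "refused": refused, "tsig": tsig, "alerts": alerts}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, dhcp_servers={"192.168.2.1"})
    for key in ("accepted", "refused", "tsig"):
        print(key, dict(report[key]))
    for alert in report["alerts"]:
        print("ALERT", alert)
```

Run it against the rotated files too (dns-security.log.0 and so on, as produced by the versions 5 setting above); a single accepted update from an address that is not the DHCP server is the finding that matters most, because it means the TSIG key is in use somewhere it should not be.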
Yes, all of the above is not enough to copy-paste a config together; that is intended. Read the Secure dynamic DNS howto, it is much better written and has more depth than I could ever provide in a quick braindump.