Secure dynamic DNS howto notes for RHEL5

The must-read Secure dynamic DNS howto has all the steps you need to set up DDNS updates with BIND.

What follows are some very terse notes for RHEL5, highlighting steps not directly obvious from that howto.

name of the key

Whenever you need to choose a keyname, take the fqdn of the DHCP server, with a trailing dot! e.g. dhcp-server.example.com.

keeping the dhcp server from updating more than expected

If my reading of DNS and BIND (5th Edition) is correct, then the following update policies are as tight as they can be. Obviously, somewhere earlier in /etc/named.conf there is a section defining the key dhcp-server.example.com., which I will not paste here. For the forward zone I used this:

zone "wlan.example.com." {
    type master;
    file "named.wlan.example.com";
    update-policy {
        grant dhcp-server.example.com. wildcard *.wlan.example.com. A TXT;
    };
};

While for the reverse zone I used:

zone "2.168.192.in-addr.arpa." {
    type master;
    file "named.192.168.2";
    update-policy {
        grant dhcp-server.example.com. wildcard *.2.168.192.in-addr.arpa. PTR;
    };
};
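Whether those two grants really are that tight can be checked without a running named. What follows is an added example, my own model and not code from the howto or from BIND, that applies BIND's documented update-policy rules to the two zones above. It assumes that rules are tried in order and the first match decides, that an update matching no rule is refused, that a name outside the zone is rejected before the policy is consulted, and that the wildcard name type uses DNS wildcard matching, so *.wlan.example.com. covers names below the apex but never the apex itself.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    action: str          # "grant" or "deny"
    identity: str        # TSIG key name that signed the update, with trailing dot
    nametype: str        # only the "wildcard" name type is modelled (assumption)
    name: str            # wildcard pattern, e.g. "*.wlan.example.com."
    rrtypes: frozenset   # RR types the rule covers (explicit list only)

# The two update-policy blocks from the zone statements above, as data.
POLICIES = {
    "wlan.example.com.": [
        Rule("grant", "dhcp-server.example.com.", "wildcard",
             "*.wlan.example.com.", frozenset({"A", "TXT"})),
    ],
    "2.168.192.in-addr.arpa.": [
        Rule("grant", "dhcp-server.example.com.", "wildcard",
             "*.2.168.192.in-addr.arpa.", frozenset({"PTR"})),
    ],
}

def is_subdomain(name: str, parent: str) -> bool:
    """True if name lies strictly below parent (DNS names are case-insensitive)."""
    name, parent = name.lower(), parent.lower()
    return name != parent and name.endswith("." + parent)

def matches_wildcard(name: str, pattern: str) -> bool:
    """DNS wildcard match: drop the leading '*' label and require a strict
    subdomain, so the zone apex itself never matches '*.zone'."""
    assert pattern.startswith("*.")
    return is_subdomain(name, pattern[2:])

def update_allowed(zone: str, key: str, name: str, rrtype: str) -> bool:
    """Would named accept a dynamic update of (name, rrtype) signed with key?"""
    # A name outside the zone is rejected (NOTZONE) before the policy is consulted.
    if name.lower() != zone.lower() and not is_subdomain(name, zone):
        return False
    for rule in POLICIES[zone]:
        if rule.identity.lower() != key.lower():
            continue                       # signed with a different key
        if rule.nametype == "wildcard" and not matches_wildcard(name, rule.name):
            continue                       # name not covered by this pattern
        if rrtype.upper() not in rule.rrtypes:
            continue                       # type not in the rule's list
        return rule.action == "grant"      # first matching rule decides
    return False                           # no rule matched: update refused
```

Note that the model refuses an update of the zone apex, of any type outside the grant list, and of anything signed with another key, which is exactly the behaviour you want from the DHCP server's key.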

SELinux

As BIND will now be modifying its own files, you need to allow this:

setsebool -P named_write_master_zones 1

see the RHEL6 documentation for more details.

logging

The log file should go to the data subdirectory:

logging {
        // for logging see
        // from: http://www.netadmintools.com/part233.html
        // and:  http://www.netadmintools.com/html/5named.conf.man.html
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };

        channel security_log {
                file "data/dns-security.log" versions 5 size 20m;
                // every time the log grows over 20 Mbyte, it will
                // backup and rollover. Maximum 5 backups will be kept.
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };

        category dnssec   { security_log; };
        category update   { security_log; };
        category security { security_log; };
};

Yes, all of the above is not enough to copypasta a config together, and that is intended. Read the Secure dynamic DNS howto; it is much better written and has more depth than I could ever provide in a quick braindump.