Bind Dynamic Update Key Generation
Posted By admin On 15.12.20

Here's the quick and dirty: On BIND9 with a dynamic zone that's shared between views, doing a nsupdate, updating/creating/deleting a record will work fine if I query for that record from a client.

Aug 08, 2012: Dynamic DNS with BIND and ISC DHCP SERVER. I decided to write a HOWTO about RFC 2136 dynamic DNS updates with BIND DNS server and ISC DHCP server. Automatic registration of DHCP client hostnames to DNS is something that is almost taken for granted nowadays. However, there are not too many good.

Sep 11, 2013: Since the dynamic updates are written to a separate file, it makes sense to store the entire hostname in a separate file. Make sure that bind9 can create new files in this directory:

mkdir /etc/bind/updates
chown bind:bind /etc/bind/updates

Add to /etc/bind/named.conf.local.
The file /path/to/Kdnsupdatekey.private looks like this:
To avoid making your entire production DNS subject to dynamic DNS updates, do the following for each certificate domain you want:

- In your main DNS infrastructure create a delegation:
  _acme-challenge.<domain>. NS <your-nameserver>.
- Create a new zone _acme-challenge.<domain> on <your-nameserver>, with an empty zonefile (just an SOA and NS record), writeable by the nameserver
- Create a new TSIG key:
  dnssec-keygen -r /dev/urandom -a hmac-sha512 -b 128 -n HOST <keyname>
- Enable dynamic updates on the _acme-challenge.<domain> zone with this key, e.g. for bind9:
This is a secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for. Use /dev/random as an argument for dnssec-keygen for key generation to increase security further.
An alternative approach is to use CNAMEs to put all your dynamic updates into a single zone. You will need to modify the script:
You then only need to create a single zone acme.mydomain.com which accepts dynamic DNS updates, but you will need to add static CNAMEs for _acme-challenge.<certname> pointing at _acme-challenge.<certname>.acme.mydomain.com for each certificate you want to issue.
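The script below is an added example, not code from the original page or from any project it quotes. It puts the two layouts above into concrete, least-privilege form: it generates a random HMAC-SHA512 TSIG secret (a TSIG key is just random bytes, so 64 bytes from /dev/urandom is equivalent to what dnssec-keygen or tsig-keygen produce; the page's command uses -b 128, this uses 512 bits to match the digest size), renders the BIND9 `key` and `zone` stanzas with an `update-policy` that grants that key nothing beyond TXT records inside the zone, and renders the nsupdate batch a client would send. All names (example.com, ns1.example.com, mydomain.com, the key name, the zone file path under /etc/bind/updates and the token value) are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original page). Placeholders: example.com,
# ns1.example.com, acme.mydomain.com, key name "acme-example-key".

# Random TSIG secret, base64 encoded on a single line. HMAC-SHA512 keys are
# plain random bytes; 64 bytes (512 bits) matches the digest size.
gen_tsig_secret() {
    bytes=${1:-64}
    head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
}

# named.conf fragment: key statement plus a zone whose update-policy lets
# this key touch TXT records at names inside this zone and nothing else.
# "zonesub" restricts to the zone in which the policy appears, so the same
# rule fits both the delegated _acme-challenge.<domain> zone and the single
# acme.mydomain.com zone used with CNAMEs.
render_named_conf() {
    keyname=$1; secret=$2; zone=$3; zonefile=$4
    cat <<EOF
key "$keyname" {
    algorithm hmac-sha512;
    secret "$secret";
};

zone "$zone" {
    type master;
    file "$zonefile";
    update-policy {
        grant $keyname zonesub TXT;
    };
};
EOF
}

# Key file for the client side; nsupdate -k accepts a file holding a
# named.conf-style key statement.
render_key_file() {
    keyname=$1; secret=$2
    cat <<EOF
key "$keyname" {
    algorithm hmac-sha512;
    secret "$secret";
};
EOF
}

# nsupdate batch: replace the challenge TXT record and send one update.
# Arguments: server, zone the record lives in, owner name, token.
render_nsupdate() {
    server=$1; zone=$2; name=$3; token=$4
    cat <<EOF
server $server
zone $zone
update delete $name. TXT
update add $name. 60 TXT "$token"
send
EOF
}

SECRET=$(gen_tsig_secret 64)

echo "# --- server side: delegated-zone layout ---"
render_named_conf acme-example-key "$SECRET" \
    _acme-challenge.example.com /etc/bind/updates/_acme-challenge.example.com.db

echo "# --- client side: /etc/acme-example.key ---"
render_key_file acme-example-key "$SECRET"

echo "# --- nsupdate batch, delegated-zone layout (nsupdate -k /etc/acme-example.key) ---"
render_nsupdate ns1.example.com _acme-challenge.example.com \
    _acme-challenge.example.com EXAMPLE-TOKEN

echo "# --- nsupdate batch, single-zone CNAME layout ---"
# Here _acme-challenge.www.example.com is a static CNAME pointing at the
# name updated below, and only acme.mydomain.com accepts updates.
render_nsupdate ns1.example.com acme.mydomain.com \
    _acme-challenge.www.example.com.acme.mydomain.com EXAMPLE-TOKEN
```

The `zonesub TXT` grant is what keeps the key from being a general-purpose update credential: even if a certificate host is compromised, its key cannot add A, MX or NS records, and cannot write outside the challenge zone. On BIND 9.13 and later, dnssec-keygen no longer generates HMAC keys; `tsig-keygen <keyname>` prints a key statement in the same format as `render_key_file`, so the rest of the procedure is unchanged.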