
How to Set Up Remote nsupdate

secure411dotorg edited this page Jul 4, 2013 · 5 revisions

#### Punch a hole in the firewall

Open port 53 for both TCP and UDP between the two machines (iptables reference).

#### On any machine with BIND:

```sh
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST name-of-your-zone-here
```

The word HOST is literal; do not replace it with something else. Your zone name might be something like hits-yourcompanyname. It does not need to be a resolvable domain name. It does need to match the name of the zone you will be updating with nsupdate.

ls -lthr will show you that two new files have been created ending in .key and .private, including the name of your zone within the file name and some other identifiers.

Copy these two files to both the machine with BIND that you plan to send updates to, and the machine(s) with nsupdate that you plan to send updates from. I chose /etc/bind/ to put them in.

#### On the machine that will receive updates

##### Create /etc/bind/named.conf.keys

On the machine that will receive updates (where the zone file is hosted, the master location for the zone), create a file /etc/bind/named.conf.keys, containing:

```
key name-of-your-zone-here { algorithm HMAC-MD5; secret "COPY HASH FROM KEY FILE HERE"; };
```

##### Add an include line to your named.conf.local file such as:

```
include "/etc/bind/named.conf.keys";
```

##### Add or edit these sections within your zone definition in named.rpzones:

```
allow-update { localhost; key hits-rsg; };

allow-query { nsupdaters; yourexistingstuff; };
```

"yourexistingstuff" is a placeholder, not something that belongs in your named.rpzones file: if your allow-query { }; already lists entries, leave them in place and add "nsupdaters;" alongside them.

##### Add a line to named.acl such as:

```
acl "nsupdaters" { 1.2.3.4/32; };
```

replacing 1.2.3.4 with the IP of the machine that will be sending the nsupdate commands.

### Restart BIND

Restart BIND and watch the log to check that everything is OK. (In less, Shift-F jumps to the end of the file and follows it; Ctrl-C stops following so you can scroll back up to the point where BIND restarted.)

```sh
/etc/init.d/bind9 restart; less /var/log/named/named.log
```

Your log name and location may be different.

Test, and watch the logs that the ddns logging channel points to on the machine receiving nsupdates.
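The page leaves two steps implicit: how to get the secret out of the dnssec-keygen output into named.conf.keys, and what the nsupdate test on the client actually looks like. The script below is an added example, not part of the original wiki page. It assumes the key files were copied to /etc/bind/ as described above, that the key name in named.conf.keys matches the name used in allow-update (the page's own line uses the author's key name hits-rsg, so substitute yours), and that the .private file carries the base64 secret on its "Key:" line, which is what the "COPY HASH FROM KEY FILE HERE" placeholder refers to. The master address 192.0.2.10, the zone hits-example, the record host1.hits-example and the secret in the sample file are constructed values. Newer BIND releases also accept -a HMAC-SHA256 in dnssec-keygen (with algorithm hmac-sha256 in the key stanza), which is preferable to HMAC-MD5 where both ends support it; the example keeps hmac-md5 to match the page.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Assumes the dnssec-keygen
# files live in /etc/bind/ and that the key name equals the zone name.
# 192.0.2.10, hits-example, host1.hits-example and the sample secret below
# are constructed values.

# Pull the base64 secret out of a dnssec-keygen .private file (its "Key:" line)
# and print the key {} stanza for /etc/bind/named.conf.keys.
keys_stanza() {
    # $1 = key name, $2 = path to the K<name>.+157+<id>.private file
    secret=$(sed -n 's/^Key: //p' "$2")
    [ -n "$secret" ] || { echo "no Key: line found in $2" >&2; return 1; }
    printf 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$1" "$secret"
}

# Build the nsupdate batch: point at the master (not a slave), name the zone,
# drop any stale A record for the name, add the new one with a 300 s TTL, send.
nsupdate_batch() {
    # $1 = master IP, $2 = zone, $3 = record name within the zone, $4 = IPv4
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s 300 A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4"
}

# Sign and send the batch; nsupdate -k takes the .private file from dnssec-keygen.
# The server will log the update on its ddns channel whether it is accepted or refused.
send_update() {
    keyfile=$1; shift
    nsupdate_batch "$@" | nsupdate -k "$keyfile"
}

# --- demo with a constructed .private file (the secret is a made-up value) ---
demo_dir=$(mktemp -d)
demo_key="$demo_dir/Khits-example.+157+12345.private"
cat > "$demo_key" <<'EOF'
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==
Bits: AAA=
EOF

# Stanza to paste into named.conf.keys on the master:
keys_stanza hits-example "$demo_key"
# Batch that the client would pipe into nsupdate:
nsupdate_batch 192.0.2.10 hits-example host1.hits-example 203.0.113.7
# On the real client, with the real key file and master address:
#   send_update /etc/bind/Khits-example.+157+<id>.private \
#       192.0.2.10 hits-example host1.hits-example 203.0.113.7
rm -rf "$demo_dir"
```

After send_update, query the master for host1.hits-example and check the ddns log line on the server; a "refused" entry there usually means the key name in named.conf.keys does not match the one in allow-update, or the client address is missing from the nsupdaters ACL.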

##### Not yet researched: possible clarifying references

ddns

ibm ddns
