How do I run a DNS server with a zone for a local domain and be able to add dynamic entries to the DNS zone securely from selected hosts?
I have tried to set up a domain 'rag.local' with bind9 and to add a new record to that zone using TSIG. It works now. The steps are below.
Used dnssec-keygen to generate a secret key for the zone:
$ dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST rag.local
$ ls -l
-rw------- 1 rag rag 118 Mar 7 23:22 Krag.local.+157+26937.key
-rw------- 1 rag rag 229 Mar 7 23:22 Krag.local.+157+26937.private
Copied the .key file to /etc/bind:
/etc/bind$ ls -lt
-rw-r--r-- 1 root bind 265 Mar 7 23:43 rag.local
-rw-r--r-- 1 root bind 435 Mar 7 23:35 named.conf.local
-rw------- 1 root bind 118 Mar 7 23:33 Krag.local.+157+26937.key
named.conf.local:
/etc/bind$ cat named.conf.local
// TSIG key; the secret is the base64 value from the generated key file
key "rag.local." {
        algorithm hmac-md5;
        secret "secret-key";
};
zone "rag.local" {
        type master;
        file "/etc/bind/rag.local";
        // only updates signed with the key above are accepted
        allow-update { key "rag.local."; };
};
The rag.local zone definition. EDIT: this file earlier did not have a valid name server and admin email for the zone; the zone file also lacked an A record for the name server.
/etc/bind$ cat rag.local
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns.rag.local. admin.rag.local. (
                        2         ; Serial
                        604800    ; Refresh
                        86400     ; Retry
                        2419200   ; Expire
                        604800 )  ; Negative Cache TTL
;
@       IN      NS      ns.rag.local.
@       IN      A       127.0.0.1
ns      IN      A       127.0.0.1
@       IN      AAAA    ::1
You may get an error like the one below if the zone file is not valid:
Mar 8 00:00:44 rag-tos-laptop named[20349]: zone rag.local/IN: journal rollforward failed: no more
Mar 8 00:00:44 rag-tos-laptop named[20349]: zone rag.local/IN: not loaded due to errors.
EDIT: after the zone file is corrected:
Mar 8 00:23:43 rag-tos-laptop named[21469]: zone rag.local/IN: loaded serial 2
Mar 8 00:23:43 rag-tos-laptop named[21469]: zone localhost/IN: loaded serial 2
A sample nsupdate file:
$ cat nsupdate.txt
server localhost
debug yes
zone rag.local.
update add host1.rag.local. 3600 A 10.20.30.40
show
send
Ran the update:
nsupdate -k Krag.local.+157+26937.private -v nsupdate.txt
This requires write permission for the bind group on /etc/bind, to solve a few permission issues.
Thanks
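Added example (not code from the question, from the answer, or from BIND): what nsupdate -k puts on the wire for the update above, and what named checks before allow-update lets it through. It builds the RFC 2136 UPDATE for host1.rag.local, signs it with TSIG (RFC 8945) under the key name rag.local., then verifies it the way the server does and shows the TSIG error returned for a wrong secret, a key name that is not in allow-update, a record altered in transit, and a replay outside the fudge window. The zone, host, address and key name come from the page; the secret, message id and clock are constructed, and it uses hmac-sha256 (the algorithm RFC 8945 requires and current tsig-keygen emits by default) rather than the page's hmac-md5, which is still understood under its legacy name in ALGORITHMS.

```python
import hashlib
import hmac
import struct

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
# TSIG algorithm identifiers are DNS names; the first is the legacy spelling behind "algorithm hmac-md5".
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}

def encode_name(name):
    """Uncompressed, lowercased wire-format name: 'rag.local.' -> b'\\x03rag\\x05local\\x00'."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, pos):
    """Inverse of encode_name; handles only uncompressed names, which is all this module emits."""
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def build_update(msg_id, zone, host, ttl, ipv4):
    """Unsigned RFC 2136 UPDATE: zone section naming the zone, one 'add A' RR, no prerequisites."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)  # ZOCOUNT PRCOUNT UPCOUNT ADCOUNT
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG fields that are digested after the message itself (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)

def tsig_sign(message, key_name, algorithm, secret, time_signed, fudge=300):
    """Client side (what nsupdate -k does): MAC over message || variables, append TSIG RR, bump ARCOUNT."""
    digest = hmac.new(secret, message + tsig_variables(key_name, algorithm, time_signed, fudge),
                      ALGORITHMS[algorithm]).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(algorithm) + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(digest)) + digest + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr

def tsig_verify(signed, secret, now, allowed_key_name):
    """Server side, checked in the order of RFC 8945 section 5.2: key, then MAC, then time.
    Returns the TSIG error named would answer with, or 'NOERROR'."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    pos = 12
    for _ in range(counts[2]):                              # zone (question) section: name + type + class
        pos = read_name(signed, pos)[1] + 4
    for _ in range(counts[3] + counts[4] + counts[5] - 1):  # every RR except the trailing TSIG
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = read_name(signed, pos)
    if struct.unpack("!H", signed[pos:pos + 2])[0] != TYPE_TSIG:
        return "FORMERR"
    pos += 10                                               # type, class, ttl, rdlength
    algorithm, pos = read_name(signed, pos)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[pos:pos + 10])
    pos += 10
    mac, pos = signed[pos:pos + mac_size], pos + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    if key_name != allowed_key_name.lower() or algorithm not in ALGORITHMS:
        return "BADKEY"                                     # not in allow-update, or unknown algorithm
    # Rebuild the message exactly as it was digested: original ID, ARCOUNT - 1, TSIG RR removed.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", counts[5] - 1) + signed[12:tsig_start])
    time_signed = (hi << 32) | lo
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, algorithm, time_signed, fudge, error, other),
                        ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

def demo():
    """Sign the update from the page, then show how named answers valid and bad requests."""
    secret = b"constructed demo secret; named.conf carries it base64-encoded"
    now = 1678224000  # fixed clock (constructed); a real client uses int(time.time())
    unsigned = build_update(0x1234, "rag.local.", "host1.rag.local.", 3600, "10.20.30.40")
    signed = tsig_sign(unsigned, "rag.local.", "hmac-sha256.", secret, now)
    # Change the A record's last octet in flight; header and TSIG RR are left untouched.
    tampered = signed[:len(unsigned) - 1] + b"\x63" + signed[len(unsigned):]
    return {
        "valid": tsig_verify(signed, secret, now, "rag.local."),
        "wrong_secret": tsig_verify(signed, b"guess", now, "rag.local."),
        "key_not_in_allow_update": tsig_verify(signed, secret, now, "other.local."),
        "tampered_record": tsig_verify(tampered, secret, now, "rag.local."),
        "replayed_an_hour_later": tsig_verify(signed, secret, now + 3600, "rag.local."),
        "bytes_on_wire": len(signed),
    }

if __name__ == "__main__":
    print(demo())
```

Run it as a script to print the verdicts. Two things the page's steps rely on are visible here: the MAC covers the whole message, so allow-update with a TSIG key binds the record content and not just the sender, and the fudge check (300 s by default) is why named and the updating host need synchronised clocks, otherwise updates fail with BADTIME even though the secret is right.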
Best Answer
I have solved it:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST example.com.
Editing the conf. file:
This is the step that you have to add:
Give named authorization to the /var/named folder:
Note: after you have used nsupdate you need to reload the zone using these steps: