On Fri, 2010-12-31 at 09:56 +0200, Mark Elkins wrote:
> I do this for my Laptops. They can pick up an address from the local
> network (wherever I am visiting, Airports, Data Centers, friends, work
> - etc) and then update the info back home on my own network.
>
> Basics - when DHCPCD gets an IP from upstream - it uses nsupdate to send
> this info to a dynamic zone hosted on your side.
> Problems: The zone on your side needs to be dynamic - so should be
> separate from your normal "static" zone. The comms should really be
> secure - so you're going to learn a little about dnssec-keygen and
> signatures.
In a follow-up to this - see the attached HowTo....

--
Posix Systems - (South) Africa
[email protected] - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496
Howto
-----
This is a Howto that describes how to have a mobile PC (my laptop -
running linux) automatically update its DNS entry with its current IP
address, wherever it happens to be.
For this exercise - My PC is called "linux-pc"
My home Domain is "example.com" - and dynamic entries in this domain will
be stored in the domain "dhcp.example.com" and CNAME-d to make them work.
On the "mobile Linux PC".
Choose a directory in which to 'install' the authentication system - eg:
/etc/remote-dns-update
Do the following work in that directory.
Create a SIG(0) Key with the command:-
dnssec-keygen -r <RandomDevice> -a RSASHA1 -b 1024 -T KEY -n HOST <Keyname>
I use...
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -T KEY -n HOST linux-pc.dhcp.example.com
'keyname' for the PC should be the name of the PC - i.e.: ilinux.dhcp.posix.co.za
I use /dev/urandom for RandomDevice - it's only pseudo-random - but works quickly.
The default is /dev/random - but unless there is enough available 'entropy', it will make
generating the key take a long time.
Note: Older versions of "dnssec-keygen" may use "-k" instead of "-T KEY"
This generates two files:-
Klinux-pc.dhcp.example.com.+005+25237.key
Klinux-pc.dhcp.example.com.+005+25237.private
ON THE DNS SERVER - create a new zone by the name of "dhcp.example.com"
It needs the usual SOA and NS records.
Add in an entry for your PC, using the public key from
"Klinux-pc.dhcp.example.com.+005+25237.key" - which looks something like..

linux-pc.dhcp.example.com. IN KEY 512 3 5 AwEAAaR.....lots of Armoured ASCII Stuff....Wv5iHnBl

In the zone file this becomes the A record for the PC plus its KEY record:

linux-pc IN A 1.2.3.4
linux-pc IN KEY 512 3 5 AwEAAaR.....lots of Armoured ASCII Stuff....Wv5iHnBl
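Before pasting a KEY record into the zone it is worth checking that the record and the key pair the laptop will sign with really belong together: the file name encodes the owner name, the algorithm (+005 = RSASHA1) and the key tag (+25237), and that tag is computed from the record's RDATA as in RFC 4034 Appendix B, while the flags field (512, from "-n HOST") says what kind of key it is. The Python below is an added example, not part of this HowTo: it parses a K*.key file, decodes the flags, and recomputes the tag so a mismatch is caught before the zone is loaded. The key material is a constructed four-byte placeholder (not the author's key), so its tag works out to 02055 rather than 25237.

```python
import base64
import re

# Constructed sample key file: same layout as the K*.key file dnssec-keygen
# writes, but the public key is a four-byte placeholder (03 01 00 01) rather
# than a real RSA key, so its tag works out to 02055 instead of 25237.
SAMPLE_KEY_FILE = "linux-pc.dhcp.example.com. IN KEY 512 3 5 AwEAAQ==\n"
SAMPLE_FILENAME = "Klinux-pc.dhcp.example.com.+005+02055.key"

# KEY flags bits 6-7 (RFC 2535 name type): this is what dnssec-keygen -n sets.
NAME_TYPES = {0: "USER", 1: "ZONE", 2: "HOST", 3: "RESERVED"}
# Algorithm numbers as they appear in the record and in the "+005" of the file name.
ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 7: "NSEC3RSASHA1",
              8: "RSASHA256", 10: "RSASHA512"}

# Kname.+AAA+TTTTT.key / .private as written by dnssec-keygen
FILENAME_RE = re.compile(r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(key|private)$")


def parse_key_record(text):
    """Return the first 'owner [ttl] [IN] KEY flags proto alg base64...' record in text."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "KEY" not in fields:
            continue  # blank line, comment written by newer dnssec-keygen, or other record
        k = fields.index("KEY")
        flags, proto, alg = (int(x) for x in fields[k + 1:k + 4])
        pubkey = base64.b64decode("".join(fields[k + 4:]))  # key may be split across fields
        return {"name": fields[0], "flags": flags, "protocol": proto,
                "algorithm": alg, "pubkey": pubkey}
    raise ValueError("no KEY record found")


def parse_key_filename(filename):
    """Split Kname.+AAA+TTTTT.key into owner name, algorithm number and key tag."""
    m = FILENAME_RE.match(filename)
    if not m:
        raise ValueError("not a dnssec-keygen file name: " + filename)
    return {"name": m.group("name"), "algorithm": int(m.group("alg")),
            "tag": int(m.group("tag"))}


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the wire-format RDATA (not valid for RSAMD5, alg 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_key(keyfile_text, filename):
    """Return (computed tag, list of mismatches) for a .key file's text and its file name."""
    rec = parse_key_record(keyfile_text)
    fn = parse_key_filename(filename)
    problems = []
    if rec["name"].lower() != fn["name"].lower():
        problems.append("owner %s does not match file name %s" % (rec["name"], fn["name"]))
    name_type = NAME_TYPES[(rec["flags"] >> 8) & 3]
    if name_type != "HOST":
        problems.append("flags %d give a %s key, not the HOST key that -n HOST produces (512)"
                        % (rec["flags"], name_type))
    if rec["protocol"] != 3:
        problems.append("protocol %d is not 3 (DNSSEC)" % rec["protocol"])
    if rec["algorithm"] != fn["algorithm"]:
        problems.append("algorithm %d (%s) differs from +%03d in file name"
                        % (rec["algorithm"], ALGORITHMS.get(rec["algorithm"], "?"), fn["algorithm"]))
    tag = key_tag(rec["flags"], rec["protocol"], rec["algorithm"], rec["pubkey"])
    if tag != fn["tag"]:
        problems.append("computed key tag %05d differs from +%05d in file name" % (tag, fn["tag"]))
    return tag, problems


if __name__ == "__main__":
    tag, problems = check_key(SAMPLE_KEY_FILE, SAMPLE_FILENAME)
    print("key tag %05d: %s" % (tag, "record and file name agree" if not problems
                                else "; ".join(problems)))
```

Run it against the real file with `check_key(open(path).read(), os.path.basename(path))`; the owner-name comparison expects the absolute name the .key file carries, not the relative "linux-pc" form used inside the zone file.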
Modify your named.conf to include an update policy:-

zone "dhcp.example.com" {
    type master;
    file "db.dhcp.example.com";
    update-policy {
        grant * self * A TXT KEY;
    };
    max-journal-size 32k;
};
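The `grant * self * A TXT KEY;` rule is what confines the laptop's key to its own name: "self" means the name being updated must equal the name of the signing key, and the type list limits which records it may change. The Python below is an added example (not BIND's code) that models the first-match evaluation of update-policy rules for the "self" and "name" name types as the BIND 9 ARM describes them, and shows which updates the HowTo's policy permits and which it rejects. The rule tuples, `update_allowed` and `demo` are my own naming.

```python
# Model of BIND 9 update-policy evaluation for the "self" and "name" name
# types (an added example; not BIND's implementation). A rule is
#   (action, identity, nametype, name, types)
# mirroring   grant|deny <identity> self|name <name> [types...];
# Rules are checked in order and the first rule that matches decides.

# A rule with no explicit type list never covers these types (BIND 9 ARM).
IMPLICIT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


def canon(name):
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def wild_match(pattern, name):
    """'*' matches any name; anything else must match exactly (case-insensitive)."""
    return pattern == "*" or canon(pattern) == canon(name)


def rule_matches(rule, signer, target, rrtype):
    """True if this rule applies to an update of <target>/<rrtype> signed by <signer>."""
    action, identity, nametype, name, types = rule
    if not wild_match(identity, signer):
        return False
    if nametype == "self":
        # The update may only touch the name the signing key is named after;
        # the rule's own name field is ignored.
        if canon(signer) != canon(target):
            return False
    elif nametype == "name":
        if not wild_match(name, target):
            return False
    else:
        raise ValueError("nametype not modelled here: " + nametype)
    rrtype = rrtype.upper()
    if types:
        return rrtype in {t.upper() for t in types}
    return rrtype not in IMPLICIT_EXCLUDED


def update_allowed(policy, signer, target, rrtype):
    """True if the first matching rule is a grant; False on deny or when nothing matches."""
    for rule in policy:
        if rule_matches(rule, signer, target, rrtype):
            return rule[0] == "grant"
    return False


# The HowTo's policy:  update-policy { grant * self * A TXT KEY; };
HOWTO_POLICY = [("grant", "*", "self", "*", ["A", "TXT", "KEY"])]

# The laptop signs with the SIG(0) key named after itself.
LAPTOP_KEY = "linux-pc.dhcp.example.com."


def demo():
    """Constructed checks: what the laptop's key may and may not change."""
    own = "linux-pc.dhcp.example.com."
    return {
        "own A": update_allowed(HOWTO_POLICY, LAPTOP_KEY, own, "A"),
        "own TXT": update_allowed(HOWTO_POLICY, LAPTOP_KEY, own, "TXT"),
        "own NS": update_allowed(HOWTO_POLICY, LAPTOP_KEY, own, "NS"),
        "other host A": update_allowed(HOWTO_POLICY, LAPTOP_KEY, "other-pc.dhcp.example.com.", "A"),
        "zone apex SOA": update_allowed(HOWTO_POLICY, LAPTOP_KEY, "dhcp.example.com.", "SOA"),
    }


if __name__ == "__main__":
    for what, ok in demo().items():
        print("%-14s %s" % (what, "allowed" if ok else "denied"))
```

Note that KEY is in the granted type list, so the holder of the laptop's key can also replace that key record at its own name; that is deliberate here (it lets the laptop roll its own key) but is worth knowing when deciding what else to put in this zone.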
Delegate this new sub-zone from the parent "example.com" - something like...

dhcp    IN NS dns1.example.com.
        IN NS dns2.example.com.
Add a CNAME for your Mobile linux PC...
linux-pc IN CNAME linux-pc.dhcp.example.com.
Restart named (rndc reconfig; rndc reload) - check it's running - etc.
Now - a DIG of "linux-pc.example.com" should follow the CNAME into the
dhcp.example.com zone and return the current IPv4 address of 1.2.3.4
Back on the Mobile Linux PC....
You need a new "hook" to run when your Linux PC picks up a new IP address via DHCP.
My DHCP Hooks live in "/lib64/dhcpcd/dhcpcd-hooks" - try "locate dhcpcd-hooks".
In that directory - I created... "90-set-remote-name" and it contains...
--------------------------------------------------------------
# Set the ip for this host back home
TTL=600                                        # TTL of updated RR
SERVER=dns1.example.com                        # nameserver to send the update to
ZONE=dhcp.example.com                          # zone to update
HOSTNAME=linux-pc.dhcp.example.com             # domainname to update
KEYDIR=/etc/remote-dns-update                  # Key store directory
KEYNAME=Klinux-pc.dhcp.example.com.+005+25237  # The key in use (.key and .private pair)
KEYFILE=$KEYDIR/$KEYNAME

set_myip()
{
    # nsupdate needs both halves of the SIG(0) key pair, so run it from the key directory
    cd "$KEYDIR" || return 1
    nsupdate -v -k "$KEYFILE" <<E_O_F
server $SERVER
zone $ZONE
update delete $HOSTNAME A
update add $HOSTNAME $TTL A ${new_ip_address}
update delete $HOSTNAME TXT
update add $HOSTNAME $TTL TXT "Remote Update @ $(date)"
send
E_O_F
    # $? is nsupdate's exit status: the whole transaction is either applied or refused
    if [ $? -eq 0 ] ; then
        echo "Successfully updated IP ${new_ip_address} on $SERVER for $HOSTNAME"
    else
        echo "Failed to update IP ${new_ip_address} on $SERVER for $HOSTNAME"
    fi
}

# dhcpcd sets $reason for every hook run; only act when a lease was obtained or renewed
case "${reason}" in
BOUND|INFORM|REBIND|REBOOT|RENEW|TIMEOUT) set_myip;;
esac
--------------------------------------------------------------
Make this executable - try asking for a new DHCP lease..
# dhcpcd -k eth0; dhcpcd eth0
The files called "Klinux-pc.dhcp.example.com.+005..." need to be in the
directory $KEYDIR (/etc/remote-dns-update) which is why we also "cd"
to that directory in the above script - so "nsupdate" can find them and
sign the transaction.
Changes to the zone "dhcp.example.com" are held in a journal file.
To see changes to the zone, you must freeze (then thaw) that zone..
# rndc freeze dhcp.example.com; rndc thaw dhcp.example.com
That's all folks!
bind-users mailing list - https://lists.isc.org/mailman/listinfo/bind-users

