Re: Quick dynamic DNS?

2020-12-24 Thread Mark Andrews
See draft-ietf-dnssd-srp 

-- 
Mark Andrews

> On 25 Dec 2020, at 12:22, Grant Taylor via bind-users 
>  wrote:
> 
> On 12/24/20 3:05 PM, Mark Andrews wrote:
>> TSIG, GSS-TSIG and SIG(0) are all secure mechanisms to update DNS zones.
> 
> Thank you for the follow-up Mark.
> 
> It's good to know that they are secure mechanisms.
> 
> With all the churn in the TLS space, I can't keep up with it, much less have 
> any idea how the concepts cross pollinate to other things.
> 
>> MacOS uses TSIG to update the DNS.
>> Windows uses GSS-TSIG in Active Directory.
> 
> *nod*
> 
> Jan-Piet Mens has a good article on this.
> 
>> SIG(0) is in future work for home net updating records added on a first come 
>> basis.  It can also be used to update records added by other means as long 
>> as the KEY records were added at the same time.
> 
> Would you please elaborate what you mean by "on a first come basis"?  Is it 
> simply the first person to put a KEY record, or someone that has knowledge 
> thereof?
> 
> Thank you for enlightening me.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Quick dynamic DNS?

2020-12-24 Thread Grant Taylor via bind-users

On 12/24/20 3:05 PM, Mark Andrews wrote:
TSIG, GSS-TSIG and SIG(0) are all secure mechanisms to update DNS 
zones.


Thank you for the follow-up Mark.

It's good to know that they are secure mechanisms.

With all the churn in the TLS space, I can't keep up with it, much less 
have any idea how the concepts cross pollinate to other things.



MacOS uses TSIG to update the DNS.

Windows uses GSS-TSIG in Active Directory.


*nod*

Jan-Piet Mens has a good article on this.

SIG(0) is in future work for home net updating records added on a 
first come basis.  It can also be used to update records added by 
other means as long as the KEY records were added at the same time.


Would you please elaborate what you mean by "on a first come basis"?  Is 
it simply the first person to put a KEY record, or someone that has 
knowledge thereof?


Thank you for enlightening me.



--
Grant. . . .
unix || die





Re: Quick dynamic DNS?

2020-12-24 Thread Mark Andrews
TSIG, GSS-TSIG and SIG(0) are all secure mechanisms to update DNS zones.

MacOS uses TSIG to update the DNS. 

Windows uses GSS-TSIG in Active Directory.

SIG(0) is in future work for home net updating records added on a first come 
basis.  It can also be used to update records added by other means as long as 
the KEY records were added at the same time. 
-- 
Mark Andrews

> On 25 Dec 2020, at 07:46, Grant Taylor via bind-users 
>  wrote:
> 
> On 12/24/20 8:48 AM, @lbutlr wrote:
>> That is what example.com always is, yes.
> 
> Sorry.  I'm so used to people not using documentation domains that I double 
> check that they aren't actually trying to literally use documentation domains 
> internally.
> 
> It's a refreshing change to see documentation domains / IPs / networks used 
> properly.
> 
> I tip my hat to you.
> 
>> As I said, it is authoritative for example.com.
> 
> ACK
> 
>> Yep.
>> No, I just want my bind server to get updated with the external IP of my 
>> home connection when it changes and update the A pointer.
> 
> Okay.  IMHO that's relatively easy to do.  See Stanley's reply as it seems 
> quite good.
> 
> About the only thing that I'd do differently is to use update-policy { ... } 
> "grant" statements to more granularly control what the key can update.  E.g. 
> allow it to /only/ update A and / or AAAA records for the home.example.com 
> name and nothing else.
> 
> An alternative to grant statements is to use a CNAME to yourself in a 
> different sub-domain where you have carte blanche access to update.  But, 
> seeing as how the CNAME will reference explicitly one name, you have less of 
> a security risk in the alias domain.  E.g. home.example.com -> 
> home.client1.ddns.example.com.  Then give each client the ability to update 
> its client#.ddns.example.com sub-domain.
> 
>> I just want to update the IP address in a single A record.
> 
> IMHO that makes this almost trivial once you know how to do it.
> 
>> Possibly, though that is certainly part of what I am asking.
> 
> *nod*nod*
> 
>> But the bind server doesn't know the new IP address?
> 
> SSH from rPI to bind9 and remotely run a command.  Possibly extracting the IP 
> from the SSH_{CLIENT,CONNECTION} environment variable.  ;-)
> 
>> As I said. The bind server is at example.com. It is authoritative for 
>> example.com (and several other domains as well).
> 
> *nod*nod*nod*
> 
> I expect that many on this list have such systems at their disposal.  }:-)
> 
>> At home I have a connection to an ISP and that connection MAY change since 
>> it is in a DHCP pool. I want to be able to update my DNS server so that 
>> "home.example.com" points to my home IP address.
> 
> Typical and quintessential use case.
> 
>> I have done this in the past with various dynamic DNS services (like DynDNS) 
>> where their software client would automatically update a custom subdomain of 
>> one of their domains like homeftp.net (they have many and which one isn't 
>> relevant) and then on the Bind server I would have, for example, in 
>> example.com,
>> home    CNAME   lbutlr.homeftp.net. # example name, not real dynDNS address
>> When the client updated my IP address, bind would simply relay connections 
>> to home.example.com to lbutlr.homeftp.net regardless of what the IP address 
>> was.
>> What I want to do is eliminate the 3rd party service and client so that the 
>> bind server can simply have:
>> home    A       12.34.56.789 # obvs not a real IP
> 
> Aw ... no Test-Net IPs?  :-P
> 
> IMHO what you're wanting to do is quite doable with a little bit of knowledge 
> and trial and error.  See Stanley's email for more details on said knowledge.
> 
> The only parting thoughts I'll add is that I don't know if TSIG keys are 
> sufficiently secure, or if there is a better option.  I've not looked in a 
> while.  --  I personally tend to isolate what can be changed with grant 
> statements and consider it good enough.  --  This is also where remotely 
> executing nsupdate through SSH sort of elides this issue and makes things 
> somewhat simpler.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 



Re: Quick dynamic DNS?

2020-12-24 Thread Grant Taylor via bind-users

On 12/24/20 8:48 AM, @lbutlr wrote:

That is what example.com always is, yes.


Sorry.  I'm so used to people not using documentation domains that I 
double check that they aren't actually trying to literally use 
documentation domains internally.


It's a refreshing change to see documentation domains / IPs / networks 
used properly.


I tip my hat to you.


As I said, it is authoritative for example.com.


ACK


Yep.

No, I just want my bind server to get updated with the external IP 
of my home connection when it changes and update the A pointer.


Okay.  IMHO that's relatively easy to do.  See Stanley's reply as it 
seems quite good.


About the only thing that I'd do differently is to use update-policy { 
... } "grant" statements to more granularly control what the key can 
update.  E.g. allow it to /only/ update A and / or AAAA records for the 
home.example.com name and nothing else.


An alternative to grant statements is to use a CNAME to yourself in a 
different sub-domain where you have carte blanche access to update.  But, 
seeing as how the CNAME will reference explicitly one name, you have 
less of a security risk in the alias domain.  E.g. home.example.com -> 
home.client1.ddns.example.com.  Then give each client the ability to 
update its client#.ddns.example.com sub-domain.



I just want to update the IP address in a single A record.


IMHO that makes this almost trivial once you know how to do it.


Possibly, though that is certainly part of what I am asking.


*nod*nod*


But the bind server doesn't know the new IP address?


SSH from rPI to bind9 and remotely run a command.  Possibly extracting 
the IP from the SSH_{CLIENT,CONNECTION} environment variable.  ;-)


As I said. The bind server is at example.com. It is authoritative 
for example.com (and several other domains as well).


*nod*nod*nod*

I expect that many on this list have such systems at their disposal.  }:-)

At home I have a connection to an ISP and that connection MAY change 
since it is in a DHCP pool. I want to be able to update my DNS server 
so that "home.example.com" points to my home IP address.


Typical and quintessential use case.

I have done this in the past with various dynamic DNS services (like 
DynDNS) where their software client would automatically update a custom 
subdomain of one of their domains like homeftp.net (they have many and 
which one isn't relevant) and then on the Bind server I would have, 
for example, in example.com,


home    CNAME   lbutlr.homeftp.net. # example name, not real dynDNS address


When the client updated my IP address, bind would simply relay 
connections to home.example.com to lbutlr.homeftp.net regardless of 
what the IP address was.


What I want to do is eliminate the 3rd party service and client so 
that the bind server can simply have:


home    A       12.34.56.789 # obvs not a real IP


Aw ... no Test-Net IPs?  :-P

IMHO what you're wanting to do is quite doable with a little bit of 
knowledge and trial and error.  See Stanley's email for more details on 
said knowledge.


The only parting thoughts I'll add is that I don't know if TSIG keys are 
sufficiently secure, or if there is a better option.  I've not looked in 
a while.  --  I personally tend to isolate what can be changed with 
grant statements and consider it good enough.  --  This is also where 
remotely executing nsupdate through SSH sort of elides this issue and 
makes things somewhat simpler.




--
Grant. . . .
unix || die





Re: Quick dynamic DNS?

2020-12-24 Thread Stanley Weilnau
What you want is a program on the rPI that will query the internet to find what 
the current outside address is and then send that to the bind9 server.

There are several ways of doing this.  
1) Use a service and have a CNAME pointing to the DNS entry of the service. 
Some examples:
https://www.dynu.com/DynamicDNS/IPUpdateClient/RaspberryPi-Dynamic-DNS
http://www.darwinbiler.com/dynamic-dns-using-raspberry-pi/

2) Use a custom script that will use nsupdate to update a dynamic zone on the 
bind9 server.  This is what I have done.
The script first queries the outside world for the IP address and then builds a 
nsupdate command set to send to the server.  I am doing this on a CentOS box, 
but it should work on a rPI.   I do use a key to prevent others from updating 
this record. 

script
———
#!/bin/bash
# Servers: http://dynupdate.no-ip.com/ip.php, http://www.antedes.com/getip.php, ...?
# Less straightforward: http://checkip.dyndns.org/, ...
IPS=http://dynupdate.no-ip.com/ip.php

DNSP=/home/demouser/DNS_KEY

# First, retrieve the current public IP address
CURIP=$(curl -s "$IPS" | awk '{ print $1 }')
# Refuse to go on unless the answer looks like an IPv4 address, so an error
# page or empty reply from the lookup service never ends up in the zone
case $CURIP in
    ''|*[!0-9.]*) echo "bad address from $IPS: '$CURIP'" >&2; exit 1 ;;
esac
OLDIP=$(cat "$DNSP/oldip" 2>/dev/null)   # empty on the first run
echo "$OLDIP"
# Compare to previously saved IP
[ "$CURIP" == "$OLDIP" ] && exit
echo "$CURIP"
# If different, tell DNS: delete and add in one transaction, signed with the TSIG key
echo "server mybind9serverIP" > "$DNSP/zone"
echo "zone dyn.example.com" >> "$DNSP/zone"
echo "update delete rpi.dyn.example.com. A" >> "$DNSP/zone"
echo "update add rpi.dyn.example.com. 3600  A $CURIP" >> "$DNSP/zone"
echo "show" >> "$DNSP/zone"
echo "send" >> "$DNSP/zone"
echo "before nsupdate"
/usr/bin/nsupdate -k "$DNSP/Krpi.dyn.example.com.+157+02083.private" "$DNSP/zone" || exit 1
# Remember the new address only after named accepted it, so a failed update is retried next run
echo "$CURIP" > "$DNSP/oldip"
echo "$(date) $CURIP" >> "$DNSP/oldips"


-
bind config entry

zone "dyn.example.com" {
    type master;
    file "master/external/dyn.example.com";
    allow-update { key rpi.dyn.example.com.; };
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "/keys/dyn.example.com/";
};




Re: Quick dynamic DNS?

2020-12-24 Thread @lbutlr
On 23 Dec 2020, at 21:23, Grant Taylor via bind-users 
 wrote:
> On 12/23/20 6:53 PM, @lbutlr wrote:
>> Given that I have an authoritative bind9 server for example.com and given that 
>> I have a home connection that is (technically) dynamic home.example.com what 
>> is the easiest way for me to automatically update the DNS on the rare 
>> occasions that it changes?
> 
> I assume:
> 
> 1)  That example.com is a stand in for the real domain name(s)

That is what example.com always is, yes.

> 2)  Your bind9 server is somewhere on the Internet

As I said, it is authoritative for example.com.

> 3)  You are asking how to dynamically update it to change where 
> home.example.com resolves to.

Yep.

>> The example.com domain is setup with DNSSEC and the home connection has a 
>> rPI already acting as an unbound/piHole server, if that helps.
> 
> Are you wanting to do some sort of zone transfer from the rPI to BIND?

No, I just want my bind server to get updated with the external IP of my home 
connection when it changes and update the A pointer.

> Is home.example.com public or private?  Can the world query it?

The world can reach my home connection, but no, the world cannot send DNS 
queries to it since it does not run an external DNS server (unbound is just a 
caching server, piHole is a DNS blocker that prevents LAN machines from 
reaching known bad hosts).

>> I used to use a dynamic DNS service, but I figure I have the tools available 
>> to do this all myself. What am I doing right now is just manually changing 
>> the IP.
> 
> ACK
> 
> I'm going to further assume:
> 
> 4)  That you have home.example.com delegated to the rPI at your house.

No, I just have home.example.com as an A record that points to my home IP 
address. There are no delegations and no subdomains for home.example.com.

> 5)  That you want to dynamically update this delegation.

I just want to update the IP address in a single A record.

> You can use BIND's support for Dynamic DNS across the Internet.  (I can't 
> speak to the security of such.)  I assume that you will be using something 
> like TSIG keys or Kerberos to authenticate your Dynamic DNS updates.  
> (Possibly even a VPN or the likes.)

Possibly, though that is certainly part of what I am asking.

> Or you can use nsupdate on the system hosting your public BIND DNS server.

But the bind server doesn't know the new IP address?

> Please clarify where the Dynamic DNS client will be in comparison to the BIND 
> DNS server.  Then we can get into the minutia of how to go about things.

As I said. The bind server is at example.com. It is authoritative for 
example.com (and several other domains as well).

At home I have a connection to an ISP and that connection MAY change since it 
is in a DHCP pool. I want to be able to update my DNS server so that 
"home.example.com" points to my home IP address.

I have done this in the past with various dynamic DNS services (like DynDNS) 
where their software client would automatically update a custom subdomain of 
one of their domains like homeftp.net (they have many and which one isn't 
relevant) and then on the Bind server I would have, for example, in example.com,

home    CNAME   lbutlr.homeftp.net. # example name, not real dynDNS address

When the client updated my IP address, bind would simply relay connections to 
home.example.com to lbutlr.homeftp.net regardless of what the IP address was.

What I want to do is eliminate the 3rd party service and client so that the 
bind server can simply have:

home    A       12.34.56.789 # obvs not a real IP

-- 
I went to a restaurant that serves "breakfast at any time". So I
ordered French Toast during the Renaissance.
