Note
This is just a quick reference guide; see a more complete guide if you are not already familiar with the topic.
Let’s assume we want to allow updating entries in the mydomain.tld zone.
The procedure has been successfully used on Debian 6 “squeeze”.
Generate the key used to authenticate the update (with an HMAC algorithm, dnssec-keygen produces a TSIG shared secret, not a public/private keypair):
dnssec-keygen -a HMAC-SHA512 -b 512 -n USER admin.mydomain.tld
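File /etc/bind/keys.conf (the secret is the value of the Key: line in the generated .private file; keep this file unreadable to other users):
key admin.mydomain.tld. {
    algorithm HMAC-SHA512;
    secret "PEMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy==";
};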
File /etc/bind/named.conf.local:
include "/etc/bind/keys.conf";
zone "mydomain.tld" {
    type master;
    file "/etc/bind/db.mydomain.tld";
    allow-update {
        key admin.mydomain.tld.;
    };
};
File /tmp/dnssec-update.txt:
server localhost
zone mydomain.tld
update delete test-dnssec.mydomain.tld A
update add test-dnssec.mydomain.tld 3600 A 10.11.12.13
show
send
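Issue the update, signing it with the key file that dnssec-keygen wrote (165 is the algorithm number dnssec-keygen uses for HMAC-SHA512; the key tag after it will differ for your key):
nsupdate -k Kadmin.mydomain.tld.+165+46947.private -v /tmp/dnssec-update.txt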
Check:
# host test-dnssec.mydomain.tld 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
test-dnssec.mydomain.tld has address 10.11.12.13
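
The step from the generated key file to /etc/bind/keys.conf is done by hand above. The following is an added example, not part of the original guide: a shell function (the name tsig_key_stanza is hypothetical) that builds the key stanza from the .private file, assuming the "Algorithm:" and "Key:" lines that dnssec-keygen writes, and refuses files that do not hold an HMAC key.

```shell
#!/bin/sh
# Added example (not from the original guide).
# Usage: tsig_key_stanza <key-name> <K*.private>
# Prints a "key { ... };" stanza suitable for /etc/bind/keys.conf.
tsig_key_stanza() {
    name=$1 file=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # "Algorithm: 165 (HMAC_SHA512)" -> 165
    algnum=$(awk '$1 == "Algorithm:" { print $2; exit }' "$file")
    # "Key: <base64>" -> <base64>, with any embedded whitespace removed
    secret=$(awk '$1 == "Key:" { $1 = ""; gsub(/[ \t\r]/, ""); print; exit }' "$file")

    # Only HMAC (TSIG) algorithm numbers are accepted; anything else
    # (for example an RSA zone-signing key) is rejected.
    case $algnum in
        157) alg=HMAC-MD5 ;;
        161) alg=HMAC-SHA1 ;;
        162) alg=HMAC-SHA224 ;;
        163) alg=HMAC-SHA256 ;;
        164) alg=HMAC-SHA384 ;;
        165) alg=HMAC-SHA512 ;;
        *) echo "not a TSIG (HMAC) key: algorithm '$algnum'" >&2; return 1 ;;
    esac
    [ -n "$secret" ] || { echo "no Key: line in $file" >&2; return 1; }

    # Key names are written fully qualified (trailing dot), as in keys.conf above.
    case $name in *.) ;; *) name=$name. ;; esac

    printf 'key %s {\n    algorithm %s;\n    secret "%s";\n};\n' \
        "$name" "$alg" "$secret"
}

# Typical use as root (assumption: BIND runs as group "bind", as on Debian):
#   umask 027
#   tsig_key_stanza admin.mydomain.tld K*.private > /etc/bind/keys.conf
#   chgrp bind /etc/bind/keys.conf
```

Setting the umask before the redirect means the secret is never written to a world-readable file, even briefly.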