Quick dynamic DNS?
Grant Taylor
gtaylor at tnetconsulting.net
Thu Dec 24 20:46:25 UTC 2020
On 12/24/20 8:48 AM, @lbutlr wrote:
> That is what example.com always is, yes.
Sorry. I'm so used to people not using documentation domains that I
double check that they aren't actually trying to literally use
documentation domains internally.
It's a refreshing change to see documentation domains / IPs / networks
used properly.
I tip my hat to you.
> As I said, it is authoritative for example.com.
ACK
> Yep.
>
> No, I just want my bind server to get updated with the external IP
> of my home connection when it changes and update the A pointer.
Okay. IMHO that's relatively easy to do. See Stanley's reply as it
seems quite good.
About the only thing that I'd do differently is to use update-policy {
... } "grant" statements to more granularly control what the key can
update. E.g. allow it to /only/ update A and / or AAAA records for the
home.example.com name and nothing else.
An alternative to grant statements is to use a CNAME to yourself in a
different sub-domain where you have carte blanch access to update. But,
seeing as how the CNAME will reference explicitly one name, you have
less of a security risk in the alias domain. E.g. home.example.com ->
home.client1.ddns.example.com. Then give each client the ability to
update it's client#.ddns.example.com sub-doimain.
> I just want to update the IP address in a single A record.
IMHO that makes this almost trivial once you know how to do it.
> Possibly, though that is certainly part of what I am asking.
*nod*nod*
> But the bind server doesn't know the new IP address?
SSH from rPI to bind9 and remotely run a command. Possibly extracting
the IP from the SSH_{CLIENT,CONNECTION} environment variable. ;-)
> As I said. The bind server is at example.com. It is authoritative
> for example.com (and several other domains as well).
*nod*nod*nod*
I expect that many on this list have such systems at their disposal. }:-)
> At home I have a connection to an ISP and that connection MAY change
> since it is in a DHCP pool. I want to be able to updated my DNS server
> so that "home.example.com" points to my home IP address.
Typical and quintessential use case.
> I have done this in the past with various dynamic DNS services (like
> DynDNS) where their software client would automatically update a custom
> subdomain of one of their domains like homeftp.net (the have many and
> which one isn't relevant) and then on the Bind server I would have,
> for example, in example.com,
>
> home CNAME lbutlr.homeftp.net. #example name, not real dynDNS
> address)
>
> When the client updated my IP address, bind would simply relay
> connections to home.exmple.com to lbutlr.homeftp.net regardless of
> what the IP address was.
>
> What I want to do is eliminate the 3rd party service and client so
> that the bind server can simply have:
>
> home A 12.34.56.789 # obvs not a real IP
Aw ... no Test-Net IPs? :-P
IMHO what you're wanting to do is quite doable with a little bit of
knowledge and trial and error. See Stanley's email for more details on
said knowledge.
The only parting thoughts I'll add is that I don't know if TSIG keys are
sufficiently secure, or if there is a better option. I've not looked in
a while. -- I personally tend to isolate what can be changed with
grant statements and consider it good enough. -- This is also where
remotely executing nsupdate through SSH sort of elides this issue and
makes things somewhat simpler.
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20201224/132f0c40/attachment.bin>
More information about the bind-users
mailing list