I can't speak to the security of this, although it doesn't look like there's
any authentication going on.
Two little things I learned about nsupdate (you may already know these) are -d
(debug) and -v (TCP rather than UDP). Those may be helpful in tracking
what's being sent/received at the logging and packet levels. (As mentioned
in other threads, use Ethereal for a nice, capable packet capture and
analysis tool. I can help you with that if you're into it. I think it's
fun, but then again, I'm a geek.) :-)
Even if you are stuck doing explicit removals of the old IP address, it
looks like the DHCP clients of today (dhcpcd for sure) keep track of the old
address as well as the new address as a shell variable, so you could still
script the removal step.
The nice part about firing it from /etc/dhcpc/dhcpcd_e.exe is that if it is
being executed, it's because the IP *has* changed. Therefore, in
pseudo-code, you just need to do the nsupdate parts:
#!/bin/sh
echo "(dhcpcd) IP address changed to $1" | logger
<path to script(s) that:>
remove the old nsupdate command script
create a new nsupdate command script using the new IP
run nsupdate ("nsupdate myScriptFile")
I think. Correct me if I'm wrong. Or it doesn't work. I just come up with
the ideas. :-D lol
Curtis.
-----Original Message-----
From: Shawn Grover [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 10:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: (clug-talk) Dynamic DNS help?
Curtis wrote:
>1) The Win2K DNS implementation and BIND can talk, but you can't use Active
>Directory integrated DNS zones (the easiest), and it takes some
>configuring.
> - That is worth learning, just for fun. :-D
>2) Keeping your AD info on your router would be a scary security practice,
>unless you've got Win2K, AD, BIND, router, host, and network security all
>sewn up. :-D
> - This may not be a concern for you, but no compromise is a good
>compromise. :-D
>
>If you do dive into this, Shawn, please let me know, I'd love to track
>along with you.
Yep, now that things are working more or less the way they should, I'll
abandon the idea of using BIND for the MS Active Directory. Probably more
headache than I really want/need - I need to get my site operational now
(get rid of the ugly rocket).
>That file (from my reading, needs testing) gets fired every time the IP
>changes, and not even at startup if the IP has not changed.
>
>Here are the contents by default (Slackware 8.1):
>
>#!/bin/sh
>echo "(dhcpcd) IP address changed to $1" | logger
>
>So ideally, all you'd have to do is add the appropriate nsupdate commands
>after that and feed it the $1 variable:
>
>#!/bin/sh
>echo "(dhcpcd) IP address changed to $1" | logger
>server srns1.superreal.net
>prereq yxdomain open2space.com
>update delete open2space.com
>update add open2space.com 900 in a $1
>update add open2space.com 900 in mx 10 $1
>server srns1.superreal.net
>prereq nxdomain www.open2space.com
>update add www.open2space.com 900 cname open2space.com
This won't work quite like this, though you're on the right track. We would
need the nsupdate commands written out to a file, then pass that file to
nsupdate. I don't know the scripting language well enough yet to do this
(I'll have to dig out a book from the library at work). So in pseudo-code,
the routine would go something like so:
if the ip address has changed
remove the old nsupdate command script
create a new nsupdate command script using the new IP
run nsupdate ("nsupdate myScriptFile")
end if
The catch I encountered was that the line "update delete open2space.com" is
supposed to clear all resource record entries for the domain, but doesn't.
So, I had to do something like "update delete open2space.com in a x.x.x.x"
where the x.x.x.x is the old IP. The addition of the new IP can be before
or after this command, but the old IP has to be explicitly removed. (Should
mention though that this could just be the way my DNS host is set up...)
Can anyone speak to the security of this? Can just anyone do an nsupdate on
my domain? I know nsupdate supports signature files, which can make it
secure, but without the sig files is there any provision for security?
Shawn
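The hook routine both messages sketch (rebuild the nsupdate command file, delete the old A record explicitly, run nsupdate), written out as an added example; it is not code from either poster. It assumes the new address arrives in $1 as the thread describes, a state file that remembers the previous address, and a TSIG key file handed to nsupdate with -k (the signed-update mechanism the thread alludes to); the zone and server names are the ones from the thread, and the file paths are placeholders.

```shell
#!/bin/sh
# dhcpcd hook: keep an A record in step with a changing address (added example).
# Assumptions: $1 is the new IPv4 address, STATE_FILE holds the address that is
# currently published, KEY_FILE is a TSIG key nsupdate can read (hypothetical path).
ZONE_HOST="open2space.com"
NS_SERVER="srns1.superreal.net"
STATE_FILE="${STATE_FILE:-/var/run/ddns-last-ip}"
KEY_FILE="${KEY_FILE:-/etc/ddns/Kddns-update.private}"
CMD_FILE="${CMD_FILE:-/var/run/ddns-nsupdate.cmd}"

# Accept only a dotted quad, so nothing odd from the hook argument reaches the zone.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the nsupdate command file for an old -> new address change.
# The old A record is removed explicitly (a bare "update delete" is not relied on).
gen_nsupdate_cmds() {
    old="$1"; new="$2"
    echo "server $NS_SERVER"
    [ -n "$old" ] && echo "update delete $ZONE_HOST in a $old"
    echo "update add $ZONE_HOST 900 in a $new"
    echo "send"
}

main() {
    new="$1"
    valid_ipv4 "$new" || { echo "ddns: refusing bad address '$new'" | logger; exit 1; }
    old=""
    [ -r "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
    [ "$old" = "$new" ] && exit 0               # nothing to do
    echo "(dhcpcd) IP address changed to $new" | logger
    umask 077                                    # command file stays private
    gen_nsupdate_cmds "$old" "$new" > "$CMD_FILE"
    # -k signs the update with the TSIG key, -v sends it over TCP (add -d to debug).
    if nsupdate -v -k "$KEY_FILE" "$CMD_FILE"; then
        echo "$new" > "$STATE_FILE"              # remember what is now published
    else
        echo "ddns: nsupdate failed, keeping old state '$old'" | logger
        exit 1
    fi
}

# Only act when dhcpcd hands us an address; sourcing the file just defines functions.
if [ $# -gt 0 ]; then main "$@"; fi
```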