Re: [Dnsmasq-discuss] Dynamic DNS Updates via TSIG?

2015-01-26 Thread Simon Kelley
On 22/01/15 21:03, John Connett wrote:
 I have a router running OpenWrt (BarrierBreaker 14.07) with
 dnsmasq (2.71-4).
 
 I would like to use Dynamic DNS Updates via TSIG as offered by
 Dyn: http://dyn.com/apps/updater/tsig/
 
 How can I do this with dnsmasq?
 

Sorry, no.

TBH, the sensible thing to do here would be to move to a bigger DNS
server like BIND.

Cheers,

Simon.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-29 Thread Alberto Cuesta-Canada
On Mon, Jun 28, 2010 at 11:14 AM, Don Muller d...@djmuller.com wrote:
 Why not run a Microsoft DNS server? It'll save you the hassle of manual
 work.



 Don
 
Hi Don,
 
I have a fairly large setup running in production, and use dnsmasq for DNS, 
DHCP and PXE. Replacing it with a Microsoft DNS server is a much larger piece of 
work than manually installing AD, and I'm not sure if the results would be 
worth it. If manually installing AD doesn't work we will try other single sign-on 
mechanisms before considering migration; we actually like dnsmasq :)
 
Many thanks all for your help,
 
Alberto Cuesta-Canada
GaaS Team Lead
Excelian Ltd.
+44 (0) 7942633361

 

The information contained in this email and any attached files are confidential 
and intended solely for the addressee(s). The email may be legally privileged 
or prohibited from disclosure and unauthorised use. If you are not the named 
addressee you may not use, copy, or disclose this information to any other 
person. If you received this message in error please notify the sender 
immediately and delete it from your system. 

Any opinion or views contained in this email message are those of the sender, 
and do not represent those of the Company in any way and reliance should not be 
placed upon its contents. Unless otherwise stated, this email message is not 
intended to be contractually binding. Where an Agreement exists between our 
respective companies and there is conflict between the contents of this email 
message and the Agreement then the terms of that Agreement shall prevail.

Excelian
50 Featherstone Street
London
EC1Y 8RT
Tel: +44 (0) 20 7336 9595
Fax: +44 (0) 20 7336 9596
www.Excelian.com
_
This e-mail has been scanned for viruses by MessageLabs. For further 
information visit http://www.messagelabs.com

Excelian subscribes to cleaner and greener methods of working. Help take 
responsibility for the environment. Please don't print this email unless you 
absolutely have to.

Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-28 Thread Alberto Cuesta-Canada
Thanks Simon, time to roll up my sleeves and start doing it manually :)
 
Alberto Cuesta-Canada
GaaS Team Lead
Excelian Ltd.
+44 (0) 7942633361



From: Simon Kelley [mailto:si...@thekelleys.org.uk]
Sent: Mon 28/06/2010 16:23
To: Alberto Cuesta-Canada
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Dynamic DNS



Alberto Cuesta-Canada wrote:

 So my question should have been: Is RFC2136 supported or in the roadmap?
 (And a no for an answer is perfectly understood, the simplicity of
 dnsmasq is something to be safeguarded).
 

and the answer is no, for precisely the reason you give, and because
the main use of dynamic DNS (updates from a DHCP server) is covered
instead by dnsmasq DNS-DHCP integration.


Cheers,

Simon.




Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-28 Thread Don Muller
Why not run a Microsoft DNS server? It'll save you the hassle of manual
work.

 

Don




Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-28 Thread richardvo...@gmail.com
While dnsmasq can act as an overlay (respond to names it knows,
forward requests *in the same domain* for unknown names), I don't
think the Microsoft DNS server can do that.  So you end up needing
different subdomains for AD-joined computers from those that aren't,
in order for every node to resolve every name properly.

Something else to note is that the Microsoft DNS can act as the
recursive server which dnsmasq requires.

On Mon, Jun 28, 2010 at 11:14 AM, Don Muller d...@djmuller.com wrote:
 Why not run a Microsoft DNS server? It’ll save you the hassle of manual
 work.



 Don






Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-26 Thread clemens fischer
/dev/rob0 wrote:

 FWIW, Alberto, Windows clients do speak 2136. I think they do it by 
 default, regardless of the type of nameserver they're contacting.
 
 A confusing thing about Alberto's description is the apparent idea 
 that dnsmasq does not support dynamic DNS. On the contrary, that's 
 what it does, exceptionally well, by combining the DHCPd with the 
 nameserver. Dynamic DNS for DHCP clients is a strong point for 
 dnsmasq.

This might be a good idea!  Dnsmasq allows including files and rereading
them when they are modified.

Option addn-hosts comes to mind: an update script might append/replace
records like some-IP some-Host in a file.

 What good is such a drastic DNS operation when no authentication is
 defined?  Other than that the RFC reads like a stripped down version
 of
 
 Hmm? You can use dnssec-keygen(8) keys for authentication. I admit,
 I don't know as practical a way to do it in the real world; DynDNS's
 protocol and my HTTP+nsupdate hack are handy for associating one
 user's records with one authentication credential.

DNSSEC is an entirely different beast.  It is to generate key-signing-
and zone-signing keys for verifying DNS responses.

You probably meant ddns-confgen(8), which is used to TSIG authenticate
within a DNS operation.  But the problem is not how to make a secure
key, /dev/random would be enough for that, but how to send it to some
agent.

 That's why I think my HTTP+nsupdate hack was better than DynDNS's 
 protocol. No special client needed, just a web browser (or a 
 scriptable HTTP client like wget(1).)

Right.

I'm using a script whenever I get a new IP (${newip} in the script) from
the provider by DHCP:

  #!/bin/sh
  # bin/dyndns-update.sh
  # _date: 20100222-1628_
  #
  # /l/etc/named.conf
  # /etc/dhcpcd.exit-hook
  # url:man:1 nsupdate
  
  iam=${0##*/}
  ex=0
  usage="${iam}: use ${iam} zone ip"
  nsupdate=/usr/local/bin/nsupdate
  nsupdate_opts=""
  nsupdate_opts="${nsupdate_opts} -l"   # local mode: talk to the server on localhost
  nsupdate_opts="${nsupdate_opts} -k /usr/local/etc/bind9/tsig-update.key"   # TSIG key that signs the update
  zone=${1:?${usage}}
  newip=${2:?${usage}}
  spf1="v=spf1 ip4:${newip} a XXX XXX ~all"
  
  # nsupdate batch: replace the A record and the SPF TXT record at the zone apex
  update_rr="
  zone ${zone}
  prereq yxdomain ${zone}
  update delete ${zone} 300 IN A
  update add ${zone} 300 IN A ${newip}
  update delete ${zone} 3600 IN TXT
  update add ${zone} 3600 IN TXT \"${spf1}\"
  send
  answer
  "
  
  echo "${update_rr}" | ${nsupdate} ${nsupdate_opts}
  ex=$?
  exit ${ex}

and the key is made like this:

  # ddns-confgen -k /l/etc/bind9/tsig-update.key -s XXX.eu.org


clemens
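
As an added illustration of the addn-hosts idea above (my own example, not clemens' script or anything from the thread): a POSIX sh update script that replaces the "IP hostname" record for a host in a file dnsmasq loads with --addn-hosts, validates both fields first, writes the file atomically and then signals dnsmasq to re-read it. HOSTS_FILE and PID_FILE are assumed placeholder paths.

```shell
#!/bin/sh
# Added example, not code from the thread: an update script for the
# --addn-hosts idea. The file holds "IP hostname" lines that dnsmasq loads
# with --addn-hosts=FILE; after rewriting it, a SIGHUP makes dnsmasq re-read
# its hosts files. HOSTS_FILE and PID_FILE are assumed placeholder paths.

HOSTS_FILE=${HOSTS_FILE:-/var/lib/dnsmasq/dyn-hosts}
PID_FILE=${PID_FILE:-/var/run/dnsmasq.pid}

# This script is the trust boundary between the agent requesting the update
# and the resolver, so both fields are validated before they touch the file:
# a name containing whitespace would otherwise inject extra aliases, and an
# arbitrary first field could poison the line for a different host.
valid_hostname() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do            # the regex cannot range-check octets
        [ "$octet" -le 255 ] || return 1
    done
}

# upsert_record FILE IP HOSTNAME: drop any existing record for HOSTNAME, append
# the new one, and replace the file atomically so dnsmasq never sees a
# half-written file if it reloads in the middle of an update.
upsert_record() {
    file=$1 ip=$2 host=$3
    valid_ipv4 "$ip" || { echo "$0: rejected address '$ip'" >&2; return 2; }
    valid_hostname "$host" || { echo "$0: rejected hostname '$host'" >&2; return 2; }
    tmp="${file}.tmp.$$"
    if [ -f "$file" ]; then
        awk -v h="$host" 'tolower($2) != tolower(h)' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    else
        : > "$tmp"
    fi
    printf '%s %s\n' "$ip" "$host" >> "$tmp"
    mv "$tmp" "$file"
}

# lookup_record FILE HOSTNAME: print the address currently recorded for HOSTNAME
lookup_record() {
    [ -f "$1" ] || return 1
    awk -v h="$2" 'tolower($2) == tolower(h) { print $1; found = 1 } END { exit !found }' "$1"
}

# SIGHUP makes dnsmasq clear its cache and re-read /etc/hosts and all
# --addn-hosts files (see the SIGNALS section of dnsmasq(8)).
reload_dnsmasq() {
    [ -r "$PID_FILE" ] && kill -HUP "$(cat "$PID_FILE")"
}

if [ $# -eq 2 ]; then
    upsert_record "$HOSTS_FILE" "$1" "$2" && reload_dnsmasq
fi
```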




Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-25 Thread /dev/rob0
On Thu, Jun 24, 2010 at 09:32:01PM +0200, clemens fischer wrote:
 /dev/rob0 wrote:
 
  On Thu, Jun 24, 2010 at 09:51:57AM +0100, Alberto Cuesta-Canada wrote:
 
  are there any plans of implementing Dynamic DNS for dnsmasq? 
   
  There is a perl script that adds that functionality here:
  http://psydev.syw4e.info/new/dynamic-dnsmasq/dynamic-dnsmasq.pl
  
  I don't understand all the desire to invent new protocols for dynamic 
  DNS. RFC 2136 handles it quite well. If dnsmasq were to add another
  protocol, it should be RFC 2136. Dyndns.org's protocol is not a 
  standard.
  
  Some years back, before I really understood 2136, I wrote a perl/CGI 
  frontend for nsupdate(8) which does something similar without 

Clarification: if I had known then what I know now, I would have 
solved my issue by generating a key and using nsupdate(8) over the 
Internet, rather than HTTP. As per below, I do NOT know enough about 
2136 to figure a way for it to scale.

I'm not sure I understand enough about Alberto's issue to offer any 
suggestions, but perhaps the 2136/nsupdate idea would help. He 
mentioned in followup that a Kerberos-based authentication server 
might be under consideration, and that sounds promising.

FWIW, Alberto, Windows clients do speak 2136. I think they do it by 
default, regardless of the type of nameserver they're contacting.

A confusing thing about Alberto's description is the apparent idea 
that dnsmasq does not support dynamic DNS. On the contrary, that's 
what it does, exceptionally well, by combining the DHCPd with the 
nameserver. Dynamic DNS for DHCP clients is a strong point for 
dnsmasq.

  exposing another root-owned TCP socket to the world. By means of 
  permissions on a copy of the key, I was able to allow the httpd(8) 
  user to run nsupdate after authenticating the user.
 
 I just skimmed through RFC 2136.  From a practical standpoint, it has
 a serious flaw in sections 3.3.1 and 3.3.2:
 
   3.3.1. Next, the requestor's permission to update the RRs named in
   the Update Section may be tested in an implementation dependent
   fashion or using mechanisms specified in a subsequent Secure DNS
   Update protocol.
 
 What good is such a drastic DNS operation when no authentication is
 defined?  Other than that the RFC reads like a stripped down version of

Hmm? You can use dnssec-keygen(8) keys for authentication. I admit, I 
don't know as practical a way to do it in the real world; DynDNS's 
protocol and my HTTP+nsupdate hack are handy for associating one 
user's records with one authentication credential.

I guess a secure way to do it is to give each user his/her own key 
and a separate zone. But that would not scale. I don't know how to 
link a key with only one RR name. I could ask the BIND folks.

 nsupdate's technical manual (if such a thing exists).  The benefit to
 not defining it there is that any mechanisms can be used.  Arriving at
 this conclusion leaves us looking at eg. dyndns's protocol.  I think
 it's one of the worst alternatives in this context:  dnsmasq often runs
 in local link areas, where people can easily snoop the credentials, and
 it mocks up an HTTP server, which is quite complicated for this task.

That's why I think my HTTP+nsupdate hack was better than DynDNS's 
protocol. No special client needed, just a web browser (or a 
scriptable HTTP client like wget(1).)

 A much simpler approach would be for the client to send the
 base64(sha1(user:password:hostname)) (a hash of user, password and
 desired, preregistered hostname) to some special host and maybe wait for
 the ACK.  That could be decoupled from dnsmasq, which is probably not
 the right place to implement it.

Agreed. I can think of many hacks, any of which would be preferable 
to adding a non-standard protocol to dnsmasq.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



[Dnsmasq-discuss] Dynamic DNS

2010-06-24 Thread Alberto Cuesta-Canada
Hi Simon,
 
are there any plans of implementing Dynamic DNS for dnsmasq? 
 
There is a perl script that adds that functionality here:
http://psydev.syw4e.info/new/dynamic-dnsmasq/dynamic-dnsmasq.pl 
 
Thanks for all the great work,
 
Alberto Cuesta-Canada
GaaS Team Lead
Excelian Ltd.
+44 (0) 7942633361


Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-24 Thread /dev/rob0
On Thu, Jun 24, 2010 at 09:51:57AM +0100, Alberto Cuesta-Canada wrote:
 are there any plans of implementing Dynamic DNS for dnsmasq? 
  
 There is a perl script that adds that functionality here:
 http://psydev.syw4e.info/new/dynamic-dnsmasq/dynamic-dnsmasq.pl

I don't understand all the desire to invent new protocols for dynamic 
DNS. RFC 2136 handles it quite well. If dnsmasq were to add another
protocol, it should be RFC 2136. Dyndns.org's protocol is not a 
standard.

Some years back, before I really understood 2136, I wrote a perl/CGI 
frontend for nsupdate(8) which does something similar without 
exposing another root-owned TCP socket to the world. By means of 
permissions on a copy of the key, I was able to allow the httpd(8) 
user to run nsupdate after authenticating the user.

(Perhaps your perl script could be amended to run as the dnsmasq 
user; I think that would be a very good idea.)

Another thing I'm not understanding is why is this needed? Are you 
running dnsmasq as authoritative nameserver for the world? I hope 
Simon will correct me if I'm wrong, but I don't see that as a 
typical role for dnsmasq.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-24 Thread clemens fischer
/dev/rob0 wrote:

 On Thu, Jun 24, 2010 at 09:51:57AM +0100, Alberto Cuesta-Canada wrote:

 are there any plans of implementing Dynamic DNS for dnsmasq? 
  
 There is a perl script that adds that functionality here:
 http://psydev.syw4e.info/new/dynamic-dnsmasq/dynamic-dnsmasq.pl
 
 I don't understand all the desire to invent new protocols for dynamic 
 DNS. RFC 2136 handles it quite well. If dnsmasq were to add another
 protocol, it should be RFC 2136. Dyndns.org's protocol is not a 
 standard.
 
 Some years back, before I really understood 2136, I wrote a perl/CGI 
 frontend for nsupdate(8) which does something similar without 
 exposing another root-owned TCP socket to the world. By means of 
 permissions on a copy of the key, I was able to allow the httpd(8) 
 user to run nsupdate after authenticating the user.

I just skimmed through RFC 2136.  From a practical standpoint, it has
a serious flaw in sections 3.3.1 and 3.3.2:

  3.3.1. Next, the requestor's permission to update the RRs named in
  the Update Section may be tested in an implementation dependent
  fashion or using mechanisms specified in a subsequent Secure DNS
  Update protocol.

What good is such a drastic DNS operation when no authentication is
defined?  Other than that the RFC reads like a stripped down version of
nsupdate's technical manual (if such a thing exists).  The benefit to
not defining it there is that any mechanisms can be used.  Arriving at
this conclusion leaves us looking at eg. dyndns's protocol.  I think
it's one of the worst alternatives in this context:  dnsmasq often runs
in local link areas, where people can easily snoop the credentials, and
it mocks up an HTTP server, which is quite complicated for this task.

A much simpler approach would be for the client to send the
base64(sha1(user:password:hostname)) (a hash of user, password and
desired, preregistered hostname) to some special host and maybe wait for
the ACK.  That could be decoupled from dnsmasq, which is probably not
the right place to implement it.

Why not look at the existing dnsmasq option dhcp-script?  I never used
it, but it seems to provide what's needed provided all the dhcp clients
are automatically authorized to enter a name into the DNS.

 Another thing I'm not understanding is why is this needed? Are you 
 running dnsmasq as authoritative nameserver for the world? I hope 
 Simon will correct me if I'm wrong, but I don't see that as a 
 typical role for dnsmasq.

+1

I'm aware of DHCP options that let a client request a dynamic DNS
update, though.  The manual doesn't mention them.


clemens
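
As an added example (my own, not dnsmasq's code or any poster's) of the dhcp-script route mentioned above combined with the RFC 2136/TSIG approach discussed throughout the thread: a handler dnsmasq runs on each lease event that publishes the lease's name to an external authoritative server through nsupdate, signing with a TSIG key file. ZONE, NS_SERVER, KEY_FILE and TTL are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from dnsmasq or the thread: a --dhcp-script handler
# that forwards each lease event as an RFC 2136 update, signed with a TSIG
# key, to an authoritative server elsewhere. dnsmasq runs the script as
#   SCRIPT add|old|del MAC IP [HOSTNAME]
# ZONE, NS_SERVER, KEY_FILE and TTL are assumed placeholders.

ZONE=${ZONE:-example.test}
NS_SERVER=${NS_SERVER:-192.0.2.53}
KEY_FILE=${KEY_FILE:-/etc/dnsmasq/tsig-update.key}   # mode 0600, owned by the dnsmasq user
TTL=${TTL:-300}
NSUPDATE=${NSUPDATE:-nsupdate}

# The hostname is whatever the DHCP client sent in option 12, so it is
# untrusted input: only a single plain label is allowed into the zone.
valid_label() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# build_update ACTION IP HOSTNAME: print the nsupdate batch for one event.
# "add" (new lease) and "old" (lease seen again at startup, or changed) both
# assert the current address; "del" withdraws the name when the lease ends.
build_update() {
    action=$1 ip=$2 host=$3
    case $action in
        add|old|del) ;;
        *) return 2 ;;        # e.g. "tftp" events carry nothing to publish
    esac
    fqdn="${host}.${ZONE}"
    printf 'server %s\n' "$NS_SERVER"
    printf 'zone %s\n' "$ZONE"
    # delete first so a host that moved address never keeps two A records
    printf 'update delete %s A\n' "$fqdn"
    if [ "$action" != del ]; then
        printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
    fi
    printf 'send\n'
}

# handle_lease ACTION MAC IP [HOSTNAME]: dnsmasq's argument order. Leases
# without a hostname have nothing to publish. The key never appears on the
# command line; nsupdate reads it from KEY_FILE (-k) and signs the request.
handle_lease() {
    action=$1 ip=$3 host=${4:-}
    [ -n "$host" ] || return 0
    valid_label "$host" || { echo "dhcp-script: refusing hostname '$host'" >&2; return 2; }
    build_update "$action" "$ip" "$host" | "$NSUPDATE" -k "$KEY_FILE"
}

if [ $# -ge 3 ]; then
    handle_lease "$@"
fi
```

Configure it with dhcp-script=/path/to/this/script in dnsmasq.conf and run dnsmasq with a dedicated user so the key file is readable only by that account.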