Re: Quick dynamic DNS?
See draft-ietf-dnssd-srp

-- 
Mark Andrews

> On 25 Dec 2020, at 12:22, Grant Taylor via bind-users wrote:
>
> On 12/24/20 3:05 PM, Mark Andrews wrote:
>> SIG(0) is in future work for home net updating records added on a first come basis. It can also be used to update records added by other means as long as the KEY records were added at the same time.
>
> Would you please elaborate what you mean by "on a first come basis"? Is it simply the first person to put a KEY record, or someone that has knowledge thereof?
>
> Thank you for enlightening me.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Quick dynamic DNS?
On 12/24/20 3:05 PM, Mark Andrews wrote:
> TSIG, GSS-TSIG and SIG(0) are all secure mechanisms to update DNS zones.

Thank you for the follow up Mark.

It's good to know that they are secure mechanisms.

With all the churn in the TLS space, I can't keep up with it, much less have any idea how the concepts cross-pollinate to other things.

> MacOS uses TSIG to update the DNS.
> Windows uses GSS-TSIG in active directory.

*nod*

Jan-Piet Mens has a good article on this.

> SIG(0) is in future work for home net updating records added on a first come basis. It can also be used to update records added by other means as long as the KEY records were added at the same time.

Would you please elaborate what you mean by "on a first come basis"? Is it simply the first person to put a KEY record, or someone that has knowledge thereof?

Thank you for enlightening me.

-- 
Grant. . . .
unix || die
Re: Quick dynamic DNS?
TSIG, GSS-TSIG and SIG(0) are all secure mechanisms to update DNS zones.

MacOS uses TSIG to update the DNS.
Windows uses GSS-TSIG in active directory.

SIG(0) is in future work for home net updating records added on a first come basis. It can also be used to update records added by other means as long as the KEY records were added at the same time.

-- 
Mark Andrews

> On 25 Dec 2020, at 07:46, Grant Taylor via bind-users wrote:
>
> The only parting thoughts I'll add is that I don't know if TSIG keys are sufficiently secure, or if there is a better option. I've not looked in a while. -- I personally tend to isolate what can be changed with grant statements and consider it good enough. -- This is also where remotely executing nsupdate through SSH sort of elides this issue and makes things somewhat simpler.
Re: Quick dynamic DNS?
On 12/24/20 8:48 AM, @lbutlr wrote:
> That is what example.com always is, yes.

Sorry. I'm so used to people not using documentation domains that I double check that they aren't actually trying to literally use documentation domains internally.

It's a refreshing change to see documentation domains / IPs / networks used properly.

I tip my hat to you.

> As I said, it is authoritative for example.com.

ACK

> Yep.
> No, I just want my bind server to get updated with the external IP of my home connection when it changes and update the A pointer.

Okay. IMHO that's relatively easy to do. See Stanley's reply as it seems quite good.

About the only thing that I'd do differently is to use update-policy { ... } "grant" statements to more granularly control what the key can update. E.g. allow it to /only/ update A and / or records for the home.example.com name and nothing else.

An alternative to grant statements is to use a CNAME to yourself in a different sub-domain where you have carte blanche access to update. But, seeing as how the CNAME will reference explicitly one name, you have less of a security risk in the alias domain. E.g. home.example.com -> home.client1.ddns.example.com. Then give each client the ability to update its client#.ddns.example.com sub-domain.

> I just want to update the IP address in a single A record.

IMHO that makes this almost trivial once you know how to do it.

> Possibly, though that is certainly part of what I am asking.

*nod*nod*

> But the bind server doesn't know the new IP address?

SSH from rPI to bind9 and remotely run a command. Possibly extracting the IP from the SSH_{CLIENT,CONNECTION} environment variable. ;-)

> As I said. The bind server is at example.com. It is authoritative for example.com (and several other domains as well).

*nod*nod*nod*

I expect that many on this list have such systems at their disposal. }:-)

> At home I have a connection to an ISP and that connection MAY change since it is in a DHCP pool. I want to be able to update my DNS server so that "home.example.com" points to my home IP address.

Typical and quintessential use case.

> I have done this in the past with various dynamic DNS services (like DynDNS) where their software client would automatically update a custom subdomain of one of their domains like homeftp.net (they have many and which one isn't relevant) and then on the Bind server I would have, for example, in example.com,
>
> home CNAME lbutlr.homeftp.net. # example name, not real dynDNS address
>
> When the client updated my IP address, bind would simply relay connections to home.example.com to lbutlr.homeftp.net regardless of what the IP address was.
>
> What I want to do is eliminate the 3rd party service and client so that the bind server can simply have:
>
> home A 12.34.56.789 # obvs not a real IP

Aw ... no Test-Net IPs? :-P

IMHO what you're wanting to do is quite doable with a little bit of knowledge and trial and error. See Stanley's email for more details on said knowledge.

The only parting thoughts I'll add is that I don't know if TSIG keys are sufficiently secure, or if there is a better option. I've not looked in a while. -- I personally tend to isolate what can be changed with grant statements and consider it good enough. -- This is also where remotely executing nsupdate through SSH sort of elides this issue and makes things somewhat simpler.

-- 
Grant. . . .
unix || die
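As an added illustration of the update-policy "grant" approach suggested above, and not configuration taken from this thread or from BIND's own documentation, here is one zone stanza in both forms: the allow-update form, which lets the holder of the key change any record in the zone, and the scoped form, which restricts the key to one owner name and chosen record types. The key name home-key, the zone file path, the placeholder secret and the choice of AAAA alongside A are assumptions. BIND refuses to load a zone that has both allow-update and update-policy, so pick one.

```conf
// Hypothetical TSIG key. Generate a real one with:
//   tsig-keygen -a hmac-sha256 home-key
key "home-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // placeholder, not a real secret
};

zone "example.com" {
    type master;
    file "master/example.com";

    // Broad: anyone holding home-key may add or delete ANY record in
    // example.com, including the apex NS and MX records.
    // allow-update { key "home-key"; };

    // Scoped: home-key may only add or delete A and AAAA records whose owner
    // name is exactly home.example.com. "name" matches that owner only.
    update-policy {
        grant "home-key" name home.example.com. A AAAA;
        // For the CNAME-per-client alternative, give each client its own key and
        // use "subdomain" so the key covers everything under its own label:
        // grant "client1-key" subdomain client1.ddns.example.com. A AAAA;
    };

    // The zone is DNSSEC-signed, so named has to re-sign after every update;
    // these are the same settings that appear in the reply with the script.
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "/keys/example.com/";
};
```

With the scoped policy, a leaked or over-shared home-key is worth exactly one address record to an attacker; with allow-update it is worth the whole zone. Check the result with named-checkconf before reloading, and keep the secret file readable only by named.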
Re: Quick dynamic DNS?
What you want is a program on the rPI that will query the internet to find what the current outside address is and then send that to the bind9 server. There are several ways of doing this.

1) Use a service and have a CNAME pointing to the DNS entry of the service. Some examples:

https://www.dynu.com/DynamicDNS/IPUpdateClient/RaspberryPi-Dynamic-DNS
http://www.darwinbiler.com/dynamic-dns-using-raspberry-pi/

2) Use a custom script that will use nsupdate to update a dynamic zone on the bind9 server. This is what I have done. The script first queries the outside world for the ip address and then builds an nsupdate command set to send to the server. I am doing this on a CentOS box, but it should work on a rPI. I do use a key to prevent others from updating this record.

script
———
#!/bin/bash
# Servers: http://dynupdate.no-ip.com/ip.php, http://www.antedes.com/getip.php, ..?
# Less straightforward: http://checkip.dyndns.org/, ...
IPS=http://dynupdate.no-ip.com/ip.php
DNSP=/home/demouser/DNS_KEY

# First, retrieve the current public IP address
CURIP=$(curl -s "$IPS" | awk '{ print $1 }')
# Previously saved address (empty on the very first run)
OLDIP=$(cat "$DNSP/oldip" 2>/dev/null)
echo "$OLDIP"

# Compare to previously saved IP; nothing to do if it has not changed
[ "$CURIP" == "$OLDIP" ] && exit

# Remember the new address and append it to a dated history
echo "$CURIP" > "$DNSP/oldip"
echo "$(date) $CURIP" >> "$DNSP/oldips"
echo "$CURIP"

# If different, tell DNS: build an nsupdate batch that replaces the A record
echo "server mybind9serverIP" > "$DNSP/zone"
echo "zone dyn.example.com" >> "$DNSP/zone"
echo "update delete rpi.dyn.example.com. A" >> "$DNSP/zone"
echo "update add rpi.dyn.example.com. 3600 A $CURIP" >> "$DNSP/zone"
echo "show" >> "$DNSP/zone"
echo "send" >> "$DNSP/zone"
echo "before nsupdate"
# Sign the update with the key that the zone's allow-update statement names
/usr/bin/nsupdate -k "$DNSP/Krpi.dyn.example.com.+157+02083.private" "$DNSP/zone"

IN external - bind config entry

zone "dyn.example.com" {
    type master;
    file "master/external/dyn.example.com";
    allow-update { key rpi.dyn.example.com.; };
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "/keys/dyn.example.com/";
};
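A hardened version of the client side, added here as an example; it is not code from the reply above nor from BIND. The script in that reply trusts whatever the plain-http IP service returns and writes it straight into an nsupdate batch, and it decides whether to send an update from a local oldip file rather than from what DNS actually serves. The functions below validate the fetched address as a well-formed, publicly routable IPv4 (rejecting truncated output, HTML error pages, "1.2.3.4 update delete ..." style injection, and RFC 1918, loopback, link-local, CGNAT and multicast ranges), build the nsupdate batch, and only send when the authoritative answer differs. The HTTPS discovery URL, server address, key file path, zone and name are all assumptions. One further caveat on the reply's key file name: the 157 in Krpi.dyn.example.com.+157+02083.private is the algorithm number for HMAC-MD5; tsig-keygen defaults to hmac-sha256, and a new key should use that.

```shell
#!/bin/sh
# Hardened dynamic-DNS client (added example; every name and URL below is an assumption).
set -u

IP_SERVICE="https://ip.example.net/"   # hypothetical HTTPS endpoint that echoes the caller's IP
DNS_SERVER="192.0.2.53"                 # hypothetical authoritative server (TEST-NET-1)
ZONE="example.com."
NAME="home.example.com."
TTL=300
KEYFILE="/etc/ddns/home-key.key"        # hypothetical TSIG key file written by tsig-keygen

# Accept only a well-formed, publicly routable IPv4 address. Anything else is
# rejected before it can reach nsupdate.
valid_public_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, leading/trailing/double dots
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    case $ip in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;                            # "this" net, RFC 1918, loopback, link-local
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;                         # RFC 1918 172.16/12
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;  # CGNAT 100.64/10
        22[4-9].*|2[3-5][0-9].*) return 1 ;;                                       # multicast and reserved
    esac
    return 0
}

# Emit the nsupdate batch that replaces the A RRset for $3 with $5.
# Args: server zone fqdn ttl ip
build_nsupdate() {
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4" "$5"
}

# Ask the authoritative server directly (not a caching resolver) what it serves now.
current_a() {
    dig +short @"$1" "$2" A | head -n 1
}

sync_home_a() {
    raw=$(curl -fsS --max-time 10 "$IP_SERVICE") || { echo "ip lookup failed" >&2; return 1; }
    newip=$(printf '%s' "$raw" | tr -d '[:space:]')
    valid_public_ipv4 "$newip" || { echo "refusing bogus address: '$newip'" >&2; return 1; }
    oldip=$(current_a "$DNS_SERVER" "$NAME")
    [ "$newip" = "$oldip" ] && return 0          # DNS already correct, nothing to send
    build_nsupdate "$DNS_SERVER" "$ZONE" "$NAME" "$TTL" "$newip" | nsupdate -k "$KEYFILE"
}

# Only act when invoked as "sh ddns.sh run"; sourcing the file just defines the functions.
case ${1:-} in
    run) sync_home_a ;;
esac
```

Run it from cron on the rPI as `sh ddns.sh run`. The server side still needs the matching key statement and an allow-update or update-policy that names that key, and the key file must be readable only by the account the cron job runs as; with a scoped update-policy the worst a leaked key can do is repoint this one name.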
Re: Quick dynamic DNS?
On 23 Dec 2020, at 21:23, Grant Taylor via bind-users wrote:
> On 12/23/20 6:53 PM, @lbutlr wrote:
>> Given that I have an authoritative bind9 server for example.com and given that I have a home connection that is (technically) dynamic home.example.com what is the easiest way for me to automatically update the DNS on the rare occasions that it changes?
>
> I assume:
>
> 1) That example.com is a stand in for the real domain name(s)

That is what example.com always is, yes.

> 2) Your bind9 server is somewhere on the Internet

As I said, it is authoritative for example.com.

> 3) You are asking how to dynamically update it to change where home.example.com resolves to.

Yep.

>> The example.com domain is setup with DNSSEC and the home connection has a rPI already acting as an unbound/piHole server, if that helps.
>
> Are you wanting to do some sort of zone transfer from the rPI to BIND?

No, I just want my bind server to get updated with the external IP of my home connection when it changes and update the A pointer.

> Is home.example.com public or private? Can the world query it?

The world can reach my home connection, but no, the world cannot send DNS queries to it since it does not run an external DNS server (unbound is just a caching server, piHole is a DNS blocker that prevents LAN machines from reaching known bad hosts).

>> I used to use a dynamic DNS service, but I figure I have the tools available to do this all myself. What I am doing right now is just manually changing the IP.
>
> ACK
>
> I'm going to further assume:
>
> 4) That you have home.example.com delegated to the rPI at your house.

No, I just have home.example.com as an A record that points to my home IP address. There are no delegations and no subdomains for home.example.com.

> 5) That you want to dynamically update this delegation.

I just want to update the IP address in a single A record.

> You can use BIND's support for Dynamic DNS across the Internet. (I can't speak to the security of such.) I assume that you will be using something like TSIG keys or Kerberos to authenticate your Dynamic DNS updates. (Possibly even a VPN or the likes.)

Possibly, though that is certainly part of what I am asking.

> Or you can use nsupdate on the system hosting your public BIND DNS server.

But the bind server doesn't know the new IP address?

> Please clarify where the Dynamic DNS client will be in comparison to the BIND DNS server. Then we can get into the minutia of how to go about things.

As I said. The bind server is at example.com. It is authoritative for example.com (and several other domains as well).

At home I have a connection to an ISP and that connection MAY change since it is in a DHCP pool. I want to be able to update my DNS server so that "home.example.com" points to my home IP address.

I have done this in the past with various dynamic DNS services (like DynDNS) where their software client would automatically update a custom subdomain of one of their domains like homeftp.net (they have many and which one isn't relevant) and then on the Bind server I would have, for example, in example.com,

home CNAME lbutlr.homeftp.net. # example name, not real dynDNS address

When the client updated my IP address, bind would simply relay connections to home.example.com to lbutlr.homeftp.net regardless of what the IP address was.

What I want to do is eliminate the 3rd party service and client so that the bind server can simply have:

home A 12.34.56.789 # obvs not a real IP

-- 
I went to a restaurant that serves "breakfast at any time". So I ordered French Toast during the Renaissance.
Re: Quick dynamic DNS?
On 12/23/20 6:53 PM, @lbutlr wrote:
> Given that I have an authoritative bind9 server for example.com and given that I have a home connection that is (technically) dynamic home.example.com what is the easiest way for me to automatically update the DNS on the rare occasions that it changes?

I assume:

1) That example.com is a stand in for the real domain name(s)
2) Your bind9 server is somewhere on the Internet
3) You are asking how to dynamically update it to change where home.example.com resolves to.

> The example.com domain is setup with DNSSEC and the home connection has a rPI already acting as an unbound/piHole server, if that helps.

Are you wanting to do some sort of zone transfer from the rPI to BIND?

Is home.example.com public or private? Can the world query it?

> I used to use a dynamic DNS service, but I figure I have the tools available to do this all myself. What I am doing right now is just manually changing the IP.

ACK

I'm going to further assume:

4) That you have home.example.com delegated to the rPI at your house.
5) That you want to dynamically update this delegation.

You can use BIND's support for Dynamic DNS across the Internet. (I can't speak to the security of such.) I assume that you will be using something like TSIG keys or Kerberos to authenticate your Dynamic DNS updates. (Possibly even a VPN or the likes.)

Or you can use nsupdate on the system hosting your public BIND DNS server.

Please clarify where the Dynamic DNS client will be in comparison to the BIND DNS server. Then we can get into the minutia of how to go about things.

-- 
Grant. . . .
unix || die
Quick dynamic DNS?
Given that I have an authoritative bind9 server for example.com and given that I have a home connection that is (technically) dynamic home.example.com what is the easiest way for me to automatically update the DNS on the rare occasions that it changes?

The example.com domain is setup with DNSSEC and the home connection has a rPI already acting as an unbound/piHole server, if that helps.

I used to use a dynamic DNS service, but I figure I have the tools available to do this all myself. What I am doing right now is just manually changing the IP.

-- 
"There will always be women in rubber flirting with me."