Seven long years ago on this very mailing list I asked for help. I got an excellent reply from none other than Paul Vixie:

    https://lists.isc.org/pipermail/bind-users/2004-May/050232.html

I was a bit overwhelmed at the time, and didn't quite grasp the niceties of nsupdate and RFC 2136, but in seven years, things begin to sink in. :) (Belated thanks, Paul, if as I suspect, you're still here.)

I did go ahead and make my dynamic subzone back then, but I didn't implement the proper nsupdate and key interface that I should have. Seems so obvious now: user generates a SIG(0) key and sends me the .key part (or, I generate the key and send her the .private part); I'll nsupdate

    update add <that-name>.my.dynamic.zone. $TTL KEY <keydata>

with my master key, and then the user can nsupdate and add/change records with a simple script.

    update-policy {
        grant my.dynamic.zone.key subdomain my.dynamic.zone ANY;
        grant * self * A TXT;
    };

Tested and working. :) (BTW the ARM could use some examples under Bv9ARM.ch06.html#dynamic_update_policies; I had to Google to find the "grant * self *" line.)

What I implemented back in '04 works pretty well for non-DNS-savvy users; it's a simple Web form that does password authentication. If username and password match, it runs a little shell script which nsupdates the zone with my master (TSIG) key. The Web form is wget(1)-able or can be used interactively.

With httpd and CGI, it's easy to get the connecting client's IP address. So my Web form passes that to the shell script, and that value is passed to nsupdate for the A record. Now I want to do it right, but I don't see a way for nsupdate to do what httpd does: autodetection of client IP address for nsupdate of its A record. I can script something on the client end to get the IP address, but if possible I'd prefer autodetection, which would be OS- and shell-agnostic. Is that possible?

A different matter, but slightly related: I want to use some of the SIG(0) keys for access control. Bv9ARM.ch04.html#id2571654 (the section entitled "SIG(0)") says this is possible, but I am not understanding how.

    "When a SIG(0) signed message is received, it will only be verified if the key is known and trusted by the server; the server will not attempt to locate and/or validate the key."

How do you tell the server to know and trust a SIG(0) key? Does the fact that the server is authoritative for my.dynamic.zone mean that having a KEY RR at keytest.my.dynamic.zone is known? No, that sounds more like "locat[ing] and/or validat[ing] the key." I suppose the server only needs the public key (.key) part, but I failed to find any named.conf(5) examples of a SIG(0) key for access.

And continuing on to the next slightly related matter: the SIG(0) section of Bv9ARM.ch04.html goes on to say: "The only tool shipped with BIND 9 that generates SIG(0) signed messages is nsupdate." So if I wanted my home server to be able to nsupdate with a SIG(0) key, that works, but I can't have my named use that key to AXFR or IXFR my zones?

-- 
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
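An added illustration of the key hand-off and update-policy described in the post (example code written for this page, not from the post or from BIND): it parses a dnssec-keygen style .key file, models the two grant rules, and builds the two nsupdate batches (the admin's KEY publication and the user's self-update). The .key line, the master key's identity name `my.dynamic.zone.key.` and the server name are assumptions; the parser expects the `owner IN KEY ...` form without a TTL field.

```python
import base64
# Constructed sample .key file for a SIG(0) host key (dnssec-keygen style).
# The owner name follows the post; flags, algorithm and base64 data are made up.
SAMPLE_KEY_FILE = (
    "keytest.my.dynamic.zone. IN KEY 512 3 10 "
    "AwEAAc3vZ2l0aHViZXhhbXBsZWtleWRhdGEx\n"
)
DYNAMIC_ZONE = "my.dynamic.zone."
MASTER_KEY_NAME = "my.dynamic.zone.key."  # identity of the master key (assumed name)

def parse_key_file(text):
    """Return (owner, flags, proto, alg, keydata) from .key text; ';' starts a comment."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if not fields:
            continue
        if len(fields) < 7 or fields[1:3] != ["IN", "KEY"]:
            raise ValueError("not a KEY record: %r" % line)
        keydata = "".join(fields[6:])
        base64.b64decode(keydata, validate=True)  # reject mangled key data early
        return fields[0], int(fields[3]), int(fields[4]), int(fields[5]), keydata
    raise ValueError("no KEY record found")

def is_subdomain(name, zone):
    return name == zone or name.endswith("." + zone)

def allowed_by_policy(signer, name, rtype):
    """Model of the two grant rules in the post's update-policy block."""
    # grant my.dynamic.zone.key subdomain my.dynamic.zone ANY;
    if signer == MASTER_KEY_NAME and is_subdomain(name, DYNAMIC_ZONE):
        return True
    # grant * self * A TXT;  (a signer may touch only its own name, A and TXT only)
    return signer == name and rtype in ("A", "TXT")

def admin_add_key_batch(key_text, server, ttl=3600):
    """nsupdate input that publishes the user's KEY RR, to be signed with the master key."""
    owner, flags, proto, alg, keydata = parse_key_file(key_text)
    if not allowed_by_policy(MASTER_KEY_NAME, owner, "KEY"):
        raise PermissionError("%s is outside %s" % (owner, DYNAMIC_ZONE))
    return "server %s\nzone %s\nupdate add %s %d KEY %d %d %d %s\nsend\n" % (
        server, DYNAMIC_ZONE, owner, ttl, flags, proto, alg, keydata)

def user_self_update_batch(owner, server, rtype, rdata, ttl=300):
    """nsupdate input the user feeds to 'nsupdate -k <their .private file>'."""
    if not allowed_by_policy(owner, owner, rtype):
        raise PermissionError("policy denies %s on %s" % (rtype, owner))
    return "server %s\nzone %s\nupdate delete %s %s\nupdate add %s %d %s %s\nsend\n" % (
        server, DYNAMIC_ZONE, owner, rtype, owner, ttl, rtype, rdata)
```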