TSIG, GSS-TSIG and SIG(0) are all secure mechanisms to update DNS zones. MacOS uses TSIG to update the DNS.
Windows uses GSS-TSIG in Active Directory. SIG(0) is in future work for home net updating records added on a first-come basis. It can also be used to update records added by other means as long as the KEY records were added at the same time.

-- 
Mark Andrews

> On 25 Dec 2020, at 07:46, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
>
> On 12/24/20 8:48 AM, @lbutlr wrote:
>> That is what example.com always is, yes.
>
> Sorry. I'm so used to people not using documentation domains that I double check that they aren't actually trying to literally use documentation domains internally.
>
> It's a refreshing change to see documentation domains / IPs / networks used properly.
>
> I tip my hat to you.
>
>> As I said, it is authoritative for example.com.
>
> ACK
>
>> Yep.
>> No, I just want my bind server to get updated with the external IP of my home connection when it changes and update the A pointer.
>
> Okay. IMHO that's relatively easy to do. See Stanley's reply as it seems quite good.
>
> About the only thing that I'd do differently is to use update-policy { ... } "grant" statements to more granularly control what the key can update. E.g. allow it to /only/ update A and / or AAAA records for the home.example.com name and nothing else.
>
> An alternative to grant statements is to use a CNAME to yourself in a different sub-domain where you have carte blanche access to update. But, seeing as how the CNAME will reference explicitly one name, you have less of a security risk in the alias domain. E.g. home.example.com -> home.client1.ddns.example.com. Then give each client the ability to update its client#.ddns.example.com sub-domain.
>
>> I just want to update the IP address in a single A record.
>
> IMHO that makes this almost trivial once you know how to do it.
>
>> Possibly, though that is certainly part of what I am asking.
>
> *nod*nod*
>
>> But the bind server doesn't know the new IP address?
>
> SSH from rPI to bind9 and remotely run a command. Possibly extracting the IP from the SSH_{CLIENT,CONNECTION} environment variable. ;-)
>
>> As I said. The bind server is at example.com. It is authoritative for example.com (and several other domains as well).
>
> *nod*nod*nod*
>
> I expect that many on this list have such systems at their disposal. }:-)
>
>> At home I have a connection to an ISP and that connection MAY change since it is in a DHCP pool. I want to be able to update my DNS server so that "home.example.com" points to my home IP address.
>
> Typical and quintessential use case.
>
>> I have done this in the past with various dynamic DNS services (like DynDNS) where their software client would automatically update a custom subdomain of one of their domains like homeftp.net (they have many and which one isn't relevant) and then on the Bind server I would have, for example, in example.com,
>> home CNAME lbutlr.homeftp.net. # example name, not real dynDNS address
>> When the client updated my IP address, bind would simply relay connections to home.example.com to lbutlr.homeftp.net regardless of what the IP address was.
>> What I want to do is eliminate the 3rd party service and client so that the bind server can simply have:
>> home A 12.34.56.789 # obvs not a real IP
>
> Aw ... no Test-Net IPs? :-P
>
> IMHO what you're wanting to do is quite doable with a little bit of knowledge and trial and error. See Stanley's email for more details on said knowledge.
>
> The only parting thoughts I'll add is that I don't know if TSIG keys are sufficiently secure, or if there is a better option. I've not looked in a while. -- I personally tend to isolate what can be changed with grant statements and consider it good enough. -- This is also where remotely executing nsupdate through SSH sort of elides this issue and makes things somewhat simpler.
>
> --
> Grant. . . .
> unix || die
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
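A worked example of the setup Grant describes above: a TSIG key that the zone's update-policy "grant" statement restricts to A and AAAA records at home.example.com, and an nsupdate run that validates the address before signing and sending it, optionally taking the address from SSH_CONNECTION when run as an SSH command on the name server. This is an added example, not code from the thread or from ISC; the key name home-ddns-key, the key file path, the server name ns1.example.com, the zone file path and the 192.0.2.0/24 (TEST-NET-1) addresses are all assumptions.

```shell
#!/bin/sh
# Added example (not from the bind-users thread or from ISC). The key name,
# key file path, server name and zone file path below are assumed placeholders.
set -u

ZONE="example.com"
HOST="home.example.com"
KEYNAME="home-ddns-key"               # assumed TSIG key name
KEYFILE="/etc/bind/home-ddns.key"     # assumed path; the tsig-keygen output
SERVER="ns1.example.com"              # assumed primary server for the zone
TTL=300

# Server side (named.conf fragment): the key may touch only A/AAAA at one name.
# "grant <key> name <name> <types>" is the update-policy form Grant refers to;
# an update signed with this key for any other name or type is refused.
named_zone_stanza() {
    # $1 zone   $2 name the key may update   $3 key name
    cat <<EOF
zone "$1" {
    type primary;                 # "master" on BIND before 9.16
    file "/var/named/db.$1";      # assumed path
    update-policy {
        grant $3 name $2 A AAAA;
    };
};
EOF
}

# Client side: the script fed to nsupdate. Deleting the old A RRset and adding
# the new record happen in one signed transaction.
nsupdate_script() {
    # $1 server   $2 zone   $3 name   $4 address   $5 ttl
    cat <<EOF
server $1
zone $2
update delete $3 A
update add $3 $5 A $4
send
EOF
}

# Accept only a dotted quad with octets 0-255, so a bad value (an error page,
# "12.34.56.789") never reaches the zone.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# When the client reaches the name server over SSH (Grant's suggestion),
# SSH_CONNECTION holds "client_ip client_port server_ip server_port".
client_ip_from_ssh() {
    _conn="${1:-${SSH_CONNECTION:-}}"
    printf '%s\n' "${_conn%% *}"
}

# Validate, then sign and send the update with the TSIG key in $KEYFILE.
update_home_record() {
    if ! is_ipv4 "$1"; then
        printf 'refusing to publish "%s": not a valid IPv4 address\n' "$1" >&2
        return 1
    fi
    nsupdate_script "$SERVER" "$ZONE" "$HOST" "$1" "$TTL" | nsupdate -k "$KEYFILE"
}

# Entry point. Usage: ddns-update.sh <address>
#   or, as the command run over SSH on the name server: ddns-update.sh ssh
if [ "${1:-}" = ssh ]; then
    update_home_record "$(client_ip_from_ssh)"
elif [ -n "${1:-}" ]; then
    update_home_record "$1"
fi
```

On the server, `tsig-keygen home-ddns-key > /etc/bind/home-ddns.key` produces the key statement that both named.conf (via include) and the client's `nsupdate -k` read. The value of the grant line is that a key copied to a small home device can, even if it is lost, change nothing but the A/AAAA records of that one name; the validation step keeps a misread address from being signed and published with an otherwise correct key.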