Bind Dynamic Update Key Generation

Aug 08, 2012: Dynamic DNS with BIND and ISC DHCP Server

I decided to write a HOWTO about RFC 2136 dynamic DNS updates with the BIND DNS server and the ISC DHCP server. Automatic registration of DHCP client hostnames in DNS is something that is almost taken for granted nowadays. However, there are not too many good.

Here's the quick and dirty: on BIND9 with a dynamic zone that's shared between views, doing an nsupdate to update/create/delete a record will work fine if I query for that record from a client.


    To avoid making your entire production DNS subject to dynamic DNS updates, do the following for each certificate domain you want:

    1. In your main DNS infrastructure create a delegation: _acme-challenge.<domain>. NS <your-nameserver>.
    2. Create a new zone _acme-challenge.<domain> on <your-nameserver>, with an empty zonefile (just an SOA and NS record), writeable by the nameserver
    3. Create a new TSIG key: dnssec-keygen -r /dev/urandom -a hmac-sha512 -b 128 -n HOST <keyname>
    4. Enable dynamic updates on the _acme-challenge.<domain> zone with this key

    e.g. for bind9:

    This is a reasonably secure approach because each host gets its own key, and that key is only granted update rights on the _acme-challenge zones you have explicitly delegated, so a compromised host can obtain certificates only for the domains you have authorized it for. Two caveats on the key generation step: a 128-bit secret (-b 128) is shorter than the HMAC-SHA-512 output, so prefer -b 512 (or at least 256) if you use dnssec-keygen; and recent BIND releases (9.14 onward) no longer generate HMAC keys with dnssec-keygen and no longer accept its -r option, so use tsig-keygen -a hmac-sha512 <keyname> instead, which prints a ready-made key {} stanza with a full-length secret. Passing /dev/random instead of /dev/urandom does not make the key stronger on a modern kernel; it can only make the command block while waiting for entropy.

    An alternative approach is to use CNAMEs to put all your dynamic updates into a single zone. You will need to modify the script:


    You then need only a single zone acme.mydomain.com that accepts dynamic DNS updates, but you must add a static CNAME for _acme-challenge.<certname> pointing at _acme-challenge.<certname>.acme.mydomain.com for each certificate you want to issue. This works because the CA's resolver follows the CNAME when it looks up the challenge TXT record, so the hook script has to write the TXT record under the CNAME target, not under _acme-challenge.<certname> itself.
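As an added example (not code from the original wiki page or from any particular ACME client), the POSIX shell script below emits every artifact needed for both layouts described above: the delegation record, the empty zone file, the key and zone stanzas for named.conf with the key restricted to TXT records in its zone, the nsupdate batch for the delegated layout, and the static CNAME plus the modified update target for the single-zone variant. All names are hypothetical: example.com is the certificate domain, ns1.example.net the nameserver that accepts RFC 2136 updates, acme.example.com the single update zone of the CNAME variant, and acme-web01 the TSIG key name. Nothing in the script talks to a nameserver; the real nsupdate and dig invocations are shown in comments.

```shell
#!/bin/sh
# Added example, not from the original page. Hypothetical names throughout:
# example.com, ns1.example.net, acme.example.com, key name acme-web01.
set -eu

NS=ns1.example.net   # assumed: the nameserver that accepts RFC 2136 updates

# TSIG secret: random bytes, base64 encoded, which is all tsig-keygen does.
# 64 bytes = 512 bits, matching the HMAC-SHA-512 output size.
gen_tsig_secret() {
    head -c 64 /dev/urandom | base64 | tr -d '\n'
}

# key {} stanza for named.conf (and for nsupdate -k). $1 = key name, $2 = secret
key_stanza() {
    cat <<EOF
key "$1" {
    algorithm hmac-sha512;
    secret "$2";
};
EOF
}

# Delegated layout, step 1: static NS record for the parent (production) zone.
delegation_rr() {   # $1 = domain, $2 = nameserver
    printf '_acme-challenge.%s. IN NS %s.\n' "$1" "$2"
}

# Delegated layout, step 2: zone file with only SOA and NS. named must be able to
# write it and its .jnl journal, so put it in the directory named owns.
zone_file() {       # $1 = domain, $2 = nameserver
    cat <<EOF
\$TTL 60
@  IN SOA $2. hostmaster.$1. ( 1 3600 900 604800 60 )
@  IN NS  $2.
EOF
}

# Delegated layout, step 4: zone stanza granting the key update rights. update-policy
# limits the key to TXT records in this zone; allow-update { key "$2"; } would allow
# any record type, which the ACME hook does not need.
zone_stanza() {     # $1 = zone name, $2 = key name
    cat <<EOF
zone "$1" {
    type master;
    file "/var/lib/bind/$1.zone";
    update-policy { grant $2 zonesub TXT; };
};
EOF
}

# nsupdate batch adding or deleting the challenge TXT. Feed it to
#   nsupdate -k /etc/bind/acme-web01.key   (file containing the key {} stanza)
# $1 = owner name, $2 = zone, $3 = token, $4 = add|del
nsupdate_batch() {
    echo "server $NS"
    echo "zone $2"
    if [ "$4" = add ]; then
        echo "update add $1. 60 IN TXT \"$3\""
    else
        echo "update delete $1. IN TXT"
    fi
    echo "send"
}

# CNAME variant: static CNAME in the production zone ...
cname_rr() {        # $1 = certificate name, $2 = single update zone
    printf '_acme-challenge.%s. IN CNAME _acme-challenge.%s.%s.\n' "$1" "$1" "$2"
}
# ... and the owner name the hook must update instead of _acme-challenge.<certname>.
cname_target() {    # $1 = certificate name, $2 = single update zone
    printf '_acme-challenge.%s.%s' "$1" "$2"
}

main() {
    domain=example.com
    key=acme-web01
    secret=$(gen_tsig_secret)

    echo '## parent zone (static), delegated layout'
    delegation_rr "$domain" "$NS"
    echo '## named.conf'
    key_stanza "$key" "$secret"
    zone_stanza "_acme-challenge.$domain" "$key"
    echo "## /var/lib/bind/_acme-challenge.$domain.zone"
    zone_file "$domain" "$NS"
    echo '## nsupdate input, delegated layout'
    nsupdate_batch "_acme-challenge.$domain" "_acme-challenge.$domain" TOKEN add

    echo '## production zone (static), CNAME variant'
    cname_rr "www.$domain" "acme.$domain"
    echo '## nsupdate input, CNAME variant'
    nsupdate_batch "$(cname_target "www.$domain" "acme.$domain")" "acme.$domain" TOKEN add
    # Check from outside after the update: dig +short TXT _acme-challenge.www.example.com
    # A resolver follows the CNAME and returns "TOKEN" only if both records are in place.
}

main
```

Note that the grant uses the zonesub rule, which matches every name inside the zone the stanza belongs to; in the CNAME variant the same stanza applied to acme.example.com lets one key update the challenge record of every certificate name that has a CNAME into that zone, so the per-host isolation of the delegated layout is lost unless you add one grant per host with a name-restricted rule instead.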

