
This is a discussion on Dynamic DNS on vps in the VPS & Dedicated forum

  1. #1
    I need a coffee
    Join Date
    Jan 2007
    Location
    Serres, Greece
    Posts
    16

    Dynamic DNS on vps

    Hello people. This is somehow off topic but if anyone can answer this I would appreciate it.

    Ok, I was thinking to use my vps for something else except hosting. DNS (Bind 9.2.x) is
    running so I thought to use it for Dynamic DNS because I have lots of workstations everywhere
    with dynamic IPs and I don't want to use dyndns.org because a) I want mine & b) I want to learn this sh*t.

    Ok, let's roll. After enough (I believe) reading I found a howto at http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
    and followed it.
    I've made a key file first of all like this:
    Code:
    dnssec-keygen -a HMAC-MD5 -b 128 -n domain.com key-test
    where domain.com is the domain I want to use for dynamic dns.

    I get the key. Ok. Next,
    I followed the http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html howto
    and added these lines in my named.conf

    Code:
    key key-test {
            algorithm hmac-md5;
            secret "WXrQNiJTGpbYigrv1q7Z2Q==";
          };
    and of course in the zones:

    Code:
    zone "domain.com" {
            type master;
            file "/var/named/domain.com.db";
            allow-update { key key-test; };
    
    update-policy {
        grant * self * A TXT;
    };
    
    };
    and I added a domain.com.db like this:

    Code:
    $TTL 86400 ; 1 day
          @         IN      SOA     domain.com. ns1.domain.com. (
                                            2007052010 ; serial
                                            10800      ; refresh (3 hours)
                                            3600       ; retry (1 hour)
                                            1814400    ; expire (3 weeks)
                                            86400      ; minimum (1 day)
                                    )
          @                 NS      ns1.domain.com.
          @                 NS      ns2.domain.com.
    
          hostname  60      IN      A       10.11.12.13
    I believe on the server side I am ok. Now the client side.
    I didn't want to write a program from scratch to do the update so I searched
    sf.net and found a perfect one, ipupdate.
    ipupdate comes with an executable and a conf file. The conf file looks like this:

    Code:
    server "ns1.domain.com"
    {
    	zone "domain.com"
    	{
    		hosts "@,www,*"
    		keyname "key-test"
    		keydata "WXrQNiJTGpbYigrv1q7Z2Q=="   <<-- the key from the first action
    	}
    }

    Now, after restarting BIND with the new settings and enough experiments,
    when trying to update the zone I get this on the server side (in /var/log/messages):

    May 13 09:21:41 sky named[25688]:
    client my.client.ip.here#4460: updating zone 'domain.com/IN': update failed: not authoritative for update zone (NOTAUTH)

    and from the client side I get:

    C:\Documents and Settings\User\Desktop\ip>ipupdate
    getconfig: loading 'C:\Documents and Settings\User\Desktop\ip\ipupdate.conf'
    Detected IP: xxx.xxx.xxx.xxx <<--(my ip)
    checkip: server ns1.domain.com: dns error: Not Authenticated (BADKEY)
    checkip: zone domain.com: keyname is rejected by server

    Has anyone tried something like this before? (dynamic dns, either this way or not)

    Any feedback would be appreciated because I am stuck with this...

    Regards,
    Chris

  2. #2
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    642
    I've had a similar problem with another application that uses secure keys, the client always failed to authenticate with the server.

    I traced the problem down to the fact that the key is self-signed. For the keys to work you have two options:

    1) Get keys signed from a CA authority (Thawte, etc..)

    2) Become your own CA authority and issue your own keys

    3) Use CACERT (http://www.cacert.org) as a CA authority.

    For option 2 and 3 you still need to get the authority public key and add it in your trusted keys.

    Of course your problem could be completely different, but just in case it would be a good idea to check that authentication fails due to self-signed keys.

  3. #3
    I need a coffee
    Join Date
    Jan 2007
    Location
    Serres, Greece
    Posts
    16
    I don't even know if I'm missing something.
    Code:
    dnssec-keygen -a HMAC-MD5 -b 128 -n domain.com key-test
    creates 2 files. I only get the hash of the files (it's the same).
    I don't know if the whole file is necessary for something or to put
    in a directory etc.. Anyway I'll try again. (experiments)
    If I find a solution I'll post it.
    It's off topic but anyway, could be useful..


    Regards,
    Chris

  4. #4
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    642
    Code:
    GENERATED KEYS
           When dnssec-keygen completes successfully, it prints a  string  of  the
           form Knnnn.+aaa+iiiii to the standard output. This is an identification
           string for the key it has generated. These strings can be used as
           arguments to dnssec-makekeyset.
    
            nnnn is the key name.
    
            aaa is the numeric representation of the algorithm.
    
            iiiii is the key identifier (or footprint).
    
           dnssec-keygen creates two files, with names based on the printed string.
           Knnnn.+aaa+iiiii.key contains the public key, and
           Knnnn.+aaa+iiiii.private contains the private key.
    
    
           The  .key  file  contains  a DNS KEY record that can be inserted into a
           zone file (directly or with a $INCLUDE statement).
    
    
           The .private file contains algorithm specific fields. For obvious
           security reasons, this file does not have general read permission.
    
    
           Both  .key  and  .private  files are generated for symmetric encryption
           algorithm such as HMAC-MD5, even though the public and private key  are
           equivalent.
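
Added example, not part of the thread or of BIND: a short Python check that turns the `Knnnn.+aaa+iiiii` string and the `.private` file described in the man page excerpt into the `named.conf` key statement, and confirms a client config carries the same key name and secret. The key id `12345`, the three-field `.private` layout shown, and the function names are assumptions for illustration; the secret is the one posted in #1.

```python
import base64
import re

ALGORITHMS = {157: "hmac-md5"}  # 157 = HMAC-MD5 in dnssec-keygen file names

# Constructed sample; key id 12345 is a placeholder, the secret is the one posted above.
SAMPLE_IDENT = "Kkey-test.+157+12345"
SAMPLE_PRIVATE = """Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: WXrQNiJTGpbYigrv1q7Z2Q==
"""
SAMPLE_CLIENT = 'keyname "key-test"\nkeydata "WXrQNiJTGpbYigrv1q7Z2Q=="\n'

def parse_key_id(ident):
    """Split 'Knnnn.+aaa+iiiii' into (key name, algorithm number, key id)."""
    m = re.fullmatch(r"K(.+)\.\+(\d{3})\+(\d{5})", ident)
    if not m:
        raise ValueError("not a dnssec-keygen identification string: %r" % ident)
    return m.group(1), int(m.group(2)), int(m.group(3))

def read_secret(private_text):
    """Return the base64 value of the 'Key:' field of a .private file."""
    for line in private_text.splitlines():
        field, _, value = line.partition(":")
        if field.strip() == "Key":
            return value.strip()
    raise ValueError("no 'Key:' field in .private file")

def key_stanza(ident, private_text, expected_bits=128):
    """Build the named.conf key statement for a generated HMAC key."""
    name, alg, _ = parse_key_id(ident)
    if alg not in ALGORITHMS:
        raise ValueError("unsupported algorithm number %d" % alg)
    secret = read_secret(private_text)
    bits = len(base64.b64decode(secret, validate=True)) * 8
    if bits != expected_bits:
        raise ValueError("secret is %d bits, expected %d" % (bits, expected_bits))
    return 'key %s {\n    algorithm %s;\n    secret "%s";\n};\n' % (
        name, ALGORITHMS[alg], secret)

def client_matches(client_conf, name, secret):
    """True if keyname/keydata in the client config equal the server's key."""
    kn = re.search(r'keyname\s+"([^"]*)"', client_conf)
    kd = re.search(r'keydata\s+"([^"]*)"', client_conf)
    return bool(kn and kd
                and kn.group(1).rstrip(".").lower() == name.rstrip(".").lower()
                and kd.group(1) == secret)

if __name__ == "__main__":
    print(key_stanza(SAMPLE_IDENT, SAMPLE_PRIVATE))
    print(client_matches(SAMPLE_CLIENT, "key-test", read_secret(SAMPLE_PRIVATE)))
```

RFC 2845 defines BADKEY as the TSIG error for a key the server does not recognise, which is why the key name is compared as well as the secret.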
