====== DynDNS (RFC2136) ======
Official documentation: [[https://doc.powerdns.com/authoritative/dnsupdate.html]]
===== Enable DynDNS =====
To enable DynDNS, edit pdns.conf and set:
  dnsupdate=yes
===== Generate a TSIG Key =====
Use pdnsutil to generate a new key. You have to give it a name (e.g. foobar) and choose an algorithm (e.g. hmac-md5).
  # pdnsutil generate-tsig-key foobar hmac-md5
  Create new TSIG key foobar hmac-md5 M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=
To check that it was created, use the list-tsig-keys command of pdnsutil.
  # pdnsutil list-tsig-keys
  foobar. hmac-md5. M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=
===== Import a TSIG Key =====
If you already have a TSIG key, for example when migrating from BIND, you can import it.
  pdnsutil import-tsig-key foobar hmac-md5 Y8bdON5YTiwCWF7YHSNkL6x=
===== Allow TSIG Update on a Zone =====
Allow the TSIG key foobar to update dyn.example.com.
  pdnsutil add-meta dyn.example.com TSIG-ALLOW-DNSUPDATE foobar
The source IP address is checked before the TSIG key. Because a TSIG key is required, all IP addresses can be allowed.
  pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 0.0.0.0/0
  pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM ::/0
===== Allow Update on a Zone for a Network Range =====
Allow clients from 192.0.2.0/24 and 2001:db8::/32 to update the records in the domain dyn.example.com.
  pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 192.0.2.0/24
  pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 2001:db8::/32
This can be combined with TSIG; in that case both requirements (IP address and key) have to match.
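The two checks described above (source address first, then TSIG key) can be modelled to review zone metadata before it goes live. This is an added example, not PowerDNS code: it is a simplified model that ignores global settings in pdns.conf, and the function names, finding codes and the zones range.example.com and open.example.com are hypothetical.

```python
import ipaddress

def _key(name):
    # pdnsutil lists key names with a trailing dot ("foobar."); compare without it.
    return name.rstrip(".").lower()

def update_allowed(meta, src_ip, tsig_key=None):
    """Model the two per-zone checks: source address first, then TSIG key."""
    addr = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(n) for n in meta.get("ALLOW-DNSUPDATE-FROM", [])]
    if not any(addr in n for n in nets):  # an IPv4 address never matches an IPv6 net
        return False
    keys = {_key(k) for k in meta.get("TSIG-ALLOW-DNSUPDATE", [])}
    if not keys:  # no key listed: the address check alone decides
        return True
    return tsig_key is not None and _key(tsig_key) in keys

def audit_zone(meta):
    """Return finding codes for one zone's DNS UPDATE metadata."""
    nets = [ipaddress.ip_network(n) for n in meta.get("ALLOW-DNSUPDATE-FROM", [])]
    keys = meta.get("TSIG-ALLOW-DNSUPDATE", [])
    if keys or not nets:
        return []
    if any(n.prefixlen == 0 for n in nets):
        return ["OPEN_TO_ALL"]   # 0.0.0.0/0 or ::/0 with no key required
    return ["ADDRESS_ONLY"]      # source address is the only control

# Constructed sample metadata mirroring the add-meta commands on this page.
ZONES = {
    "dyn.example.com": {    # any address, but key foobar required
        "ALLOW-DNSUPDATE-FROM": ["0.0.0.0/0", "::/0"],
        "TSIG-ALLOW-DNSUPDATE": ["foobar"],
    },
    "range.example.com": {  # hypothetical zone: network range only
        "ALLOW-DNSUPDATE-FROM": ["192.0.2.0/24", "2001:db8::/32"],
    },
    "open.example.com": {   # hypothetical mistake: TSIG line forgotten
        "ALLOW-DNSUPDATE-FROM": ["0.0.0.0/0", "::/0"],
    },
}

if __name__ == "__main__":
    for zone, meta in ZONES.items():
        print(zone, audit_zone(meta) or "ok")
```

A zone reported as OPEN_TO_ALL accepts updates from any address without a key, which is the state left behind if the ALLOW-DNSUPDATE-FROM commands are run but the TSIG-ALLOW-DNSUPDATE one is not.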
===== Client Configuration =====
==== OPNsense ====
{{:apps:powerdns:opnsense_rfc2136_client.png|}}