====== DynDNS (RFC2136) ======

Official documentation: [[https://doc.powerdns.com/authoritative/dnsupdate.html]]

===== Enable DynDNS =====

To enable DynDNS, pdns.conf has to be edited.

  dnsupdate=yes

===== Generate a TSIG Key =====

Use pdnsutil to generate a new key. You have to give it a name (e.g. foobar) and choose an algorithm (e.g. hmac-md5).

  # pdnsutil generate-tsig-key foobar hmac-md5
  Create new TSIG key foobar hmac-md5 M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=

To check that it was created, use the list-tsig-keys command of pdnsutil.

  # pdnsutil list-tsig-keys
  foobar. hmac-md5. M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=

===== Import a TSIG Key =====

If you already have a TSIG key, for example because you are migrating from BIND, you can import it.

  pdnsutil import-tsig-key foobar hmac-md5 Y8bdON5YTiwCWF7YHSNkL6x=

===== Allow TSIG Update on a Zone =====

Allow the TSIG key foobar to update dyn.example.com.

  pdnsutil add-meta dyn.example.com TSIG-ALLOW-DNSUPDATE foobar

The source IP address is checked before the TSIG key. Because a TSIG key is required, all IP addresses can be allowed.

  pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 0.0.0.0/0
  pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM ::/0

===== Allow Update on a Zone for a Network Range =====

Allow clients from 192.0.2.0/24 and 2001:db8::/32 to update the records in the domain dyn.example.com.

  pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 192.0.2.0/24
  pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 2001:db8::/32

This can be combined with TSIG; then both requirements have to match (IP address and key).

===== Client Configuration =====

==== OPNsense ====

{{:apps:powerdns:opnsense_rfc2136_client.png|}}
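
Server-side check for the settings under "Allow TSIG Update on a Zone": opening ALLOW-DNSUPDATE-FROM to 0.0.0.0/0 or ::/0 is only safe while the zone also carries a TSIG-ALLOW-DNSUPDATE key. The script below is an added example, not part of the original page or of PowerDNS; the tab-separated input format, the SQL export shown in its comment and the zones lab.example.com and open.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page or from PowerDNS: flag zones whose
# ALLOW-DNSUPDATE-FROM covers every address while no TSIG-ALLOW-DNSUPDATE key
# is set, so that anyone could update them.
# Assumed input: tab-separated "zone<TAB>kind<TAB>content" rows, one metadata
# value per row, e.g. exported from a generic SQL backend with
#   SELECT d.name, m.kind, m.content
#   FROM domains d JOIN domainmetadata m ON m.domain_id = d.id;

audit_dnsupdate_meta() {
    report=$(awk -F '\t' '
        $2 == "ALLOW-DNSUPDATE-FROM" {
            seen[$1] = 1
            # Only the two catch-all ranges, written as on this page.
            if ($3 == "0.0.0.0/0" || $3 == "::/0")
                world[$1] = (world[$1] == "" ? $3 : (world[$1] "," $3))
        }
        $2 == "TSIG-ALLOW-DNSUPDATE" {
            seen[$1] = 1
            keys[$1] = (keys[$1] == "" ? $3 : (keys[$1] "," $3))
        }
        END {
            for (z in seen) {
                if ((z in world) && !(z in keys))
                    printf "FAIL %s: updates allowed from %s without a TSIG key\n", z, world[z]
                else if (z in keys)
                    printf "OK   %s: TSIG key required (%s)\n", z, keys[z]
                else
                    printf "INFO %s: restricted by source range only\n", z
            }
        }' | sort)
    [ -n "$report" ] && printf '%s\n' "$report"
    # Exit status 1 when at least one zone is open to unsigned updates.
    ! printf '%s\n' "$report" | grep -q '^FAIL '
}

# Constructed sample rows; lab.example.com and open.example.com are made up.
sample_meta() {
    printf '%s\t%s\t%s\n' \
        dyn.example.com ALLOW-DNSUPDATE-FROM 0.0.0.0/0 \
        dyn.example.com ALLOW-DNSUPDATE-FROM ::/0 \
        dyn.example.com TSIG-ALLOW-DNSUPDATE foobar \
        lab.example.com ALLOW-DNSUPDATE-FROM 192.0.2.0/24 \
        open.example.com ALLOW-DNSUPDATE-FROM 0.0.0.0/0
}

sample_meta | audit_dnsupdate_meta || echo "at least one zone accepts unsigned updates from any address"
```

Rows of other metadata kinds are ignored, so a full metadata export can be piped in unfiltered.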