====== DynDNS (RFC2136) ======

Official documentation: [[https://doc.powerdns.com/authoritative/dnsupdate.html]]

===== Enable DynDNS =====

To enable dyndns, pdns.conf have to be edited.

<code - pdns.conf>
dnsupdate=yes
</code>

===== Generate a TSIG Key =====

Use pdnsutil to generate a new key. You have to give it a name (eg. foobar) and choose an algorithm (eg. hmac-md5).

<code ->
# pdnsutil generate-tsig-key foobar hmac-md5
Create new TSIG key foobar hmac-md5 M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=
</code>

To check if it was created you can use the list-tsig-keys command of pdnsutil.
<code ->
# pdnsutil list-tsig-keys
foobar. hmac-md5. M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=
</code>

===== Import a TSIG Key =====

If you already have a TSIG generated, for example if you migrate from bind, you can import it.

<code>
pdnsutil import-tsig-key foobar hmac-md5 Y8bdON5YTiwCWF7YHSNkL6x=
</code>

===== Allow TSIG Update on a Zone =====

Allow the TSIG key foobar to update dyn.example.com.
<code>
pdnsutil add-meta dyn.example.com TSIG-ALLOW-DNSUPDATE foobar
</code>

Before the TSIG, the source ip address will be checked. Because a TSIG key is required, all ip addresses can be allowed.
<code>
pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 0.0.0.0/0
pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM ::/0
</code>

===== Allow Update on a Zone for a Network Range =====

Allow the clients from 192.0.2.0/24 and 2001:db8::/32 to update the records in the domain dyn.example.com.
<code>
pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 192.0.2.0/24
pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 2001:db8::/32
</code>

This can be combined with TSIG, then both requirements have to match (ip address and key).

===== Client Configuration =====
==== OPNsense ====

{{:apps:powerdns:opnsense_rfc2136_client.png|}}