DynDNS (RFC2136)

Official documentation: https://doc.powerdns.com/authoritative/dnsupdate.html

Enable DynDNS

To enable DynDNS, edit pdns.conf.

pdns.conf
dnsupdate=yes

Generate a TSIG Key

Use pdnsutil to generate a new key. You have to give it a name (e.g. foobar) and choose an algorithm (e.g. hmac-md5).

# pdnsutil generate-tsig-key foobar hmac-md5
Create new TSIG key foobar hmac-md5 M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=

To check if it was created you can use the list-tsig-keys command of pdnsutil.

# pdnsutil list-tsig-keys
foobar. hmac-md5. M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=

Import a TSIG Key

If you already have a TSIG key, for example because you are migrating from BIND, you can import it.

pdnsutil import-tsig-key foobar hmac-md5 Y8bdON5YTiwCWF7YHSNkL6x=

Allow TSIG Update on a Zone

Allow the TSIG key foobar to update dyn.example.com.

pdnsutil add-meta dyn.example.com TSIG-ALLOW-DNSUPDATE foobar

The source IP address is checked before the TSIG key. Because a TSIG key is required, all IP addresses can be allowed.

pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 0.0.0.0/0
pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM ::/0

Allow Update on a Zone for a Network Range

Allow the clients from 192.0.2.0/24 and 2001:db8::/32 to update the records in the domain dyn.example.com.

pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 192.0.2.0/24
pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 2001:db8::/32

This can be combined with TSIG; in that case both requirements have to match (IP address and key).
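
A model of the checks described in the two sections above, added here as an example (it is not PowerDNS code and not part of the original page): it applies the source-address check, then the key check, and flags zones that accept updates from every address without a TSIG key. The metadata dictionaries, the zones lan.example.com and open.example.com, and the function names are constructed for illustration; TSIG signature verification and the server's global settings are not modelled, so a zone with no ALLOW-DNSUPDATE-FROM entry is treated as denied.

```python
import ipaddress

def _nets(meta):
    return [ipaddress.ip_network(r) for r in meta.get("ALLOW-DNSUPDATE-FROM", [])]

def _keys(meta):
    # list-tsig-keys prints names with a trailing dot ("foobar."); compare without it
    return {k.rstrip(".").lower() for k in meta.get("TSIG-ALLOW-DNSUPDATE", [])}

def update_allowed(meta, src_ip, tsig_key=None):
    """Return True if an update from src_ip (optionally naming tsig_key) passes."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in _nets(meta)):
        return False              # the source address is checked first
    keys = _keys(meta)
    if not keys:
        return True               # no key configured: the address match is enough
    return tsig_key is not None and tsig_key.rstrip(".").lower() in keys

def audit(zones):
    """List zones that allow every source address but name no TSIG key."""
    findings = []
    for zone, meta in zones.items():
        world = [str(n) for n in _nets(meta) if n.prefixlen == 0]
        if world and not _keys(meta):
            findings.append((zone, world))
    return findings

# Constructed sample metadata (kind -> list of values), not pdnsutil output
ZONES = {
    "dyn.example.com": {"ALLOW-DNSUPDATE-FROM": ["0.0.0.0/0", "::/0"],
                        "TSIG-ALLOW-DNSUPDATE": ["foobar"]},
    "lan.example.com": {"ALLOW-DNSUPDATE-FROM": ["192.0.2.0/24", "2001:db8::/32"]},
    # same ranges as dyn.example.com, but the key metadata is missing
    "open.example.com": {"ALLOW-DNSUPDATE-FROM": ["0.0.0.0/0", "::/0"]},
}

if __name__ == "__main__":
    for zone, world in audit(ZONES):
        print(f"{zone}: updates accepted from {', '.join(world)} without a TSIG key")
```

The audit result shows why the 0.0.0.0/0 and ::/0 entries are only safe while the TSIG-ALLOW-DNSUPDATE metadata stays in place on the same zone.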

Client Configuration

OPNsense