Table of Contents
DynDNS (RFC2136)
Official documentation: https://doc.powerdns.com/authoritative/dnsupdate.html
Enable DynDNS
To enable dyndns, pdns.conf have to be edited.
- pdns.conf
dnsupdate=yes
Generate a TSIG Key
Use pdnsutil to generate a new key. You have to give it a name (eg. foobar) and choose an algorithm (eg. hmac-md5).
# pdnsutil generate-tsig-key foobar hmac-md5 Create new TSIG key foobar hmac-md5 M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=
To check if it was created you can use the list-tsig-keys command of pdnsutil.
# pdnsutil list-tsig-keys foobar. hmac-md5. M4JBOHlvnUAdhGsTsGKATStBQSbWlf4dXqQe1gIY/0g=
Import a TSIG Key
If you already have a TSIG generated, for example if you migrate from bind, you can import it.
pdnsutil import-tsig-key foobar hmac-md5 Y8bdON5YTiwCWF7YHSNkL6x=
Allow TSIG Update on a Zone
Allow the TSIG key foobar to update dyn.example.com.
pdnsutil add-meta dyn.example.com TSIG-ALLOW-DNSUPDATE foobar
Before the TSIG, the source ip address will be checked. Because a TSIG key is required, all ip addresses can be allowed.
pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 0.0.0.0/0 pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM ::/0
Allow Update on a Zone for a Network Range
Allow the clients from 192.0.2.0/24 and 2001:db8::/32 to update the records in the domain dyn.example.com.
pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 192.0.2.0/24 pdnsutil add-meta dyn.example.com ALLOW-DNSUPDATE-FROM 2001:db8::/32
This can be combined with TSIG, then both requirements have to match (ip address and key).
Client Configuration
OPNsense
