Add info for dynamic DNS with TSIG

2025-04-01 17:24:22 -04:00 · 2025-04-01 17:24:22 -04:00 · 83a6f00b7b
commit 83a6f00b7b
parent ea4bf42669
7 changed files with 176 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 .env
 .DS_Store
-moeny.ai
+moeny.ai
+history.txt
--- a/README.md
+++ b/README.md
@ -19,4 +19,111 @@ sudo systemctl status bind9

 5. Check its syntax with `named-checkzone example.com /etc/bind/zones/example.com`.

-6. Restart bind9 with `sudo systemctl restart bind9`.
+6. Restart bind9 with `sudo systemctl restart bind9`.
+
+## Enable Dynamic DNS Updates with a TSIG key
+1. We will first need to generate a TSIG (Transaction Signature) key
+```bash
+sudo tsig-keygen -a HMAC-SHA256 key-name > /etc/bind/keys/tsig.key
+```
+
+This will create the key in `/etc/bind/keys/tsig.key`, assign it the name `key-name`, and generate a secret for it. The file will look something like this but with your name and secret:
+```
+key "key-name" {
+    algorithm hmac-sha256;
+    secret "NqG1yS23A0K2mCxl3zOaa+e1/UDr3J68u3w8Tg==";
+};
+```
+
+
+2. Create `/etc/bind/dnssec-policies.conf` with the following. Replace `moeny-policy` with your own name.
+```
+dnssec-policy "moeny-policy" {
+    keys {
+        ksk lifetime unlimited algorithm ecdsap256sha256;
+        zsk lifetime unlimited algorithm ecdsap256sha256;
+    };
+    max-zone-ttl 1d;
+    parent-ds-ttl 1d;
+    parent-propagation-delay 1h;
+    signatures-refresh 1d;
+    signatures-validity 30d;
+    signatures-validity-dnskey 30d;
+};
+```
+
+
+3. Add the following lines to your `/etc/bind/named.conf` to include the files we just created.
+```
+include "/etc/bind/keys/tsig.key";
+include "/etc/bind/dnssec-policies.conf";
+```
+
+You may also want to add logging:
+```
+logging {
+    channel update_debug {
+        file "/var/log/named/update_debug.log" versions 3 size 100m;
+        severity debug;
+        print-category yes;
+        print-severity yes;
+        print-time yes;
+    };
+    category update { update_debug; };
+    category security { update_debug; };
+    category database { update_debug; };
+};
+```
+
+
+4. Add the following lines to your `/etc/bind/named.conf.local` under the zone definition. Be sure to replace `key-name` and `moeny-policy` with your own names from `tsig.key` and `dnssec-policies.conf`.
+```
+allow-update { key "key-name"; };
+dnssec-policy "moeny-policy";
+inline-signing yes;
+```
+
+
+5. If your DNS server has Apparmor, it may prevent the named service from writing journal files in `/etc/bind/zones` and performing other required tasks. To prevent this issue add the content of [`usr.sbin.named`](apparmor-config/usr.sbin.named) in `/etc/apparmor.d/local/usr.sbin.named`. Also, ensure that the `bind` user has permissions to read and write to `/etc/bind/zones` to begin with.
+
+
+6. Restart `named` and `bind9`.
+```
+sudo systemctl restart named
+sudo systemctl status named
+sudo systemctl restart bind9
+sudo systemctl status bind9
+```
+
+
+7. You should now be ready to test the TSIG key on your DNS server, using the `nsupdate` command.
+```bash
+nsupdate -k /etc/bind/keys/tsig.key -d
+> server 127.0.0.1
+> debug yes
+> zone moeny.ai
+> update add test.moeny.ai 300 A 192.168.1.200
+> send
+> quit
+```
+
+This will add a record for `test.moeny.ai` which you can then check for with `dig @127.0.0.1 test.moeny.ai`. When ready to remove the record, run `nsupdate` again but issue a delete.
+```bash
+nsupdate -k /etc/bind/keys/tsig.key -d
+> server 127.0.0.1
+> debug yes
+> zone moeny.ai
+> update delete test.moeny.ai A
+> send
+> quit
+```
+
+From now on, you will want to use `nsupdate` or a similar utility to edit and interact with the zone file, rather than editing it directly. Also, note that you will now have a `.signed` zone file, as well as `.jnl` and potentially `.jbk` files in `/etc/bind/zones`. The journal files store pending dynamic updates before they are committed to the zone file.
+
+
+8. You may want to take a look at some info on [Journal Files](https://bind9.readthedocs.io/en/v9.16.24/advanced.html#the-journal-file).
+
+- `rndc freeze zone` stops dynamic updates and writes all changes from memory to disk.
+- `rndc thaw zone` re-enables dynamic updates and should be run after the freeze.
+- `rndc sync zone` forces an immediate sync of the in-memory zone to disk without freezing it.
+- `rndc sync -clean` is the same as `rndc sync`, but also removes journal files (*.jnl).
--- a/apparmor-config/usr.sbin.named
+++ b/apparmor-config/usr.sbin.named
@ -0,0 +1,19 @@
+# /etc/apparmor.d/local/usr.sbin.named
+
+# Site-specific additions and overrides for usr.sbin.named.
+/etc/bind/zones/** rw,
+/etc/bind/zones/moeny.ai.signed* rw,
+/etc/bind/zones/*.jnl rw,
+/var/cache/bind/dynamic/** rw,
+/etc/bind/zones/tmp-* rw,
+
+# Allow zone file operations
+/etc/bind/zones/ rw,
+/etc/bind/zones/** rwk,
+/etc/bind/zones/moeny.ai* rwk,
+/etc/bind/zones/tmp-* rwk,
+/var/log/named/ rw,
+/var/log/named/** rwk,
+/var/log/named.log rwk,
+/var/cache/bind/** rwk,
+/var/cache/bind/dynamic/** rwk,
--- a/dnssec-policies.conf
+++ b/dnssec-policies.conf
@ -0,0 +1,12 @@
+dnssec-policy "moeny-policy" {
+    keys {
+        ksk lifetime unlimited algorithm ecdsap256sha256;
+        zsk lifetime unlimited algorithm ecdsap256sha256;
+    };
+    max-zone-ttl 1d;
+    parent-ds-ttl 1d;
+    parent-propagation-delay 1h;
+    signatures-refresh 1d;
+    signatures-validity 30d;
+    signatures-validity-dnskey 30d;
+};
--- a/keys/tsig.key
+++ b/keys/tsig.key
@ -0,0 +1,5 @@
+# Sample TSIG key with placeholder secret - replace with a real TSIG key before use
+key "tsig-key" {
+    algorithm hmac-sha256;
+    secret "NqG1yS23A0K2mCxl3zOaa+e1/UDr3J68u3w8Tg==";
+};
--- a/named.conf
+++ b/named.conf
@ -0,0 +1,26 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/keys/tsig.key";
+include "/etc/bind/dnssec-policies.conf";
+
+logging {
+    channel update_debug {
+        file "/var/log/named/update_debug.log" versions 3 size 100m;
+        severity debug;
+        print-category yes;
+        print-severity yes;
+        print-time yes;
+    };
+    category update { update_debug; };
+    category security { update_debug; };
+    category database { update_debug; };
+};
--- a/named.conf.local
+++ b/named.conf.local
@ -10,4 +10,8 @@
 zone "moeny.ai" IN {
        type master;
        file "/etc/bind/zones/moeny.ai";
+        // Uncomment the 3 lines below if using a tsig key
+        // allow-update { key "tsig-key"; };
+        // dnssec-policy "moeny-policy";
+        // inline-signing yes;
 };