unsecured mode -- easiest... so do this first.
Named4 requires 'dynamic controlled' in the /etc/named.boot file for all dynamic zones. For any given name/ipaddr pair, there should be two dynamic zones.
example named.boot
directory /etc/testdns
primary lab.net named.lab dynamic controlled
primary 10.100.in-addr.arpa 10.100.lab.rev dynamic controlled
primary 0.0.127.in-addr.arpa named.rev
cache . db.cache
Note: the keywords 'dynamic controlled' follow the two dynamic zones.
The zone files themselves need nothing special in them to make them dynamic. TIP: I do suggest making a backup copy of all the dynamic zones before making any dynamic updates, because ddns will reformat the zone files.
Keyed for secured mode -- more secure, more complicated.
procedure
1. generate the key
2. add the key to the zone
3. start named and check for errors
1. Pre-secured zones require a special entry in the form of a KEY record entry in each pre-secured zone. The key is generated by the nsupdate utility.
syntax for nsupdate key generation (placeholders taken from the sample below):
nsupdate -g -h <hostname> -p <primary server> -k <keyfile>
sample output:
# nsupdate -g -h lab.net -p carter -k /tmp/keyfile
[00000001] --- NSUPDATE Utility ---
[00000001] ---
.Key Gen ...[00000001] ... succeeded ...
# more /tmp/keyfile
lab.net carter XqKWqmft640P2DB/VRpD97T9qRbPW9EWEiWEqeGO/QE5UMx/8ktzbVlqsiWbXds/K
kELp7X6BfhXhYce40lPvYYVpAWQCxnowHTpyOLOokQW5xDF2tr+vTb9WTt0unrKeR+7p9ZXCEyq1PxpA
cHfztwNIc4iHJcOo/qtyEc1ZAyNqOprzQ7j0iV9Pmlnt0uJilpJPLeZ9Du7TBSEVR6AyCD+ZrRe2LwCz
PrRTEro/uc0omwvJOLdg+5FUFl8wkJqaa/hZb5U53Eqwa8a5+YZAGQ7AAcq96J8lD2hIbNl++XdpkAsj
EMvpQWZvDaRAHLT/Y5tEso5Itnt4QntxjOjFHpxPjIZugdXq2D7n0dxYxwUktIrRGfsjgcibWIHQbNZy
XKPaB+j0H3rMhxXwValwVQwa+ocaCZvB/gf8zY9fEeHanjLScSwfaZtHsBdVovHnZnsgzvJMC8= AQPb
sW0A37W0qDjb8z9rdxNTUAihur6Sv41VKRm9a57GTCYfMT1Dbs8mzto7RB7iyP2j3xmy6ZgWV+kgDMqP
VSxv
2. This is actually two keyfiles. The first starts after the domain name and the hostname with XqKW..... and six lines later ends at the MC8=. This key can be used in all dynamic zones on the carter.lab.net server (use your server name). The trick is to get it into the zone as one long line; if you cut-n-paste it, it will no longer be one line. There are two techniques for fixing this:
(a) vi the zone file, place your cursor on the line above where you want the key to appear, and use the :r vi subcommand to read in the /etc/keyfile, then edit the line down to the correct key.
(b) cut-n-paste the key into the vi session and use 'shift j' to join the broken lines.
Use whatever trick fits your ability, and when you're done it should look something like this (sample lab.data):
@ 9999999 IN SOA reagan.lab.net. root.reagan.lab.net. (
10003 360 30 360 640 ) ;Cl=2
IN NS reagan.lab.net.
IN KEY 0x0080 0 1 08DGU2BVcFRWJH+nTVpd9/EnkXTCG7jxrsc6uQuASAHHa
zmrhBHMrHYnSHlYVEDT59dFLTprE3MUkENaCvvOlWEThRte/s8k4oMP2v0vcFBXDOVQl7fSzIb5kievq
yHxirkQCH2VlLeU4qIPxSVjR6bmElzcvUpCEReg3ZecFUJvuH4x1XYWmrV7KPiAiNMaCQzSzvKDEdIHa
nUWuKSCB1hcr7T2rCXDQPxUDWGaSazwGXd1yhcs5hCvQjMK3cU6guW7QN//Ni87kGWK+rQsAP1Jie78j
9X374a65ozp0IsRTMvZdoGRPjCKXwGY368HXBrWgTiTE6C/7uIyr9VKEvMxbD+66LQuXlj0PbRo/cimT
cyVRWtj5TK+Ycl6NNAXV4RY92MGI+ov8eb/6HJION6INVxP17tpjCrPIH7D/sdHtF6NpgntlK3Fa4TkZ
ZRuEIr2bS9WvOk=
newname IN A 100.10.1.99
lbj 9999999 IN A 9.3.6.55
reagan 9999999 IN A 9.3.6.58
testbox IN A 100.10.10.99
carter 9999999 IN A 9.3.6.56
localhost 9999999 IN CNAME loopback.lab.net.
loopback 9999999 IN A 127.0.0.1
nixon 9999999 IN A 9.3.6.57
warbler 9999999 IN A 9.53.39.139
Note the KEY statement has this format:
IN KEY 0x0080 0 1 <...key...>
3. Make sure syslogd is logging output, start the nameserver and check for errors. See the Check the Nameserver section for syslog samples.
NOTE: Make sure you're using the right key! Starting with bos.net.tcp.server.4.3.3.10 or so, the zone files require the 80-byte key created as the second of the two keys generated with the nsupdate command. Syslog will report a format error on the KEY line if the wrong key is used.
sample error from syslog when bad key is loaded:
Aug 29 13:45:00 carter named[10212]: /etc/testdns/named.lab: line 4: database fo
rmat error (08DGU2BVcFRWJH+nTVpd9/EnkXTCG7jxrsc6uQuASAHHazmrhBHMrHYnSHlYVEDT59dF
LTprE3MUkENaCvvOlWEThRte/s8k4oMP2v0vcFBXDOVQl7fSzIb5kievqyHxirkQCH2VlLeU4qIPxSVj
R6bmElzcvUpCEReg3ZecFUJvuH4x1XYWmrV7KPiAiNMaCQzSzvKDEdIHanUWuKSCB1hcr7T2rCXDPxU
DWGaSazwGXd1yhcs5hCvQjMK3cU6guW7QN//Ni87kGWK+rQsAP1Jie78j9X374a65ozp0IsRTMvZdoGR
PjCKXwGY368HXBrWgTiTE6C/7uIyr9VKEvMxbD+66LQuXlj0PbRo/cimTcyVRWtj5TK+Ycl6NNAXV4RY
92MGI+ov8eb/6HJION6INVxP17tpjCrPIH7D/sdHtF6NpgntlK3Fa4TkZZRuEIr2bS9WvOk=)
Aug 29 13:45:00 carter named[10212]: primary zone "lab.net" rejected due to errors (serial 10003)
Named8 Configuration for DDNS
Named8 is a bit easier than named4. First make sure that /usr/sbin/named is linked to /usr/sbin/named8, or run named8 without using startsrc. There is no option for pre-secured zones, so putting KEY records into the zones is not allowed (which is what makes named8 easier :-).
sample named.conf for dynamic zones:
options {
forwarders { 9.3.248.2; };
forward only;
};
zone "lab.net" {
type master;
file "/etc/testdns/lab.data";
allow-update { any; };
};
zone "10.10.100.in-addr.arpa" {
type master;
file "/etc/testdns/100.10.rev";
allow-update { any; };
};
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/testdns/named.local";
};
zone "." in {
type hint;
file "/etc/testdns/db.cache";
};
A zone is made dynamic by putting 'allow-update { <address list>; };' within the zone container. Security is tightened by putting the ipaddress of the hosts that will be updating the DDNS instead of the word any. The zone files require nothing special to make them dynamic. TIP: Save a backup of the default zone files because nsupdates will alter the zone format.
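The same two dynamic zones with the update ACL tightened, as an added example that is not from the original page: the addresses are the loopback the dhcpaction8 trace sends to and the page's carter (9.3.6.56); substitute the hosts that actually run dhcpsd.

```conf
// assumed: only these hosts run dhcpsd / dhcpaction8 against this server
acl dhcp-updaters { 127.0.0.1; 9.3.6.56; };

zone "lab.net" {
    type master;
    file "/etc/testdns/lab.data";
    allow-update { dhcp-updaters; };   // was: allow-update { any; };
};
zone "10.10.100.in-addr.arpa" {
    type master;
    file "/etc/testdns/100.10.rev";
    allow-update { dhcp-updaters; };   // was: allow-update { any; };
};
```

With 'any', every host that can reach port 53 can rewrite the zone; the acl limits that to the named addresses, and named8's logging (below) still records each update.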
Check the nameserver
Named4
The first thing to do is start syslogd with *.debug logging to an output file. Everyone should know how to do this, so I will just show examples of what starting named4 looks like in the syslog output:
named4, unsecured mode:
Aug 29 13:00:48 carter named[10170]: starting. named 4.9.3 Tue Apr 13 20:10:03
CDT 1999:/ build@builder12.austin.ibm.com:/.../austin.ibm.com/fs/proj/p1/aix/aix43N/com1/CMVC/obj/power/tcpip/usr/sbin/named4
Aug 29 13:00:54 carter named[10170]: /etc/testdns/named.lab:2: decimal serial number interpreted as 10003
Aug 29 13:00:54 carter named[10170]: ! UNSECURE MODE ! Dynamic Zone "lab.net" (file
/etc/testdns/named.lab): no ZONE KEY R defined.
Aug 29 13:00:54 carter named[10170]: primary zone "lab.net" loaded (serial 10003)
Aug 29 13:00:54 carter named[10170]: /etc/testdns/10.100.lab.rev:2: decimal serial number interpreted as 10001
Aug 29 13:00:54 carter named[10170]: ! UNSECURE MODE ! Dynamic Zone "10.100.in-addr.arpa" (file
/etc/testdns/10.100.lab.rev): no ZONE KEY R defined.
Aug 29 13:00:54 carter named[10170]: primary zone "10.100.in-addr.arpa" loaded (serial 10001)
Aug 29 13:00:54 carter named[10170]: /etc/testdns/named.rev:2: decimal serial number interpreted as 10001
Aug 29 13:00:54 carter named[10170]: primary zone "0.0.127.in-addr.arpa" loaded (serial 10001)
Aug 29 13:00:54 carter named[15358]: Ready to answer queries.
Note the 'no ZONE KEY R defined' message. This is because no zone key record was defined (DUH!), thus the zone is loaded in unsecured mode. This is not an error, just a warning!
Named4, pre-secured with zone key records.
Aug 29 13:53:03 carter named[12402]: starting. named 4.9.3 Tue Apr 13 20:10:03
CDT 1999:/ build@builder12.austin.ibm.com:/.../austin.ibm.com/fs/proj/p1/aix/aix43N/com1/CMVC/obj/power/tcpip/usr/sbin/named4
Aug 29 13:53:09 carter named[12402]: primary zone "lab.net" loaded (serial 10003)
Aug 29 13:53:09 carter named[12402]: primary zone "10.100.in-addr.arpa" loaded (serial 10002)
Aug 29 13:53:09 carter named[12402]: /etc/testdns/named.rev:2: decimal serial number interpreted as 10001
Aug 29 13:53:09 carter named[12402]: primary zone "0.0.127.in-addr.arpa" loaded (serial 10001)
Aug 29 13:53:09 carter named[11442]: Ready to answer queries.
Note there is no mention about dynamic zones being loaded. Named will only warn you when it loaded in unsecured mode.
Named8 logging and syslog output
Syslog can be used for logging named8 messages, or named.conf can be configured to send logging messages to a separate file.
Here is the syslog output from starting named with dynamic zones:
Aug 29 14:09:09 carter named[11446]: starting. named 8.2.2-P5 Fri Mar 10 20:29:
01 CST 2000 build@pebbles.austin.ibm.com:/build/obj/power/tcpip/usr/sbin/named8
Aug 29 14:09:14 carter named[11446]: master zone "lab.net" (IN) loaded (serial 50516)
Aug 29 14:09:14 carter named[11446]: master zone "10.10.100.in-addr.arpa" (IN) loaded (serial 10016)
Aug 29 14:09:14 carter named[11446]: /etc/testdns/named.local:2: decimal serial number interpreted as 10001
Aug 29 14:09:14 carter named[11446]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 10001)
Aug 29 14:09:15 carter named[11446]: listening on [127.0.0.1].53 (lo0)
Aug 29 14:09:15 carter named[11446]: listening on [9.3.6.56].53 (et0)
Aug 29 14:09:15 carter named[11446]: Forwarding source address is [0.0.0.0].33678
Aug 29 14:09:15 carter named[12434]: Ready to answer queries.
Again, no mention of dynamic zones being loaded... that's the way it works, so good enough.
The second option is to configure named8 to log from the named.conf file. Here are sample named.conf entries to enable logging:
logging {
channel default_log {
severity info;
file "/etc/testdns/named.log";
print-category yes;
print-severity yes;
print-time yes;
};
category default { default_log; };
};
When this logging container is added to the named.conf then all named messages will go to /etc/testdns/named.log. Nifty, no? The output will look just like the syslog output.
NSLOOKUP
Once syslog shows that the nameserver is loading the zones, use nslookup to list the zones before testing zone updates.
Follow this example:
# nslookup
Default Server: ausname2.austin.ibm.com
Address: 9.53.183.2
> server 0 <-----change to the local server if necessary
Default Server: [0]
Address: 0.0.0.0
> ls lab.net
[[0]]
$ORIGIN lab.net.
@ 10m40s IN NS reagan
newname 10m40s IN A 100.10.1.99
lbj 16w3d17h46m39s IN A 9.3.6.55
reagan 16w3d17h46m39s IN A 9.3.6.58
carter 16w3d17h46m39s IN A 9.3.6.56
nixon 16w3d17h46m39s IN A 9.3.6.57
loopback 16w3d17h46m39s IN A 127.0.0.1
warbler 16w3d17h46m39s IN A 9.53.39.139
Success
>ls 10.100.in-addr.arpa
[[0]]
10.100.in-addr.arpa. 10m40s IN NS reagan
2.10.100.in-addr.arpa. 10m40s IN PTR host2
1.10.100.in-addr.arpa. 10m40s IN PTR host1
3.10.100.in-addr.arpa. 10m40s IN PTR host3
Success
>
Now we can be confident that the name server has loaded all the names in the zones and we can move to testing the zone updates.
Testing the server
The dhcpsd scripts
Dhcpsd is configured with the /etc/dhcpsd.cnf file. This file has two lines that, when uncommented, enable dynamic updates for the nameserver. The last two lines start with 'updatedns' and 'removedns', and these lines call the dhcpremove and dhcpaction scripts. These scripts actually call the nsupdate utility, which is rather complicated to use. The scripts are just an easy way of using nsupdate to add and remove names to the DNS. Also, the AIX 4.3 system by default is configured for using named4 nameservers. This is important only if you need to update a named8 nameserver. More on this later.
Important Configuration point: The dhcp scripts look to the /etc/resolv.conf to find the nameserver. Edit the /etc/resolv.conf and make sure the nameserver statement points to the DDNS.
command syntax (argument names taken from the script variables in the set -x trace below):
dhcpaction <hostname> <domainname> <ipaddr> <leasetime> <whichrecord> <shouldnim>
dhcpremove <ipaddr> <whichrecord> <shouldnim>
usage examples:
dhcpaction testhost lab.net 100.10.10.99 3600 BOTH NONIM
dhcpremove 100.10.10.99 BOTH NONIM
Important note: for a named8 server, the commands to use are dhcpaction8 and dhcpremove8. The syntax is exactly the same; the main difference is that the scripts call nsupdate8 instead of nsupdate.
Tricks for usage:
For verbose output from the script: edit dhcpaction(8) or dhcpremove(8) and add 'set -x' as the first line. This enables script debugging output.
sample output:
# dhcpaction8 testhost lab.net 100.10.10.200 3600 BOTH NONIM
+ hostname=testhost
+ domainname=lab.net
+ ipaddr=100.10.10.200
+ leasetime=3600
+ whichrecord=BOTH
+ shouldnim=NONIM
+ + awk {print $2}
+ /usr/sbin/namerslv -s -I
primaryname=127.0.0.1
+ [ -n lab.net ]
+ machname=testhost.lab.net
+ [ BOTH = BOTH ]
+ + echo 100.10.10.200
+ awk -F. {print $4"."$3"."$2"."$1".in-addr.arpa"}
REVERSED_IP=200.10.10.100.in-addr.arpa
+ /usr/sbin/nsupdate8
+ 1> /dev/null 2>& 1 + [ 0 -eq 1 ]
+ [ BOTH = BOTH ]
+ /usr/sbin/nsupdate8
+ 1> /dev/null 2>& 1 + [ 0 -eq 1 ]
+ + hostname
oldhostname=carter
+ [ carter = localhost ]
+ [ carter = ]
+ [ carter = testhost ]
+ [ NIM = NONIM ]
This doesn't help much, but it may be worth looking at.
Getting debug output from nsupdate and nsupdate8 from within the scripts:
Edit the dhcpaction scripts and add a -v after the two instances of the nsupdate commands to get verbose output, and redirect the output to a file.
example of edited nsupdate command from /usr/sbin/dhcpaction:
/usr/sbin/nsupdate -v -q -s"r;d;ptr;*;a;ptr;$machname.;s;$leasetime;3110400;x;q" -r $ipaddr -p $primaryname >>/tmp/nsupdate.out
and
/usr/sbin/nsupdate -v -q -s"r;d;a;*;a;a;$ipaddr;s;$leasetime;3110400;x;q" -h $machname -p $primaryname >>/tmp/nsupdate.out
link to sample of nsupdate.out
For /usr/sbin/dhcpaction8 and /usr/sbin/dhcpremove8, make the nsupdate8 entries look like so:
/usr/sbin/nsupdate8 -d >>/tmp/nsupdate8.out 2>&1 <<- EOF
link to sample nsupdate8.out
BIG GOTCHA: dhcpremove(8) requires that the PTR record exist before any action is taken. If an A record is added, it is not possible to remove it until the PTR entry is added. I always add and remove BOTH records with the commands.
The procedure for testing is thus:
1. start the nameserver, check for errors in syslog, fix and repeat until there are no errors, or the errors are acceptable
2. nslookup and list the zone to make sure the zone is loaded
3. run dhcpaction or dhcpaction8
4. use nslookup to list the name forward and back; continue if the name is not listed:
5. put 'set -x' in the dhcpaction(8) script, run the update again and check for errors
6. enable nsupdate(8) output with the -v or -d, run the update and check the output files for errors
Using nsupdate:
AIX 4.3.x provides /usr/sbin/nsupdate4 and /usr/sbin/nsupdate8. nsupdate4 is for named4 servers, and nsupdate8 is for named8 servers.
/usr/sbin/nsupdate is a link to /usr/sbin/nsupdate4 by default.
There are three ways to use nsupdate: interactively, by redirecting input to the command from a file, or from the command line.
nsupdate4 interactively:
# nsupdate -h testbox -d lab.net -p carter
[00000001] --- NSUPDATE Utility ---
[00000001]
.Enter Action (Add,Delete,Exists,New,TTL,Send,Quit)
.> add
---
InitDDNSUpdate ...[00000001] ... succeeded ...
[00000001] ..rrtype (A,PTR,CNAME,MX,KEY,HINFO,TXT): a
[00000001] ....ip addr: 100.10.10.99
DDNSUpdate_A (Add 0x640a0a63) ...[00000001] succeeded
.[00000001]
.Enter Action (Add,Delete,Exists,New,TTL,Send,Quit)
.> send
[00000001] ..sig Expiration (secs from now, ENTER for 3600 (1 hour)):
[00000001] ..sig KEY pad (ENTER for default of 3110400 (36 days)):
DDNSSignUpdate ...Using key for hostname [testbox.lab.net] and primary name [carter]
[00000001] succeeded
.DDNSSendUpdate ...[00000001] succeeded
.[00000001]
.Enter Action (Add,Delete,Exists,New,TTL,Send,Quit)
redirecting input from a file:
create a file with contents like so:
nsupd.dat:
a
a
100.10.10.99
s
3600
3110400
q
then run nsupdate like so, with the file as standard input:
nsupdate -h testbox -d lab.net -p carter < nsupd.dat
nsupdate8 interactively:
>update add testhost.domain.com 86400 IN A 10.1.1.99
>
>update add 99.10.10.100.in-addr.arpa 86400 IN PTR testhost.lab.net
>
>update add cname.lab.net 86400 IN CNAME testhost.lab.net
>
adding and removing records via command line (the \n gives the blank line that makes nsupdate8 send the update):
echo "update add testhost.domain.com 86400 IN A 10.1.1.99\n" | nsupdate8
echo "update add 99.3.2.1.in-addr.arpa 86400 IN PTR testhost.test.com\n" | nsupdate8
echo "update add cname.lab.net 86400 IN CNAME testhost.test.com\n" | nsupdate8
echo "update delete testhost.test.com IN A\n" | nsupdate8
echo "update delete 99.3.2.1.in-addr.arpa IN PTR\n" | nsupdate8
adding and removing with input from a file:
create a file with contents like so:
update add testhost.lab.net 86400 IN A 100.10.10.99

note: the blank line after the update entry.
then run nsupdate8 like so, with the file as standard input:
nsupdate8 -d < <file>
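The nsupdate8 batch format just described and the test procedure from the Testing the server section, as an added shell example that is not from the original page or from AIX's own dhcpaction8/dhcpremove8 scripts: it builds the same add and delete input the scripts feed to nsupdate8 through a heredoc and checks the result forward and back with nslookup. NS_SERVER, the function names and the testhost/lab.net/100.10.10.200 values are assumed or constructed.

```shell
#!/bin/sh
# Added example (not the page's or AIX's own dhcpaction8/dhcpremove8 script).
# Builds the nsupdate8 batch input the scripts feed through a heredoc and
# verifies the result with nslookup. NS_SERVER is an assumed variable; the
# hostname/domain/address values below are constructed samples.

NS_SERVER=${NS_SERVER:-127.0.0.1}   # the DDNS server named in /etc/resolv.conf

# 100.10.10.200 -> 200.10.10.100.in-addr.arpa (same awk the set -x trace shows)
reverse_name() {
    echo "$1" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}'
}

# nsupdate8 batch format: a blank line sends the preceding lines as one
# transaction, and a DNS UPDATE names a single zone, so the A record
# (forward zone) and the PTR record (reverse zone) are sent separately.
add_batch() {   # hostname domainname ipaddr leasetime
    rev=$(reverse_name "$3")
    printf 'update add %s.%s. %s IN A %s\n\n' "$1" "$2" "$4" "$3"
    printf 'update add %s. %s IN PTR %s.%s.\n\n' "$rev" "$4" "$1" "$2"
}

# Remove BOTH records, PTR first: dhcpremove(8) will not act unless the
# PTR exists, so never leave a forward record without its reverse.
delete_batch() {   # hostname domainname ipaddr
    rev=$(reverse_name "$3")
    printf 'update delete %s. IN PTR\n\n' "$rev"
    printf 'update delete %s.%s. IN A\n\n' "$1" "$2"
}

# Step 4 of the test procedure: the name must resolve forward and back.
verify() {   # hostname domainname ipaddr
    nslookup "$1.$2" "$NS_SERVER" 2>/dev/null | grep "$3" >/dev/null || return 1
    nslookup "$3" "$NS_SERVER" 2>/dev/null | grep "$1.$2" >/dev/null || return 1
}

# Usage: ./ddnstest.sh add|delete  (steps 3 and 6 of the procedure, keeping
# the nsupdate8 -d debug output in /tmp/nsupdate8.out as the page does)
case "$1" in
add)    add_batch testhost lab.net 100.10.10.200 3600 \
            | /usr/sbin/nsupdate8 -d >>/tmp/nsupdate8.out 2>&1
        verify testhost lab.net 100.10.10.200 \
            || echo "testhost not visible forward and back; see /tmp/nsupdate8.out" ;;
delete) delete_batch testhost lab.net 100.10.10.200 \
            | /usr/sbin/nsupdate8 -d >>/tmp/nsupdate8.out 2>&1 ;;
esac
```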
dhcpsd - Dynamic Host Configuration Protocol Server Daemon
This is the server daemon that is mostly used to make dns updates. To configure dhcpsd to update the dns, two lines are added to the dhcpsd.cnf file by removing the comment characters. Here are the two lines:
#updateDNS "/usr/sbin/dhcpaction '%s' '%s' '%s' '%s' PTR NONIM >>/tmp/updns.out 2>&1 "
#removeDNS "/usr/sbin/dhcpremove '%s' PTR NONIM >>/tmp/rmdns.out 2>&1 "
Note: If the server to be updated is running named8, then these lines need to be edited to call dhcpaction8 and dhcpremove8.
dhcpaction requires that the /etc/resolv.conf have a nameserver statement with the dynamic server's ipaddr.
The last word: check for apars, and get the latest filesets.
bos.net.tcp.server.4.3.3.13 is known to be bad as far as nsupdate goes... get the latest fileset.