LinuxQuestions.org
Old 03-29-2022, 12:33 AM   #1
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336

Rep: Reputation: 54
How to get dynamic DNS working?


I had this working before on another server but can't seem to get it working again on this newer server. Running Devuan 4 Chimaera.

I followed this tutorial:

http://www.btteknik.net/?p=143


Zone config:

Code:
#dynamic zones:
zone "example.com" IN { type master; file "/etc/bind/zones/example.com";

#allow-update {
#key ddns-key.example.com;
#127.0.0.1;
#};

update-policy {  grant ddns-key.example.com name example.com ANY;};

};




#dynamic zone keys:

key "ddns-key.example.com" {
        algorithm hmac-sha256;
        secret "[secret]";
};

But when I go to update I just get a badkey error.

Code:
;; TSIG PSEUDOSECTION:
ddns-key.example.com.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1648531231 300 0 21086 BADKEY 0
(example.com being my domain)


The way I update is a bit different as I'm trying to reuse a script from my previous server so maybe the commands or syntax changed? I don't quite understand the way they're doing it in that tutorial as they are referring to /etc/ddnsupdate.key which does not exist on my system and there's no indication as to what the file is supposed to be.

This is the relevant part of my update script:

Code:
echo "server 127.0.0.1" > .temp.txt
echo "zone example.com" >> .temp.txt
echo "key ddns-key.example.com [secret]" >> .temp.txt
echo "update delete dyn.example.com A" >> .temp.txt
echo "update add dyn.example.com 300 A ${CURIP}" >> .temp.txt
echo "send" >> .temp.txt

nsupdate -d .temp.txt
rm .temp.txt
If I type those commands manually I get the error too.

Though in the tutorial they do refer to a .key file... I don't have such a file? I just have the key inside the zone config, is there supposed to be another file to accompany it?


Also in the actual zone file, am I supposed to specify an A record with a dummy IP or leave it blank, for the subdomain I want to update? I tried with or without but it does not seem to make any difference. I got rid of the key stuff and doing IP based auth only and the update seems to work, ex: no errors, but it's not actually updating anything.

I might just make a script to edit the record file directly, probably easier.

Last edited by Red Squirrel; 03-29-2022 at 01:15 AM.
 
Old 03-29-2022, 04:57 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,170
Blog Entries: 1

Rep: Reputation: 2038
Quote:
But when I go to update I just get a badkey error.

;; TSIG PSEUDOSECTION:
ddns-key.example.com. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1648531231 300 0 21086 BADKEY 0
You should use the following notation for the key/secret pair:
Code:
echo "server 127.0.0.1" > .temp.txt
echo "zone example.com" >> .temp.txt
echo "key hmac-sha256:ddns-key.example.com [secret]" >> .temp.txt
echo "update delete dyn.example.com A" >> .temp.txt
echo "update add dyn.example.com 300 A ${CURIP}" >> .temp.txt
echo "send" >> .temp.txt

nsupdate -d .temp.txt
rm .temp.txt


Quote:
Though in the tutorial they do refer to a .key file... I don't have such a file? I just have the key inside the zone config, is there supposed to be another file to accompany it?
It's not needed in your case as you provide the key in your script. The file is used when you run "nsupdate -k keyfile ...", i.e. you don't provide the key inside .temp.txt.

In any case you can create that file yourself and just make sure it's readable by the user that runs named.
Based on the tutorial you followed the file should contain:
Code:
key "ddns-key.myhost.example.com" {
  algorithm hmac-sha256;
  secret "lLeySmmWp2TrF0qSlSyblQOp7wTTNxWoDkFYUaTyGtk=";
};
Regards
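An added example, not part of the thread: the debug output in the first post shows the request signed as hmac-md5 while the server's key is hmac-sha256, and the `nsupdate -k keyfile` form mentioned above states the algorithm in the key file and keeps the secret out of the batch. The function names, the key-file path and the address check on `CURIP` are assumptions of this example.

```shell
#!/bin/sh
# Added example: key name, paths and secret below are placeholders.

# Write a named.conf-style key statement readable by its owner only.
write_tsig_keyfile() {   # usage: write_tsig_keyfile PATH KEYNAME ALGORITHM SECRET
    ( umask 077
      printf 'key "%s" {\n  algorithm %s;\n  secret "%s";\n};\n' "$2" "$3" "$4" > "$1"
      chmod 600 "$1" )
}

# Accept only a dotted-quad IPv4 address, so a malformed or multi-line value
# cannot add extra commands to the batch.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# Print the nsupdate commands. There is no "key" line: the key comes from -k.
build_update_batch() {   # usage: build_update_batch SERVER ZONE HOST TTL IP
    is_ipv4 "$5" || { echo "refusing invalid address: $5" >&2; return 1; }
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4" "$5"
}

# Pipe the batch to nsupdate on stdin; nothing secret is written to a temp file.
ddns_update() {          # usage: ddns_update KEYFILE SERVER ZONE HOST TTL IP
    batch=$(build_update_batch "$2" "$3" "$4" "$5" "$6") || return 1
    printf '%s\n' "$batch" | nsupdate -k "$1"
}

# Example call (needs nsupdate and a key that matches the server's):
#   write_tsig_keyfile "$HOME/.ddns.key" ddns-key.example.com hmac-sha256 'PLACEHOLDER_SECRET'
#   ddns_update "$HOME/.ddns.key" 127.0.0.1 example.com dyn.example.com 300 "$CURIP"
```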
 
Old 03-29-2022, 05:40 PM   #3
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336

Original Poster
Rep: Reputation: 54
Thanks that seems to have fixed the error! Odd that it worked before.

Now the only issue I'm having is it does not seem to actually be doing anything. Ex: when I resolve the subdomain I get nothing. If I specify an A record in the actual record file I will get that IP only, and not the one that got changed. Is there something I need to do in the record file to indicate that the entry is dynamic?

EDIT:

I think the issue is with AppArmor. I get this error in the /var/log/messages log:

Code:
ted_mask="c" denied_mask="c" fsuid=108 ouid=108
Mar 29 17:57:55 server kernel: [2304942.807090] audit: type=1400 audit(1648591075.888:31): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/zones/example.com.jnl" pid=15610 comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=108 ouid=108

How do I go about allowing that write to take place?

Last edited by Red Squirrel; 03-29-2022 at 06:24 PM.
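An added example, not from the thread: a filter that reduces AppArmor `DENIED` audit lines to profile, path and the profile permission that would cover the denial, run on the two log lines from the post above. The function name is an assumption of this example; it reports the log masks `c` (create) and `d` (delete) as the rule permission `w`.

```shell
#!/bin/sh
# Added example, not from the thread: list what AppArmor denied, per profile.

# Reads syslog/audit lines on stdin; prints "profile path perm" once per
# distinct denial. Log masks c (create) and d (delete) are both covered by
# the w permission in a profile rule, so they are reported as w.
apparmor_denials() {
    awk '
    function field(k,    re) {
        re = k "=\"[^\"]*\""
        if (!match($0, re)) return ""
        return substr($0, RSTART + length(k) + 2, RLENGTH - length(k) - 3)
    }
    /apparmor="DENIED"/ {
        prof = field("profile"); path = field(" name"); mask = field("denied_mask")
        if (prof == "" || path == "") next      # truncated or non-file record
        perm = ""
        for (i = 1; i <= length(mask); i++) {
            c = substr(mask, i, 1)
            if (c == "c" || c == "d") c = "w"
            if (index(perm, c) == 0) perm = perm c
        }
        key = prof " " path " " perm
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# The two log lines from the post: the first is a cut-off fragment and is skipped.
SAMPLE_LOG='ted_mask="c" denied_mask="c" fsuid=108 ouid=108
Mar 29 17:57:55 server kernel: [2304942.807090] audit: type=1400 audit(1648591075.888:31): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/zones/example.com.jnl" pid=15610 comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=108 ouid=108'

if [ "${1:-}" = "--demo" ]; then printf '%s\n' "$SAMPLE_LOG" | apparmor_denials; fi
```

The reported path shows how narrow the profile rule can be: here only the journal file next to the zone file was refused.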
 
Old 03-29-2022, 08:10 PM   #4
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336

Original Poster
Rep: Reputation: 54
Ok I got it to work, it was multiple issues.

1: AppArmor rule was not set to allow writes to /etc/bind/zones (zones is a folder I made)

Edited /etc/apparmor.d/local/usr.sbin/named as follows:

Code:
/etc/bind/zones/* rw,
The zone config was also wrong. update-policy did not seem to work, used the allow-updates format instead:

Code:
allow-update {
key ddns-key.example.com;
127.0.0.1;
};

And lastly, I had to chmod 770 the zones folder so that it can write the jnl file.


So finally got it working. What a pain though, I wish they would document this better.
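An added example, not from the thread: in an `allow-update` list one matching element is enough, so an address entry such as `127.0.0.1` accepts updates from any local process without the TSIG key. This check lists such entries in a configuration; the function name is an assumption of this example, and it assumes no nested braces inside `allow-update` and only `#` or `//` comments.

```shell
#!/bin/sh
# Added example: flag allow-update entries that let a client skip TSIG.

# Reads named.conf text on stdin and prints each allow-update element that
# is not a "key <name>" reference (an address, network or ACL name).
audit_allow_update() {
    sed -e 's:#.*$::' -e 's://.*$::' | tr '\n' ' ' | awk '
    {
        rest = $0
        while (match(rest, /allow-update[ \t]*[{][^}]*[}]/)) {
            body = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            sub(/^allow-update[ \t]*[{]/, "", body)
            sub(/[}]$/, "", body)
            n = split(body, el, ";")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", el[i])
                if (el[i] != "" && el[i] !~ /^key[ \t]/)
                    print "not key-authenticated: " el[i]
            }
        }
    }'
}

# The zone stanza with the final allow-update block from the post above.
THREAD_CONFIG='zone "example.com" IN { type master; file "/etc/bind/zones/example.com";
allow-update {
key ddns-key.example.com;
127.0.0.1;
};
};'

if [ "${1:-}" = "--demo" ]; then printf '%s\n' "$THREAD_CONFIG" | audit_allow_update; fi
```

A narrower alternative is an `update-policy` grant whose `name` rule lists the record being updated (`dyn.example.com`), since `name` matches one exact owner name.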
 
  

