# DNS update support
To make your backend DNS update compatible, it needs to implement a number of new functions, as well as functions already used for slave operation. The new functions are not specific to DNS update and might be used for other update/remove functionality at a later stage.
```
class DNSBackend {
public:
  /* ... */
  virtual bool listSubZone(const string &name, int domain_id);
};
```
This method is needed to rectify a zone after NS records have been added: for DNSSEC, PowerDNS needs to know which records sit below the record that was just added. `listSubZone()` is used like `list()`, which means PowerDNS will call `get()` after this method. The default SQL query looks something like this:
```
// First %s is 'sub.zone.com', second %s is the LIKE pattern '%.sub.zone.com'
select content,ttl,prio,type,domain_id,name from records where (name='%s' OR name like '%s') and domain_id=%d
```
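The query above, run against a constructed SQLite `records` table, as an added example (not PowerDNS code): it shows which rows a backend must return for a freshly delegated name, why the LIKE pattern has to begin with `%.` (a bare `%` prefix also matches look-alike names such as `notsub.zone.com`), and why a `_` in the name has to be escaped. The zone data, domain ids and the `list_sub_zone` / `list_sub_zone_naive` helpers are assumptions made for this example.

```python
# Added example, not PowerDNS code: the listSubZone()-style query from this
# page, run against a constructed SQLite 'records' table.
import sqlite3


def make_db():
    """Constructed sample data: 'zone.com' is domain_id 7; domain 8 is an
    unrelated zone that happens to contain a record with the same name."""
    db = sqlite3.connect(":memory:")
    db.execute("create table records (domain_id int, name text, type text, "
               "content text, ttl int, prio int)")
    rows = [
        (7, "zone.com", "SOA", "ns1.zone.com hostmaster.zone.com 1 3600 600 86400 300", 3600, 0),
        (7, "zone.com", "NS", "ns1.zone.com", 3600, 0),
        (7, "sub.zone.com", "NS", "ns1.sub.zone.com", 3600, 0),   # the delegation just added
        (7, "ns1.sub.zone.com", "A", "192.0.2.53", 3600, 0),      # glue below it
        (7, "www.sub.zone.com", "A", "192.0.2.80", 3600, 0),      # now occluded by the delegation
        (7, "notsub.zone.com", "A", "192.0.2.99", 3600, 0),       # look-alike, NOT below sub
        (8, "www.sub.zone.com", "A", "203.0.113.1", 3600, 0),     # other zone, same name
    ]
    db.executemany("insert into records values (?,?,?,?,?,?)", rows)
    return db


def list_sub_zone(db, name, domain_id):
    """Parameterised form of the page's default query: the name itself plus
    everything ending in '.' + name, restricted to one domain_id. A '_' in a
    name (think _dmarc) is a single-character LIKE wildcard, so it is escaped."""
    pattern = "%." + name.replace("_", r"\_")
    cur = db.execute(
        "select content,ttl,prio,type,domain_id,name from records "
        "where (name=? or name like ? escape '\\') and domain_id=?",
        (name, pattern, domain_id))
    return sorted((r[5], r[3]) for r in cur)


def list_sub_zone_naive(db, name, domain_id):
    """Same query with the pattern '%' + name (no dot): over-matches 'notsub.zone.com'."""
    cur = db.execute(
        "select name,type from records where (name=? or name like ?) and domain_id=?",
        (name, "%" + name, domain_id))
    return sorted(cur)
```

`list_sub_zone(make_db(), "sub.zone.com", 7)` returns the NS record at the delegation point and the two names below it, and nothing from domain 8; the naive variant additionally returns `notsub.zone.com`, which would be rectified as if it were occluded by the delegation.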
## ALLOW-DNSUPDATE-FROM
This setting has the same function as the configuration option described [above](#configuration-options), but per zone. Only one item (address or netmask) is allowed per row; add multiple rows to allow several. An example:
```
sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, 'ALLOW-DNSUPDATE-FROM', '198.51.100.0/8');
```
## TSIG-ALLOW-DNSUPDATE
This setting allows you to set the TSIG key required to do a DNS update. An example:
```
sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
sql> select id from domains where name='example.org';
5
```
An example of how to use a TSIG key with the **nsupdate** command:
```
nsupdate <<!
server <ip> <port>
zone example.org
!
```
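What **nsupdate** does with the key it is given, modelled with the Python standard library as an added example (this is not nsupdate or PowerDNS code): a minimal RFC 2136 UPDATE message is built, a TSIG record (RFC 2845) with an HMAC-MD5 MAC is appended, and the signed message is verified the way a server holding the `test` tsigkeys row from this page would verify it, including the BADKEY, BADSIG and BADTIME outcomes. The key name `test` and its secret are the page's; the zone content, message id and the function names are assumptions made for this example.

```python
# Added example, not PowerDNS or nsupdate code: TSIG (RFC 2845) signing and
# verification of an RFC 2136 UPDATE with HMAC-MD5, standard library only.
import base64
import hmac
import struct
import time

TSIG_ALG = "hmac-md5.sig-alg.reg.int."   # the RFC 2845 name of 'hmac-md5'
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
KEYRING = {"test": "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}  # the page's tsigkeys row


def wire_name(name):
    """Uncompressed, lower-cased wire form (TSIG digests names in canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(buf, pos):
    """Read an uncompressed name; returns (text with trailing dot, position after it)."""
    labels = []
    while buf[pos]:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def build_update(zone, rr_name, ipv4, ttl=300, msg_id=0x1234):
    """UPDATE (opcode 5): one zone entry, no prerequisites, one 'add A record'."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_sec = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = wire_name(rr_name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + rr


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The TSIG fields that are digested together with the message (RFC 2845 3.4.2)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(TSIG_ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, secret_b64, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned message and bump ARCOUNT."""
    ts = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + tsig_variables(keyname, ts, fudge), "md5").digest()
    rdata = (wire_name(TSIG_ALG)
             + struct.pack("!HIHH", ts >> 32, ts & 0xFFFFFFFF, fudge, len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))          # original ID, error, other len
    rr = wire_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed, keyring, now=None):
    """Return (ok, rcode_name): TSIG must be the last RR, the key must be known,
    the MAC must match the message without the TSIG RR, the time must be within fudge."""
    counts = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(counts[0]):                        # zone section: name + type + class
        pos = read_name(signed, pos)[1] + 4
    tsig_at = None
    for section, n in enumerate(counts[1:], 1):       # prerequisite, update, additional
        for _ in range(n):
            start = pos
            pos = read_name(signed, pos)[1]
            rtype, _, _, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
            pos += 10 + rdlen
            tsig_at = start if section == 3 and rtype == TYPE_TSIG else None
    if tsig_at is None or pos != len(signed):
        return False, "NOTSIG"                        # unsigned, or TSIG not the last RR
    keyname, p = read_name(signed, tsig_at)
    alg, p = read_name(signed, p + 10)                # skip type, class, ttl, rdlength
    hi, lo, fudge, macsize = struct.unpack("!HIHH", signed[p:p + 10])
    p += 10
    mac, p = signed[p:p + macsize], p + macsize
    original_id = signed[p:p + 2]
    secret = keyring.get(keyname.lower().rstrip("."))
    if secret is None or alg != TSIG_ALG:
        return False, "BADKEY"
    ts = (hi << 32) | lo
    unsigned = (original_id + signed[2:10] + struct.pack("!H", counts[3] - 1)
                + signed[12:tsig_at])
    expect = hmac.new(base64.b64decode(secret),
                      unsigned + tsig_variables(keyname, ts, fudge), "md5").digest()
    if not hmac.compare_digest(mac, expect):
        return False, "BADSIG"
    if abs((int(time.time()) if now is None else now) - ts) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"
```

`tsig_sign(build_update("example.org", "host.example.org", "192.0.2.10"), "test", KEYRING["test"])` produces the wire message nsupdate would send for the `key test ...` directive; flipping a single byte of the update, signing with another secret, or replaying the message outside the fudge window is rejected by `tsig_verify` with the corresponding TSIG error name.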
## FORWARD-DNSUPDATE
See [Section 1, “Configuration options”](dnsupdate.html#dnsupdate-configuration "1. Configuration options") for what it does; this metadata item applies the same behaviour per domain.
```
sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, 'FORWARD-DNSUPDATE', '');
```
An example of setting SOA-EDIT-DNSUPDATE (here to INCREASE):
```
sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, 'SOA-EDIT-DNSUPDATE', 'INCREASE');
```
## Setting up dhcpd
We're going to use a TSIG key to secure the updates. Generate one with the following command:
```
dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpdupdate
```
This generates two files (Kdhcpdupdate.\*.key and Kdhcpdupdate.\*.private). You're interested in the .key file:
```
# ls -l Kdhcp*
-rw------- 1 root root 53 Aug 26 19:29 Kdhcpdupdate.+157+20493.key
-rw------- 1 root root 165 Aug 26 19:29 Kdhcpdupdate.+157+20493.private
```
Using the details from the key you've just generated, add the following to your dhcpd.conf:
```
key "dhcpdupdate" {
  algorithm hmac-md5;
  secret "FYhvwsW1ZtFZqWzsMpqhbg==";
};
```
You must also tell dhcpd that you want dynamic DNS to work; add the following section:
```
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
```
Per subnet, you also have to tell **dhcpd** which (reverse) domain it should update and which master DNS server that domain is served from.
```
ddns-domainname "example.org";
ddns-rev-domainname "in-addr.arpa.";
```
Enable DNS update (RFC 2136) support in PowerDNS by adding the following to the PowerDNS configuration file (pdns.conf):
```
experimental-dnsupdate=yes
allow-dnsupdate-from=
```
We just told PowerDNS (via the configuration file) that we accept updates from nobody, by leaving the [`allow-dnsupdate-from`](settings.md#allow-dnsupdate-from) parameter empty. That's not very useful, so we're going to give permissions per zone via the domainmetadata table.
```
sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, 'ALLOW-DNSUPDATE-FROM', '127.0.0.1');
```
We also want to add TSIG security, which can only be done via the domainmetadata table:
```
sql> insert into tsigkeys (name, algorithm, secret) values ('dhcpdupdate', 'hmac-md5', 'FYhvwsW1ZtFZqWzsMpqhbg==');
sql> select id from domains where name='example.org';
5
```
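The authorization decision that `allow-dnsupdate-from`, the per-zone ALLOW-DNSUPDATE-FROM rows and the TSIG-ALLOW-DNSUPDATE rows from the sections above express, modelled with the Python standard library as an added example (not PowerDNS code). It assumes that the per-zone ranges are unioned with the global setting and that an empty union denies everyone, which is what the empty `allow-dnsupdate-from=` line above is meant to do; check this against the PowerDNS version you run. The `domainmetadata` rows, domain ids and function names are constructed for the example. It also carries an audit helper for an easy-to-miss mistake: an entry such as `198.51.100.0/8` has host bits set, so the prefix actually admits all of `198.0.0.0/8`, far more than the `/24` that was probably intended.

```python
# Added example, not PowerDNS code: the update-authorization decision that the
# ALLOW-DNSUPDATE-FROM and TSIG-ALLOW-DNSUPDATE metadata express.
import ipaddress

# Constructed domainmetadata rows in the shape of the page's SQL:
# (domain_id, kind, content). Domain 5 stands for example.org.
DOMAINMETADATA = [
    (5, "ALLOW-DNSUPDATE-FROM", "127.0.0.1"),
    (5, "ALLOW-DNSUPDATE-FROM", "198.51.100.0/8"),   # host bits set: really 198.0.0.0/8
    (5, "TSIG-ALLOW-DNSUPDATE", "test"),
    (7, "ALLOW-DNSUPDATE-FROM", "203.0.113.0/24"),
]


def metadata(rows, domain_id, kind):
    """All 'content' values of one kind for one domain (one value per row)."""
    return [c for d, k, c in rows if d == domain_id and k == kind]


def parse_range(entry):
    """A bare address becomes a /32 (or /128). strict=False masks off host
    bits the way a netmask match does, so '198.51.100.0/8' becomes 198.0.0.0/8."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def update_allowed(domain_id, source_ip, tsig_keyname, rows, global_acl=""):
    """Return (allowed, reason) for one UPDATE from source_ip, signed with
    tsig_keyname (None when unsigned). Assumption: per-zone rows are unioned
    with the global allow-dnsupdate-from list; an empty union denies all."""
    ranges = metadata(rows, domain_id, "ALLOW-DNSUPDATE-FROM")
    ranges += global_acl.replace(",", " ").split()
    src = ipaddress.ip_address(source_ip)
    if not any(src in parse_range(r) for r in ranges):
        return False, "source %s not in ALLOW-DNSUPDATE-FROM" % source_ip
    required = {k.lower().rstrip(".") for k in metadata(rows, domain_id, "TSIG-ALLOW-DNSUPDATE")}
    if required:
        if tsig_keyname is None:
            return False, "zone requires a TSIG signature; update was unsigned"
        if tsig_keyname.lower().rstrip(".") not in required:
            return False, "TSIG key %s not listed in TSIG-ALLOW-DNSUPDATE" % tsig_keyname
    return True, "accepted"


def overly_wide_entries(rows):
    """Audit helper: ACL entries whose prefix length masks off set host bits,
    i.e. entries that admit more addresses than they appear to."""
    found = []
    for _, kind, content in rows:
        if kind == "ALLOW-DNSUPDATE-FROM" and "/" in content:
            net = parse_range(content)
            if net.network_address != ipaddress.ip_interface(content).ip:
                found.append((content, str(net)))
    return found
```

With these rows, an update for domain 5 from 127.0.0.1 signed with key `test` is accepted, the same update unsigned or signed with another key is refused, and an update from 198.77.1.1 is accepted because of the `/8` entry, which `overly_wide_entries(DOMAINMETADATA)` reports as `("198.51.100.0/8", "198.0.0.0/8")`.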
For the popular Generic SQL backends, configuring the use of TSIG for AXFR requests could be achieved as follows:
```
sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
sql> select id from domains where name='powerdnssec.org';
5
```
In the interest of interoperability, the configuration above is roughly equivalent to the following BIND statements:
```
key test. {
  algorithm hmac-md5;
  secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=";
};
```