4. RFC2136 How-to: Set up dyndns/rfc2136 with dhcpd

4.1. Setting up dhcpd
4.2. Setting up PowerDNS

RFC2136 is often used with DHCP to automatically provide a hostname whenever a new IP address is assigned by the DHCP server. This section describes how you can set up PowerDNS to receive RFC2136 updates from ISC's dhcpd (version 4.1.1-P1).

4.1. Setting up dhcpd

We're going to use a TSIG key to authenticate the updates. Generate the key with the following command:

dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpdupdate

This generates two files (Kdhcpdupdate.*.key and Kdhcpdupdate.*.private). You're interested in the .key file:

# ls -l Kdhcp*
-rw------- 1 root root  53 Aug 26 19:29 Kdhcpdupdate.+157+20493.key
-rw------- 1 root root 165 Aug 26 19:29 Kdhcpdupdate.+157+20493.private

# cat Kdhcpdupdate.+157+20493.key
dhcpdupdate. IN KEY 0 3 157 FYhvwsW1ZtFZqWzsMpqhbg==

The important bits are the name of the key (dhcpdupdate) and the key's base64-encoded secret (FYhvwsW1ZtFZqWzsMpqhbg==).

Using the details from the key you've just generated, add the following to your dhcpd.conf:

key "dhcpdupdate" {
        algorithm hmac-md5;
        secret "FYhvwsW1ZtFZqWzsMpqhbg==";
};

You must also tell dhcpd that you want dynamic DNS to work. Add the following section:

ddns-updates on;
ddns-update-style interim;
update-static-leases on;

This tells dhcpd to:

  1. Enable Dynamic DNS

  2. Use the interim update style (interim)

  3. Update static leases as well

For more information on this, consult the dhcpd.conf manual.

Per subnet, you also have to tell dhcpd which (reverse) domain it should update and which master DNS server hosts that domain.

ddns-domainname "powerdnssec.org";
ddns-rev-domainname "in-addr.arpa.";

zone powerdnssec.org {
	primary 127.0.0.1;
	key dhcpdupdate;
}

zone 1.168.192.in-addr.arpa. {
	primary 127.0.0.1;
	key dhcpdupdate;
}

This tells dhcpd a number of things:

  1. Which domain to use (ddns-domainname "powerdnssec.org";)

  2. Which reverse-domain to use (ddns-rev-domainname "in-addr.arpa.";)

  3. For the zones, where the primary master is located (primary 127.0.0.1;)

  4. Which TSIG key to use (key dhcpdupdate;). We defined the key earlier.

This concludes the changes that are needed to the dhcpd configuration file.

4.2. Setting up PowerDNS

A number of small changes are needed to PowerDNS to make it accept dynamic updates from dhcpd.

Enable RFC2136 (dynamic update) support in PowerDNS by adding the following to the PowerDNS configuration file (pdns.conf):

experimental-rfc2136=yes
allow-2136-from=

This tells PowerDNS to:

  1. Enable RFC2136 support (experimental-rfc2136)

  2. Allow updates from no IP address (allow-2136-from=)

We just told PowerDNS (via the configuration file) that we accept updates from nobody via the allow-2136-from parameter. That's not very useful, so we're going to give permissions per zone, via the domainmetadata table.

sql> select id from domains where name='powerdnssec.org';
5
sql> insert into domainmetadata (domain_id, kind, content) values (5, 'ALLOW-2136-FROM', '127.0.0.1');

This gives the IP address '127.0.0.1' access to send update messages. Make sure you use the IP address of the machine that runs dhcpd.

Another thing we want to do is add TSIG security. This can only be done via the domainmetadata table:

sql> insert into tsigkeys (name, algorithm, secret) values ('dhcpdupdate', 'hmac-md5', 'FYhvwsW1ZtFZqWzsMpqhbg==');
sql> select id from domains where name='powerdnssec.org';
5
sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-2136', 'dhcpdupdate');
sql> select id from domains where name='1.168.192.in-addr.arpa';
6
sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLOW-2136', 'dhcpdupdate');

This will:

  1. Add the 'dhcpdupdate' key to our PowerDNS installation

  2. Associate the domains with the given TSIG key

Restart PowerDNS and you should be ready to go!
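
A consistency check for the per-zone update policy configured above, as an added example that is not part of the original PowerDNS documentation. It loads this page's rows into an in-memory SQLite database (a stand-in for the real backend, modelling only the columns used here) and reports zones that have a TSIG key but no ALLOW-2136-FROM entry, an ALLOW-2136-FROM entry but no TSIG key, or a key name missing from tsigkeys. The function names and finding labels are this example's own.

```python
import sqlite3

# Constructed sample: only the tables and columns this page uses.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE domainmetadata (domain_id INTEGER, kind TEXT, content TEXT);
CREATE TABLE tsigkeys (name TEXT, algorithm TEXT, secret TEXT);
"""
# Rows as this page's SQL selects and inserts them (secret replaced by a placeholder).
PAGE_ROWS = """
INSERT INTO domains VALUES (5, 'powerdnssec.org'), (6, '1.168.192.in-addr.arpa');
INSERT INTO tsigkeys VALUES ('dhcpdupdate', 'hmac-md5', 'SECRET-PLACEHOLDER');
INSERT INTO domainmetadata VALUES
  (5, 'ALLOW-2136-FROM', '127.0.0.1'),
  (5, 'TSIG-ALLOW-2136', 'dhcpdupdate'),
  (6, 'TSIG-ALLOW-2136', 'dhcpdupdate');
"""
# One row per zone: its source ACL and required TSIG key name (NULL if unset).
AUDIT = """
SELECT d.name,
  (SELECT group_concat(m.content) FROM domainmetadata m
    WHERE m.domain_id = d.id AND m.kind = 'ALLOW-2136-FROM'),
  (SELECT m.content FROM domainmetadata m
    WHERE m.domain_id = d.id AND m.kind = 'TSIG-ALLOW-2136')
FROM domains d ORDER BY d.id
"""

def page_config():
    """In-memory database holding the state the page's statements produce."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + PAGE_ROWS)
    return conn

def audit(conn):
    """Map zone name -> list of findings; zones with a complete policy are omitted."""
    known_keys = {name for (name,) in conn.execute("SELECT name FROM tsigkeys")}
    report = {}
    for zone, acl, key in conn.execute(AUDIT):
        findings = []
        if acl is None and key is not None:
            findings.append("no-source-acl")  # global list is empty: no source allowed
        if acl is not None and key is None:
            findings.append("ip-only")        # source address is the only check
        if key is not None and key not in known_keys:
            findings.append("unknown-key")    # metadata names a key tsigkeys lacks
        if findings:
            report[zone] = findings
    return report

if __name__ == "__main__":
    for zone, findings in audit(page_config()).items():
        print(zone, findings)
```

Run against the rows above, it reports 1.168.192.in-addr.arpa as having a TSIG key but no ALLOW-2136-FROM row, so with allow-2136-from= left empty that zone has no permitted source address.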