Neu*_*ter 5 domain-name-system bind ddns dynamic-dns nsupdate
我刚刚切换到bind9.9.5动态 DNS功能,具有 DNSSEC 条目的半自动管理,整个过程进行得很顺利,我的区域文件更新得很好,但现在我无法通过nsupdate工具更新或添加条目。
的/etc/bind/named.conf.local:
// 1
view "localhost_view" {
allow-query-on { 127.0.0.1; };
allow-query { localhost_acl; };
match-clients { localhost_acl; };
zone "somehost.tld" {
type master;
file "/etc/bind/db.somehost.tld_10";
};
zone "168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192.168.10";
};
// formerly named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// formerly zones.rfc1918
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
};
// 2
view "internal_10_view" {
allow-query-on { 192.168.10.1; };
allow-query { internal_10_acl; };
match-clients { internal_10_acl; };
zone "somehost.tld" {
type master;
file "/etc/bind/db.somehost.tld_10";
};
zone "168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192.168.10";
};
// formerly named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// formerly zones.rfc1918
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
};
// 3
view "internal_150_view" {
allow-query-on { 192.168.150.1; };
allow-query { internal_150_acl; };
match-clients { internal_150_acl; };
zone "somehost.tld" {
type master;
file "/etc/bind/db.somehost.tld_150";
};
zone "168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192.168.150";
};
// formerly named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// formerly zones.rfc1918
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
};
// 4
view "vpn_view" {
allow-query-on { 192.168.200.1; };
allow-query { vpn_acl; };
match-clients { vpn_acl; };
zone "somehost.tld" {
type master;
file "/etc/bind/db.somehost.tld_vpn";
};
// formerly named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// formerly zones.rfc1918
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "32.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
};
// 5
view "global_view" {
allow-query-on { 1.2.3.4; };
// match-clients { any; !localhost_acl; !internal_10_acl; !internal_150_acl; !vpn_acl; };
recursion no;
zone "somehost.tld" {
type master;
update-policy local;
auto-dnssec maintain;
file "/etc/bind/db.somehost.tld_global";
key-directory "/etc/bind/keys";
};
zone "26/4.3.2.1.in-addr.arpa" IN {
type master;
file "/etc/bind/db.rev";
};
// formerly named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// formerly zones.rfc1918
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "32.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
};
ACL:
acl localhost_acl {
127.0.0.0/8;
};
acl internal_10_acl {
192.168.10.0/24;
};
acl internal_150_acl {
192.168.150.0/24;
};
acl vpn_acl {
192.168.200.2;
192.168.200.5;
};
所以update-policy local;就在这里,/var/run/named/session.key成功生成并且用户bind可读,但是当我通过nsupdate -l(作为 root)执行添加命令时,我总是收到update failed: REFUSED错误(这里有调试消息):
root@somehost:/etc/bind# nsupdate -l -v -D
setup_system()
Creating key...
namefromtext
keycreate
reset_system()
user_interaction()
> ttl 46000
do_next_command()
> zone somehost.tld.
do_next_command()
> update add whatever.somehost.tld. A 1.1.1.1
do_next_command()
evaluate_update()
update_addordelete()
> send
do_next_command()
start_update()
send_update()
Sending update to 127.0.0.1#53
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 15363
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;somehost.tld. IN SOA
;; UPDATE SECTION:
whatever.somehost.tld. 46000 IN A 1.1.1.1
;; TSIG PSEUDOSECTION:
local-ddns. 0 ANY TSIG hmac-sha256. 1446539060 300 32 r2lt18dGihGnJepoUjvIKx8l5BPMohNJvsLoO+WQiBE = 15363 NOERROR 0
update_completed()
tsig verification successful
show_message()
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 15363
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;somehost.tld. IN SOA
;; TSIG PSEUDOSECTION:
local-ddns. 0 ANY TSIG hmac-sha256. 1446539060 300 32 Cnh9Tgg5vhKngPRk2J8n0wiRzdBLlQrp0F0qmfUotN8 = 15363 NOERROR 0
done_update()
reset_system()
user_interaction()
> quit
这是某种许可问题吗?怎么了?
终于想通了。感谢@Håkan Lindqvist的启发。
这些解决方案可能是特定于 Debian/Ubuntu 的,并没有在其他发行版中进行测试。
(使用update-policy local;)。
您实际上可以update-policy local;在/etc/bind/named.conf.local您想要的每个区域声明中使用指令,它限制来自 Internet 或 LAN 的更新请求以提高安全性。在这种情况下,密钥是自动生成的nsupdate,如果使用-l选项运行,将使用它。
相反的server X.X.X.X命令应该使用local X.X.X.X。如果它是系统本地的,它甚至接受公共 IP 作为参数!
注意:密钥不是世界可读的,所以使用sudo.
例子:
me@somehost:~$ sudo nsupdate -l
> local 1.2.3.4
> zone somehost.tld
> update add something.somehost.tld. 86400 A 1.1.1.1
> send
> quit
(使用ddns-confgen)。
我有很多的意见(localhost_view,global_view等),其中有一些共同的区域(somehost.tld在我的例子)。如果我想动态更新它们,我应该server X.X.X.X在 do 时使用command nsupdate。因此nsupdate将向适当的接口发送更新请求,适当的视图将处理它。
update-policy local;不适用于此配置,因为它禁止server在nsupdate. 因此需要生成一个 DDNS 密钥并在所有区域声明中指定它,这应该由nsupdate. 在 Debian 世界中,有一个ddns-confgen命令可以大大简化此任务:
me@somehost:~$ ddns-confgen
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "ddns-key" {
algorithm hmac-sha256;
secret "pXohPnPR7dyri9ADfDLtSz+lHw/QliISyiEe0wg0a14=";
};
# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key. For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
grant ddns-key zonesub ANY;
};
# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>
此命令的输出非常具有自我描述性。这是需要添加key...代码段的/etc/bind/named.conf 和单独的文件使用任何名称和update-policy...代码插入每个zone申报,将由管理nsupdate。
要nsupdate在多视图 BIND 环境中正确使用工具,需要server在执行任何其他命令之前明确指定指令。因此,对于更新localhost_view的somehost.tld区域(考虑到key...片段已保存到/etc/bind/ddns-key.key),命令如下(注意server 127.0.0.1):
me@somehost:~$ nsupdate -k /etc/bind/ddns-key.key
> server 127.0.0.1
> zone somehost.tld
> update add something.somehost.tld. 86400 A 1.1.1.1
> send
> quit
而操纵global_view的somehost.tld区中的命令基本上是相同的,但具有不同的server。在这种情况下,需要使用公共 IP(1.2.3.4在我的示例中):
me@somehost:~$ nsupdate -k /etc/bind/ddns-key.key
> server 1.2.3.4
> zone somehost.tld
> update add something.somehost.tld. 86400 A 1.1.1.1
> send
> quit
因此,nsupdate将请求发送到适当的接口(可能是也可能不是本地接口)并且特定视图起作用。