On 2014-03-21 23:09, Tom Hayward wrote:
On Fri, Mar 21, 2014 at 8:40 PM, Dean Gibson AE7Q <hamwan@ae7q.net> wrote:
...
Dean,

This is a really good question. DNS is an essential service for a network. It makes higher-level services much more useful (who wants to memorize IP addresses? Okay... other than me!). HamWAN plans to let you create *.hamwan.net hostnames. At the moment, the DNS servers are running (redundant, at multiple sites), but there's no user interface for people like you to add entries. Only a few records have been manually entered.

You have a user interface.  If you are running ISC's BIND version 9, in your master "named.conf" file, add the following clause to the "zone" statement for "hamwan.net": update-policy {  };

Then, once for each user, you just need to do (substitute the user's callsign for ae7q):
  1. On a Linux system, run: dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ae7q
  2. Send the user a copy of the "Kae7q.+157.#####.key" file.  The user will use the key value in the radio's "/tool dns-update ..." command (or equivalently, the Linux "nsupdate" command) whenever the IP address needs to be updated.  You'll need to tell the user the IP address of the master DNS server (probably a.ns.hamwan.net = 44.24.244.2, unless your A and B DNS servers are slaves to a hidden master).
  3. In your master "named.conf" file, add the following line, using the key value from the above file: key "ae7q" {algorithm hmac-md5; secret "key value..."; };
  4. In your master "named.conf" file, in the zone statement for "hamwan.net", insert the following into the "update-policy" clause: grant "ae7q" subdomain "ae7q.hamwan.net";
  5. Reload BIND (named).  On CentOS:  service named reload

This way, users will only be able to create/update DNS records of the form "anything.<only-their-callsign>.hamwan.net".

-- Dean

ps: I've tested this on my own DNS servers.  It's much better than using the zone "allow-update" clause, because the latter applies to a whole zone (which would mean creating a new zone for each user ...).
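The per-user TSIG setup described in the steps above, as an added worked example that is not part of Dean's message or of HamWAN's real configuration: a small POSIX shell script that emits the named.conf key clause and grant rule for one callsign, writes the matching nsupdate batch a user would run when their address changes, and checks that a requested name actually lies under that callsign's subdomain (the same boundary BIND's "subdomain" rule enforces). It assumes hmac-sha256 rather than the hmac-md5 used in the steps above (current BIND deprecates hmac-md5, and "tsig-keygen -a hmac-sha256 ae7q" prints a ready-made key clause), the zone hamwan.net, a.ns.hamwan.net as the primary, and constructed sample values for the secret, host label and address.

```shell
#!/bin/sh
# Added example, not code from the original thread or from HamWAN.
# Assumptions: zone hamwan.net, primary a.ns.hamwan.net, hmac-sha256 keys.
# Secret, host label and address passed in by the caller are sample values.

# Lower-case a callsign so the key name and subdomain are consistent.
lc() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Print the named.conf fragments for one user:
#   $1 = callsign, $2 = base64 TSIG secret (e.g. from "openssl rand -base64 32")
# The key clause goes at top level; the grant rule goes inside the
# update-policy clause of the "hamwan.net" zone statement.
named_conf_fragment() {
    call=$(lc "$1")
    printf 'key "%s" {\n' "$call"
    printf '    algorithm hmac-sha256;\n'
    printf '    secret "%s";\n' "$2"
    printf '};\n\n'
    printf '# inside: zone "hamwan.net" { ... update-policy { ... }; };\n'
    # Restrict the key to A/AAAA records under <callsign>.hamwan.net only.
    printf 'grant "%s" subdomain "%s.hamwan.net" A AAAA;\n' "$call" "$call"
}

# Print an nsupdate batch that replaces the A record for one host under the
# user's subdomain:  $1 = callsign, $2 = host label, $3 = IPv4 address
nsupdate_script() {
    call=$(lc "$1")
    fqdn="$2.$call.hamwan.net"
    printf 'server a.ns.hamwan.net\n'
    printf 'zone hamwan.net\n'
    printf 'update delete %s A\n' "$fqdn"
    printf 'update add %s 300 A %s\n' "$fqdn" "$3"
    printf 'send\n'
}

# Return 0 if $2 is <callsign>.hamwan.net or any name below it, else 1.
# This mirrors what BIND checks before accepting an update signed with
# the user's key; a name under another callsign is refused.
in_subdomain() {
    call=$(lc "$1")
    name=$(lc "$2" | sed 's/\.$//')
    case "$name" in
        "$call.hamwan.net"|*".$call.hamwan.net") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: show both fragments for a sample user.
if [ "${1:-}" = "demo" ]; then
    named_conf_fragment AE7Q 'c2FtcGxlLXNlY3JldC1ub3QtcmVhbA=='
    echo
    nsupdate_script AE7Q router 44.24.244.10
fi
```

On the user's side the batch is fed to nsupdate with the key: "nsupdate -y hmac-sha256:ae7q:SECRET script.txt" (or "-k" pointing at the key file). The secret should reach the user over a confidential channel rather than in clear text across the RF network, since anyone holding it can rewrite every record under that callsign.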