This assumes you already have a DNS server set up with a static IP, i.e. a webserver that is also doing DNS (like mine). If you have a webserver but don’t currently host your own DNS, you can do a bit of research and set it up within an hour or so. Anyway, that’s not what this how-to is for.
Get on your webserver
SSH into your webserver and su into root.
grep directory /etc/named.conf
cd into the directory displayed.
Create a dnssec key
dnssec-keygen -a hmac-md5 -b 512 -n HOST -r /dev/urandom subdomain.domain.com.
Make sure that you put the period at the end of your domain. The subdomain should be the name of your Untangle box or whatever machine you’re trying to set up for DDNS.
cat Ksubdomain.domain.com.+157+RANDOM#.key
Replace RANDOM# with whatever number the .key file name has.
You should see something like this
subdomain.domain.com. IN KEY 512 3 157 UR4Bu3vzaTYUtmzQA4hJl6GzRwRhY9CoWS2V1ukF6nUfSt0vxKCsEoq6 WAuDCySzmPINAtSD/OjWJfgB5eAVsA==
We want the very long string. Make note of this for the next step. If it has a space in the string, you still want every bit after it. It threw me off when I had a space in it and I wasn’t sure what I needed until I tried the different combinations and found that it was the whole string.
Edit the named.conf
We need to add a couple of things.
key "subdomain.domain.com." {
    algorithm hmac-md5;
    secret "UR4Bu3vzaTYUtmzQA4hJl6GzRwRhY9CoWS2V1ukF6nUfSt0vxKCsEoq6 WAuDCySzmPINAtSD/OjWJfgB5eAVsA==";
};
Now, under your zone (domain.com.) add the following
allow-update { key "subdomain.domain.com."; };
All done. Now reload BIND:
/etc/init.d/bind9 reload
Now, SSH into your Untangle server
Copy the keys from your webserver
scp -P 22 root@webserver.com:/var/named/Ksubdomain.domain.com.* .
/var/named = directory that we found out from your named.conf on your webserver
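Create a file named ddupdate
#!/bin/bash
# Script to update DNS zones on a remote server
# Copyright © 2005-2007 - Julien Valroff
# Parts of the script Copyright © 2001-2002 - Dag Wieers

KEY="/root/Kkeyname.+157+29630.private"
SERVER="ns.domain.com"
LOGFILE="/var/log/syslog"
# Interface whose address gets published. Kept in its own variable so it can
# be compared with the PPP_IFACE that pppd passes to ip-up.d scripts.
IFACE="ppp0"
DOMAIN="domain.com."
HOST="subdomain.domain.com."
EMAIL="you@domain.com"

if [ "$PPP_LOCAL" != '' ]; then
    # Called by pppd: skip the update if another interface came up.
    if [ "$PPP_IFACE" != "$IFACE" ]; then
        echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: ABORTED: Not updating dynamic IP \
address $PPP_LOCAL (already done for $(ip addr show $IFACE | awk '$1 == "inet" { print $2 }'))" >>"$LOGFILE" 2>&1
        exit 0
    fi
    IPADDR=$PPP_LOCAL
    sleep 3
else
    # Run by hand or from cron: read the IPv4 address from the interface.
    IPADDR=$(ip addr show $IFACE | awk '$1 == "inet" { print $2 }')
fi

# The body of this here-document was lost from the page. The nsupdate commands
# below are reconstructed from the variables above; the TTL of 60 seconds is
# an assumption.
{
cat <<EOF | nsupdate -k "$KEY"
server $SERVER
zone $DOMAIN
update delete $HOST A
update add $HOST 60 A $IPADDR
send
EOF
RC=$?
} >>"$LOGFILE" 2>&1

exit $RC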
You will want to change the variables at the top to fit your needs.
Make this file executable
chmod +x ddupdate
Place this file in
/etc/ppp/ip-up.d
Now execute it
/etc/ppp/ip-up.d/ddupdate
Check the syslogs on both servers. If you don’t see any errors that look like
; TSIG error with server: tsig indicates error update failed: NOTAUTH(BADSIG)
you have successfully set up a DDNS server.
Check your webserver’s DNS and make sure that the entry has been entered.
Every time your IP changes (release and renew), this script should run. You could also run it from a cron job.
Troubleshooting
In the ddupdate file you made, you will see the commands executed to make the update possible. Perform these manually, but add the -d option to nsupdate. This will give some extra information on what might be going on. In most cases it will either be a typo of the secret, both keys don’t live on the HOST machine, or a permissions issue. I “chmod 664” the dnssec key files on both servers.
Resources and thanks go to:
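The troubleshooting list above names a typo in the secret as a common cause of BADSIG, and the key-file step notes that the secret can be printed with a space in it. The shell check below is an added example, not part of the original article: it compares the secret in the .key file with the one in named.conf without printing either. The function names and the sample key are constructed for illustration, and it assumes whitespace inside the base64 secret is not significant.

```shell
#!/bin/sh
# Added example, not from the article. Function names are hypothetical.

# Secret from a dnssec-keygen .key file: every field after the algorithm
# number (field 6), joined, so a secret printed in two chunks stays whole.
key_file_secret() {
    awk '$2 == "IN" && $3 == "KEY" {
        s = ""; for (i = 7; i <= NF; i++) s = s $i
        print s; exit }' "$1"
}

# Secret of key "$2" in named.conf "$1" (one-line or multi-line key block).
# Assumption: whitespace inside the base64 secret is not significant.
named_conf_secret() {
    tr '\n' ' ' < "$1" |
        sed -n "s/.*key \"$2\"[[:space:]]*{[^}]*secret[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        tr -d ' '
}

# Return 0 if both sides hold the same secret, 1 on mismatch,
# 2 if either side could not be parsed. Never prints the secret itself.
check_tsig_secret() {
    ks=$(key_file_secret "$1"); cs=$(named_conf_secret "$2" "$3")
    if [ -z "$ks" ] || [ -z "$cs" ]; then echo "cannot read secret"; return 2; fi
    if [ "$ks" != "$cs" ]; then echo "MISMATCH: expect NOTAUTH(BADSIG)"; return 1; fi
    echo "secrets match"
}

# Constructed sample data (not a real key), laid out like the files above.
demo_dir=$(mktemp -d)
printf '%s\n' 'host.example.com. IN KEY 512 3 157 QUJDREVGR0hJ SktMTU5PUA==' \
    > "$demo_dir/Khost.example.com.+157+00001.key"
cat > "$demo_dir/named.conf" <<'EOF'
key "host.example.com." {
    algorithm hmac-md5;
    secret "QUJDREVGR0hJ SktMTU5PUA==";
};
zone "example.com." { allow-update { key "host.example.com."; }; };
EOF
check_tsig_secret "$demo_dir/Khost.example.com.+157+00001.key" \
    "$demo_dir/named.conf" "host.example.com."
rm -rf "$demo_dir"
```

Run on the webserver, the arguments would be the .key file, the path to named.conf, and the key name including its trailing period.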
http://www.kirya.net/articles/running-a-secure-ddns-service-with-bind/
http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/
Just an FYI, that your ads should have a way to not be forced to click on them. You have a big ad that covers the top half of your article, and there’s no ‘x’ or close button when using mac osx / safari.
Major turn off to a site that looks like it holds some good gems of information.
Regards,
Charlie
Charlie,
I hope you revisit the site to see this as you didn’t list your E-Mail addy so that I could properly reply to you. What you were seeing was not an AD but a javascript written to block IE. I don’t know why you saw that as it appears you were using safari, so I will take a look at it.
I will also add in there that it is NOT an ad. I just believe that no one should be using IE of any version.
I am using Firefox and don’t see an ad. Hmm. Well, great article by the way.
@Server Rack: Ya, you won’t if you use Firefox. It’s not an AD either, I block all IE browsers and prompt to choose an alternative to download. I’m not sponsored or paid to do so. Try to view my site with IE and you’ll see what I’m talking about.