- You can use TSIG or SIG0 to protect your dynamic updates
  - Detailed howto at: Secure dynamic update HOWTO on ops.ietf.org
- Steps for TSIG dynamic update of forward tree:
  - Configure your TSIG key into /etc/dhclient.conf and specify the FQDN
  - Configure named.conf to allow updates using the key

Using TSIG to protect dynamic updates
Laptop:/etc/dhclient.conf

send fqdn.fqdn "pinkje.secret-wg.org."; # what is my fqdn
send fqdn.encoded on;         # send in dns wire format
#send dhcp-lease-time 60;
send fqdn.server-update off;  # tell dhcp srv not to hack A

# tsig key shared with forward dns server
#

key pinkje.bert.secret-wg.org. {
    algorithm HMAC-MD5;
    secret "ic…==";
};
# tell which key
#
zone secret-wg.org {
    primary 193.0.0.4;
    key pinkje.bert.secret-wg.org.;
}

Nameserver:/etc/named.conf:

zone "secret-wg.org" {
    type master;
    file "zones/secret-wg.org.signed";
    notify yes;

    allow-transfer { key tsig.secret-wg.org.; };
    update-policy {
        grant pinkje.bert.secret-wg.org. name pinkje.secret-wg.org ;
    };
};
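
The update-policy rule above limits the laptop's key to a single name. As an added example (not from the original slides and not BIND code), the following simplified Python model parses that rule and shows which signed updates it would accept. It covers only the "name" and "subdomain" rule types; the function names and the embedded config copy are assumptions made for illustration.

```python
import re

# Constructed sample: the update-policy block from the named.conf above.
NAMED_CONF = '''
zone "secret-wg.org" {
    type master;
    update-policy {
        grant pinkje.bert.secret-wg.org. name pinkje.secret-wg.org ;
    };
};
'''

# Record types a rule does not cover when it lists no types (BIND behaviour).
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}

def canon(name):
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.rstrip(".").lower()

def parse_rules(conf):
    """Return (action, identity, ruletype, target, types) for each rule."""
    m = re.search(r"update-policy\s*\{(.*?)\}\s*;", conf, re.S)
    rules = []
    for stmt in (m.group(1).split(";") if m else []):
        tok = stmt.split()
        if len(tok) >= 4 and tok[0] in ("grant", "deny"):
            rules.append((tok[0], canon(tok[1]), tok[2], canon(tok[3]),
                          {t.upper() for t in tok[4:]}))
    return rules

def allowed(rules, key, name, rtype):
    """First matching rule decides; no match means the update is refused."""
    key, name, rtype = canon(key), canon(name), rtype.upper()
    for action, ident, ruletype, target, types in rules:
        if ident != key:
            continue  # rule is for a different TSIG key
        if ruletype == "name":
            hit = name == target
        elif ruletype == "subdomain":
            hit = name == target or name.endswith("." + target)
        else:
            continue  # other rule types are outside this model
        type_ok = rtype in types if types else rtype not in DEFAULT_EXCLUDED
        if hit and type_ok:
            return action == "grant"
    return False

RULES = parse_rules(NAMED_CONF)
```

With this rule the key pinkje.bert.secret-wg.org. can change the A record of pinkje.secret-wg.org but not www.secret-wg.org, and not the NS or SOA records of any name.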