Configure the BIND Server

On the server in named.conf, add the following block:

include “/etc/namedb/dns.keys.conf”; zone “dyn.example.com” { type master; file “dynamic/dyn.example.com”; update-policy { grant *.dyn.example.com. self dyn.example.com. A AAAA; }; };

Then create the initial zone file. BIND requires read/write access to this file and the directory in which it resides so that the zone and its journal may be updated.

Warning: BIND will rewrite this zone file, which is why a subdomain is used in the example.

From there, create the zone file for the new dynamic zone, dynamic/dyn.example.com

Reload the named service using rndc reload or a similar command, and then if any slave name servers are in place, add a zone to those servers as well:

zone “dyn.example.com” { type slave; file “dynamic/dyn.example.com”; masters{ 192.0.2.5; }; };

For BIND 9.16+ create an entry using tsig-keygen:

# tsig-keygen -a hmac-md5 myhost.dyn.example.com key myhost.dyn.example.com. { algorithm hmac-md5; secret “/0/4bxF9A08n/zke/vANyQ==”; };

Add that key to dns.keys.conf manually or by redirecting command output:

# tsig-keygen -a hmac-md5 myhost.dyn.example.com >> /etc/namedb/dns.keys.conf

For BIND version < 9.16, follow the next steps.

On the master name server, make the keys directory:

# mkdir -p /etc/namedb/keys

And now generate a host key. The second line is the output of the command, not part of the command itself.

# /usr/sbin/dnssec-keygen -K /etc/namedb/keys -a HMAC-MD5 -b 128 -n HOST myhost.dyn. ˓→example.com. Kmyhost.dyn.example.com.+157+32768

The output Kmyhost.dyn.example.com.+157+32768 is the first part of the filename for the key, it will append

.private to one file and .key to another. Both contain the same data in different formats. Now read the key from the new key file:

# /usr/bin/grep ^Key: /etc/namedb/keys/Kmyhost.dyn.example.com.+157+32768.private | / ˓→usr/bin/awk ‘{ print $2; }’ /0/4bxF9A08n/zke/vANyQ==

And then add that key to dns.keys.conf:

key myhost.dyn.example.com. { algorithm hmac-md5; secret “/0/4bxF9A08n/zke/vANyQ==”; };

This can be automated with a simple script, make-ddns-host.sh:

#!/bin/sh KEY_NAME=${1} KEY_DIR=/etc/namedb/keys KEYS_CONFIG=/etc/namedb/dns.keys.conf /bin/mkdir -p ${KEY_DIR} cd ${KEY_DIR} KEY_FILE_NAME=`/usr/sbin/dnssec-keygen -K ${KEY_DIR} -a HMAC-MD5 -b 128 -n HOST ${KEY_ ˓→NAME}.` KEY_TEXT=`/usr/bin/grep “^Key:” ${KEY_DIR}/${KEY_FILE_NAME}.private | /usr/bin/awk ‘{ ˓→print $2; }’` echo “key ${KEY_NAME}. {” >> ${KEYS_CONFIG} echo ”       algorithm hmac-md5;” >> ${KEYS_CONFIG} echo ”             secret \”${KEY_TEXT}\”;” >> ${KEYS_CONFIG} echo “};” >> ${KEYS_CONFIG} echo “Key for ${KEY_NAME} is: ${KEY_TEXT}“

After making the file, make it executable:

# chmod u+x make-ddns-host.sh

To use the script:

# ./make-ddns-host.sh mynewhost.dyn.example.com # rndc reload