Netgate Discussion Forum

    Using rfc2136 clients for >1 hostname

    Category: DHCP and DNS
    6 Posts 2 Posters 769 Views
    jason0

      Hello,

      I am presently using pfSense 2.3.5 with an older ALIX board. I do have a new SG-1000 on its way so will be running 2.4.x shortly…

      I have several internal web servers behind a nat ipv4 address, and haproxy working the inbound web requests to the servers.

      I found the RFC 2136 clients part of dynamic dns and since I control the dns server (bind9), this makes me very happy.

      So I have a configuration based on the howto example working.  YAY!

      Since I have 8 different web servers in my domain, it looks like I need 8 rfc 2136 clients: one per name needed.

      Can I use the same key, or do I need to generate a separate key for each name?  The BIND9 Administrator Reference Manual seems to imply yes, so I thought I would check.

      Alternately, might there be a need to be able to have >1 name in an RFC 2136 client? This way, the RFC 2136 client "granularity" is at the domain level...

      If I can use the same key, I probably have some edit suggestions for the rfc 2136 howto...

      Thank you in advance for your time...

      --jason

      Gertjan

        Hi,

        I have two domain names, both having a subdomain pointing to the WAN IP of my pfSense.
        I'm using the same DNS key, the "XsOxpdGGtcvzkRd7v/63egW==" thing, for both zones on my bind9 DNS server (a dedicated server somewhere on the Internet).
        Works well.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        jason0

          Wow, That's great!  I will play with it soon.

          Here's a potentially related question: Are the dns keys stored in pfsense somewhere so that the acme package could access them?

          --jason

          jason0

            A further question: do you use the same key name in the setup, or do you have two separate albeit identical keys defined in BIND?

            I ask because the howto seems to imply the key name must match the hostname, but if the key name refers to the key name defined on the BIND server, then this would not be the case: hence I might have some documentation suggestions.

            Also, do you know what changes if zone or user key is selected?

            --jason

            Gertjan

              You are aware of the fact that this kind of functionality is set up once, so it can run for ages?

              Also: all the answers must be here: https://tools.ietf.org/html/rfc2136 (and if not, the question was not related :))

              You should create a key:

              Put it in /etc/bind/named.conf.local:

              key mykey {
              	algorithm HMAC-MD5;
              	secret "XsOxpERcvzkRd8v/63e41w==";
              };

              Same file, in the zone definition:

              zone "home.my-domaine.tld" {
              	type master;
              	file "/etc/bind/zones/db.my-domaine.tld";
              	update-policy { grant mykey name home.my-domaine.tld. A AAAA; };
              	allow-transfer { "ns-internal-net"; };
              	notify-source 188.188.57.81;
              	notify explicit;
              };

              Remember: do not edit the zone file db.my-domaine.tld without using "rndc freeze / reload / thaw", or you will be struck by the DNS gods.

              Use the key name "mykey" and secret "XsOxpERcvzkRd8v/63e41w==" in pfSense.

              Done.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

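As an added example (not Gertjan's configuration or pfSense code), the following Python script renders the `key` and `zone` stanzas described above for a whole list of web servers, giving the one shared key a separate `grant ... name` rule per host so it can update only those names and only A/AAAA records, and then audits a rendered config to report what the key may change and whether any rule is broader than a single name. It uses hmac-sha256 rather than the post's HMAC-MD5; the zone, hostnames and secret are constructed placeholders.

```python
"""Added example: render and audit a BIND9 update-policy that lets one TSIG
key update several hostnames. Zone, hosts and key name are constructed."""
import base64
import re
import secrets

# One rule inside `update-policy { ... };`, e.g. "grant mykey name h.example.net. A AAAA;"
GRANT_RE = re.compile(r"grant\s+(?P<key>\S+)\s+(?P<rule>\w+)\s+(?P<rest>[^;]+);")


def new_tsig_secret(nbytes=32):
    """Random base64 TSIG secret; 32 bytes suits hmac-sha256 (44 chars)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def render_key(name, secret, algorithm="hmac-sha256"):
    """The `key {}` stanza from the post, with a stronger default algorithm."""
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def render_zone(zone, zonefile, key, hosts, rrtypes=("A", "AAAA")):
    """One `grant ... name` rule per host: the shared key can update only
    these names, and only the listed record types."""
    rules = "".join(
        f"\t\tgrant {key} name {host}.{zone}. {' '.join(rrtypes)};\n" for host in hosts
    )
    return (
        f'zone "{zone}" {{\n\ttype master;\n\tfile "{zonefile}";\n'
        f"\tupdate-policy {{\n{rules}\t}};\n}};\n"
    )


def audit_grants(config, key):
    """Return ({fqdn: set(rrtypes)}, [warnings]) describing what `key` may change."""
    names, warnings = {}, []
    for m in GRANT_RE.finditer(config):
        if m["key"] != key:
            continue
        tokens = m["rest"].split()
        if m["rule"] != "name":  # subdomain/zonesub/wildcard rules cover many names
            warnings.append(f"{m['rule']} rule is broader than one name: {m.group(0)}")
            continue
        fqdn, types = tokens[0], set(tokens[1:])
        names[fqdn] = types
        if not types or "ANY" in types:
            warnings.append(f"{fqdn}: grant is not limited to specific record types")
    return names, warnings


if __name__ == "__main__":  # constructed demo with two of the thread's eight hosts
    cfg = render_key("mykey", new_tsig_secret()) + render_zone(
        "example.net", "/etc/bind/zones/db.example.net", "mykey", ["web1", "web2"])
    print(cfg, audit_grants(cfg, "mykey"))
```

The key name passed to pfSense is the BIND `key` name ("mykey" here), not a hostname, which is why one key serves all eight RFC 2136 clients.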
              jason0

                @Gertjan:

                Remember: do not edit the zone file db.my-domaine.tld without using "rndc freeze / reload / thaw", or you will be struck by the DNS gods.

                Boy Howdy that's the truth!

                That's perfect, I appreciate it!

                --jason

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.