Netgate Discussion Forum

Using rfc2136 clients for >1 hostname

Posted in: DHCP and DNS
jason0
last edited by Jan 18, 2018, 7:46 AM

Hello,

I am presently using pfSense 2.3.5 with an older ALIX board. I do have a new SG-1000 on its way, so I will be running 2.4.x shortly…

I have several internal web servers behind a NAT IPv4 address, and HAProxy working the inbound web requests to the servers.

I found the RFC 2136 clients part of Dynamic DNS, and since I control the DNS server (BIND9), this makes me very happy.

So I have a configuration based on the howto example working. YAY!

Since I have 8 different web servers in my domain, it looks like I need 8 RFC 2136 clients: one per name needed.

Can I use the same key, or do I need to generate a separate key for each name? The BIND9 Administrator Reference Manual seems to imply yes, so I thought I would check.

Alternatively, might there be a need to be able to have >1 name in an RFC 2136 client? This way, the RFC 2136 client "granularity" is at the domain level...

If I can use the same key, I probably have some edit suggestions for the RFC 2136 howto...

Thank you in advance for your time...

--jason
Gertjan
last edited by Jan 18, 2018, 7:55 AM

Hi,

I have two domain names, both having a subdomain pointing to the WAN IP of my pfSense.
I'm using the same DNS key, the "XsOxpdGGtcvzkRd7v/63egW==" thing, for both zones on my BIND9 DNS server (a dedicated server somewhere on the Internet).
Works well.

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??
jason0
last edited by Jan 18, 2018, 6:54 PM

Wow, that's great! I will play with it soon.

Here's a potentially related question: are the DNS keys stored in pfSense somewhere so that the ACME package could access them?

--jason
jason0
last edited by Jan 18, 2018, 6:59 PM

A further question: do you use the same key name in the setup, or do you have two separate, albeit identical, keys defined in BIND?

I ask because the howto seems to imply the key name must match the hostname, but if the key name refers to the key name defined on the BIND server, then this would not be the case: hence I might have some documentation suggestions.

Also, do you know what changes if zone or user key is selected?

--jason
Gertjan
last edited by Jan 19, 2018, 9:18 AM

You are aware of the fact that this kind of functionality is set up once, so it can run for ages?

Also: all the answers must be here: https://tools.ietf.org/html/rfc2136 (and if not, the question was not related :))

You should create a key:

Put it in /etc/bind/named.conf.local:

    key mykey {
        // HMAC-MD5 as posted; BIND also accepts hmac-sha256, the current
        // recommendation, when the client side offers it
        algorithm HMAC-MD5;
        secret "XsOxpERcvzkRd8v/63e41w==";
    };

Same file, in the zone definition:

    zone "home.my-domaine.tld" {
        type master;
        file "/etc/bind/zones/db.my-domaine.tld";
        // one grant per name this key may update; add a line per extra hostname
        update-policy { grant mykey name home.my-domaine.tld. A AAAA; };
        allow-transfer { "ns-internal-net"; };  // ACL defined elsewhere in named.conf
        notify-source 188.188.57.81;
        notify explicit;
    };

Remember: do not edit the zone file db.my-domaine.tld without using "rndc freeze / reload / thaw", or you will be struck by the DNS gods.

Use the key name "mykey" and secret "XsOxpERcvzkRd8v/63e41w==" in pfSense.

Done.

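As an added example (not code from the thread, from pfSense or from BIND), the following Python models the part of BIND's update-policy that decides whether a signed update is accepted: rules are tried in order, the first matching rule grants or denies, and no match means denied. It builds the shape Gertjan describes for eight hostnames (one TSIG key, one exact-name grant per host, A and AAAA only) and contrasts it with a single `subdomain` grant, which needs no config edit per new host but lets the same key write any name in the zone. It also shows that the key name is just an identity string and need not match any hostname. The key name `pfsense-ddns`, the zone `example.test` and the hosts `web1` to `web8` are constructed for the example; the generated key statement uses hmac-sha256, which BIND accepts as an alternative to the HMAC-MD5 shown above (whether the pfSense client offers it depends on the pfSense version).

```python
import base64
import secrets
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# All names below are constructed for this example; they are not the thread's real zone.
ZONE = "example.test"
KEY_NAME = "pfsense-ddns"  # assumed TSIG key name; it is an identity, not a hostname
HOSTNAMES = [f"web{i}.{ZONE}" for i in range(1, 9)]  # the eight web servers


def make_key(name: str, nbytes: int = 32) -> Tuple[str, str]:
    """Return (base64 secret, BIND `key` statement) for a fresh hmac-sha256 TSIG key."""
    secret_b64 = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    stmt = (
        f'key "{name}" {{\n'
        "    algorithm hmac-sha256;\n"
        f'    secret "{secret_b64}";\n'
        "};\n"
    )
    return secret_b64, stmt


def _norm(name: str) -> str:
    """Canonical form for comparison: lower case, no trailing dot."""
    return name.rstrip(".").lower()


@dataclass(frozen=True)
class Rule:
    """One update-policy rule: grant|deny <identity> <nametype> <name> [types]."""
    action: str                  # "grant" or "deny"
    identity: str                # TSIG key name the request must be signed with
    nametype: str                # "name" (exact match) or "subdomain" (name and below)
    name: str
    types: Tuple[str, ...] = ()  # empty means any record type


def rule_matches(rule: Rule, key: str, target: str, rrtype: str) -> bool:
    """True if this rule applies to an update of <target>/<rrtype> signed with <key>."""
    if _norm(rule.identity) != _norm(key):
        return False
    if rule.nametype == "name":
        if _norm(target) != _norm(rule.name):
            return False
    elif rule.nametype == "subdomain":
        t, n = _norm(target), _norm(rule.name)
        if not (t == n or t.endswith("." + n)):
            return False
    else:
        raise ValueError(f"unsupported nametype {rule.nametype!r}")
    return not rule.types or rrtype.upper() in rule.types


def update_allowed(policy: Sequence[Rule], key: str, target: str, rrtype: str) -> bool:
    """BIND semantics: rules are tried in order, the first match decides, no match denies."""
    for rule in policy:
        if rule_matches(rule, key, target, rrtype):
            return rule.action == "grant"
    return False


def per_host_policy(key: str, hosts: Iterable[str], types=("A", "AAAA")) -> List[Rule]:
    """One exact-name grant per host: the same key, least privilege per record."""
    return [Rule("grant", key, "name", h, tuple(types)) for h in hosts]


def render_update_policy(policy: Sequence[Rule]) -> str:
    """Emit the policy as a named.conf `update-policy { ... };` block."""
    lines = ["update-policy {"]
    for r in policy:
        types = (" " + " ".join(r.types)) if r.types else ""
        lines.append(f"    {r.action} {r.identity} {r.nametype} {_norm(r.name)}.{types};")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    secret, key_stmt = make_key(KEY_NAME)
    policy = per_host_policy(KEY_NAME, HOSTNAMES)
    print(key_stmt)
    print(render_update_policy(policy))
    for target in ("web3." + ZONE, "web9." + ZONE, ZONE):
        verdict = "allowed" if update_allowed(policy, KEY_NAME, target, "A") else "denied"
        print(f"{KEY_NAME} -> {target} A: {verdict}")
```

Run it and paste the emitted `key` and `update-policy` blocks into named.conf.local in place of the single grant above; each pfSense RFC 2136 client entry then uses the same key name and secret with its own hostname. Adding a ninth server means adding one grant line (and an rndc reconfig), whereas a `grant pfsense-ddns subdomain example.test. A AAAA;` rule would cover it automatically at the cost of letting a leaked key rewrite every name in the zone.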
jason0
last edited by Jan 19, 2018, 4:57 PM

@Gertjan:

    Remember: do not edit the zone file db.my-domaine.tld without using "rndc freeze / reload / thaw", or you will be struck by the DNS gods.

Boy howdy, that's the truth!

That's perfect, I appreciate it!

--jason