[HamWAN PSDR] hamwan.net DDNS [was: hostname on ampr.org?]

Dean Gibson AE7Q hamwan at ae7q.net
Sun Mar 30 01:56:33 PDT 2014


On 2014-03-21 23:09, Tom Hayward wrote:
> On Fri, Mar 21, 2014 at 8:40 PM, Dean Gibson AE7Q<hamwan at ae7q.net>  wrote:
>> ...
> Dean,
>
> This is a really good question. DNS is an essential service for a network. It makes higher-level services much more useful (who wants to memorize IP addresses? Okay... other than me!). HamWAN plans to let you create *.hamwan.net hostnames. At the moment, the DNS servers are running (redundant, at multiple sites), but there's no user interface for people like you to add entries. Only a few records have been manually entered.

You have a user interface.  If you are running ISC's BIND version 9, in 
your master "named.conf" file, add the following clause to the "zone" 
statement for "hamwan.net": update-policy {  };

Then, once for each user, you just need to do (substitute the user's 
callsign for ae7q):

 1. On a Linux system, run: dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ae7q
 2. Send the user a copy of the "Kae7q.+157.#####.key" file.  The
    user will use the key value in the radio's "/tool dns-update ..."
    command (or equivalently, the Linux "nsupdate" command) whenever the
    IP address needs to be updated.  You'll need to tell the user the IP
    address of the master DNS server (probably a.ns.hamwan.net =
    44.24.244.2, unless your A and B DNS servers are slaves to a hidden
    master).
 3. In your master "named.conf" file, add the following line, using the
    key value from the above file: key "ae7q" {algorithm hmac-md5;
    secret "key value..."; };
 4. In your master "named.conf" file, in the zone statement for
    "hamwan.net", insert the following into the "update-policy" clause:
    grant "ae7q" subdomain "ae7q.hamwan.net";
 5. Reload BIND (named).  On CentOS: service named reload

This way, users will only be able to create/update DNS records of the 
form "anything.<only-their-callsign>.hamwan.net".

-- Dean

ps: I've tested this on my own DNS servers.  It's much better than using 
the zone "allow-update" clause, because the latter applies to a whole 
zone (which would mean creating a new zone for each user ...).
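As an added example, not part of Dean's message or of HamWAN's own configuration: a POSIX shell script that produces the pieces steps 1 through 4 above call for, so the admin can generate a per-callsign key, paste the matching "key" clause and "update-policy" grant into named.conf, and hand the user a ready-made nsupdate batch. The secret is drawn from /dev/urandom instead of dnssec-keygen so the script runs without the BIND tools installed; it emits an hmac-sha256 key rather than the HMAC-MD5 key the message uses (BIND accepts both; hmac-sha256 is the one to prefer today). The master address 44.24.244.2 comes from the message; the zone file name, the hostname "radio" and the address 44.24.244.99 are constructed sample values.

```shell
#!/bin/sh
# Added example: generate a per-callsign TSIG key and the named.conf /
# nsupdate fragments for the "one key per callsign, grant subdomain"
# scheme described in the thread. Not code from the original post.

ZONE="hamwan.net"
MASTER="44.24.244.2"        # a.ns.hamwan.net, as named in the message
ALGO="hmac-sha256"          # assumption: newer BIND; the post used hmac-md5
ZONEFILE="hamwan.net.zone"  # constructed sample value

# Key names, DNS names and grant rules must all agree, so lowercase once.
normalize_callsign() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# 256 random bits, base64-encoded as the named.conf "secret" field expects.
# Stands in for dnssec-keygen/tsig-keygen so the script has no BIND dependency.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Step 3: key clause for the master's named.conf.
key_clause() {
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$ALGO" "$2"
}

# Step 4: grant rule. "subdomain" lets this identity change any record at
# or below <callsign>.<zone> and nothing else in the zone.
grant_rule() {
    printf 'grant "%s" subdomain "%s.%s";\n' "$1" "$1" "$ZONE"
}

# Whole zone statement with one grant per callsign given as arguments.
zone_statement() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n    update-policy {\n' "$ZONE" "$ZONEFILE"
    for cs in "$@"; do
        printf '        %s' "$(grant_rule "$cs")"
        printf '\n'
    done
    printf '    };\n};\n'
}

# Step 2, user side: nsupdate batch that replaces one A record.
# Run as: nsupdate -y hmac-sha256:<callsign>:<secret> batch.txt
nsupdate_batch() {
    cs=$1; host=$2; addr=$3
    fqdn="$host.$cs.$ZONE."
    printf 'server %s\n' "$MASTER"
    printf 'zone %s.\n' "$ZONE"
    printf 'update delete %s A\n' "$fqdn"
    printf 'update add %s 300 A %s\n' "$fqdn" "$addr"
    printf 'send\n'
}

# Usage: sh tsig-callsign.sh AE7Q
if [ -n "$1" ]; then
    cs=$(normalize_callsign "$1")
    secret=$(gen_secret)
    echo "# --- add to named.conf on the master, then reload named (step 5) ---"
    key_clause "$cs" "$secret"
    zone_statement "$cs"
    echo "# --- give to the user together with the secret, over a private channel ---"
    nsupdate_batch "$cs" radio 44.24.244.99
fi
```

The grant is the part that does the security work: the key only authenticates, and the "subdomain" rule is what confines that key to names under the user's own callsign. Because the rule matches "ae7q.hamwan.net" itself as well as everything below it, a user can also set the apex of their own subtree, which is usually what you want. Each user gets a distinct secret, so a lost key is revoked by deleting one "key" clause and one grant, not by re-keying the zone.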
