D.2 Configuring the DNS Server for Dynamic DNS

Begin by configuring the DNS server so that it accepts dynamic updates to a particular zone and authenticates those updates with TSIG (Transaction SIGnature, RFC 2845) keys. TSIG is a shared-secret mechanism: the updating cluster node and the DNS server hold the same secret, and every update message carries an HMAC computed with it, so the server accepts only updates from a holder of that secret.

D.2.1 Creating the TSIG Keys for DNS Server Authentication

TSIG keys authenticate the dynamic updates that the cluster sends to the DNS server. Although dnssec-keygen writes a "public" (.key) and a "private" (.private) file, TSIG is symmetric: both files contain the same shared secret, so both must be protected. Use the dnssec-keygen utility to create the key files, which are named in the following format, where 157 is BIND's algorithm number for HMAC-MD5 (a different algorithm gives a different number):

  • K<cluster_dns_name>.+157+<random number>.key
  • K<cluster_dns_name>.+157+<random number>.private

  1. On a node in one of the peer clusters, log in as the root user, then open a terminal console.

  2. Use the dnssec-keygen utility to create the public and private TSIG keys by entering

    dnssec-keygen -a HMAC-MD5 -b 512 -n HOST cluster_dns_name

    The -a option specifies the HMAC algorithm. BIND 9.3, the version shown in this appendix, supports only HMAC-MD5 for TSIG. BIND 9.4 and later also accept HMAC-SHA256 (dnssec-keygen -a HMAC-SHA256), which you should prefer when both the DNS server and the updating cluster nodes run a version that supports it. Whichever algorithm you choose here is the one you must name in the key statement in Section D.2.2.

    The -b option specifies the key length in bits. Use the longest key the algorithm allows, which for HMAC-MD5 is 512. (HMAC is a message authentication code, not encryption; the key length bounds how much an attacker would have to guess.)

    The -n option is the name type. Because a computer is updating the DNS server, use the HOST name type.

    Replace cluster_dns_name with the name of the host. For BCC, the cluster node that hosts the Novell Cluster Services Master IP Address resource updates the DNS server. Because this can be any node in the cluster, use the fully qualified name of the cluster as the host name.

    For example, enter

    dnssec-keygen -a HMAC-MD5 -b 512 -n HOST cluster1.clusters.site1.company.com

    This generates the public and private key files:

    • Kcluster1.clusters.site1.company.com.+157+60303.key
    • Kcluster1.clusters.site1.company.com.+157+60303.private

    60303 represents a randomly generated number created by the utility.

  3. Store these files in a secure location.

    Both files contain the shared secret. Keep them readable by root only (chmod 600), and move them between hosts only over an encrypted channel such as scp. The DNS administrator uses the secret in these files to configure your master DNS server.

  4. Continue with Section D.2.2, Configuring the DNS Server with the Public Key.

D.2.2 Configuring the DNS Server with the Public Key

Modify the DNS server configuration to use the TSIG key you generated in Section D.2.1, Creating the TSIG Keys for DNS Server Authentication (this appendix calls it the public key, but it is the shared secret). You can place the key statement directly in the /etc/named.conf file, but named.conf is normally world-readable, so it is more secure to put the key statement in a separate file that only root and the named user can read (for example, owner root, group named, mode 0640).

  1. On the DNS Server, open a terminal console, then log in as the root user.

  2. Open the /etc/named.conf file in a text editor, add the following line before the zone configuration, then save the changes:

    include "keys.conf";

    A relative path in an include statement is resolved against the directory option in the options section of named.conf. On SUSE Linux that directory is /var/lib/named, which is why the next step creates the file there.

  3. Go to the /var/lib/named directory, then use a text editor to create a keys.conf file.

  4. In the keys.conf file, create a section for each public key you need to add.

    The format of the key section is:

    key <cluster_dns_name>. {
      algorithm <cryptographic algorithm>;
      secret "<the public key secret>";
    };

    The cluster_dns_name must be exactly the name you used when creating the key with the dnssec-keygen utility, including the trailing dot. It is the owner name of the KEY record in the public key file that dnssec-keygen created; nsupdate sends this name in every signed update so that the server can look up the matching secret.

    The algorithm must be the one you passed to dnssec-keygen -a, which is HMAC-MD5 in this appendix.

    The secret is the Base64-encoded string at the end of the KEY record in the public key file (the same value appears after "Key:" in the private key file). You can copy and paste the secret from the public key file to the /var/lib/named/keys.conf file. dnssec-keygen may have broken the Base64 text into several space-separated chunks; named ignores that whitespace when it reads the secret, so the chunks can be pasted as-is or joined. To continue our example, the key section for the /var/lib/named/keys.conf file might look like this:

    key cluster1.clusters.site1.company.com. {
            algorithm HMAC-MD5;
            secret "SCUT8rIUoGByvcI1Iok7tY7YvcEaHaM3zusCxXmboBxVcJvUxr335HCg lXcDQRPrJrzIKQhH4dJ4cY10ebOJFw==";
    };

  5. Save the file.

  6. Continue with Section D.2.3, Configuring the DNS Server Zones.
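The following shell script is an added example, not part of this appendix or of the BCC product. It turns the KEY record in the .key file into the key statement from step 4 without hand-copying the secret, and writes keys.conf with permissions that keep it away from other local users. The sample KEY record is constructed in the layout dnssec-keygen -n HOST writes, using the secret printed above (not a live key); the TSIG_KEYFILE variable and the function names are this example's own. The algorithm-number mapping (157 = HMAC-MD5, 163 = HMAC-SHA256) is BIND's.

```shell
#!/bin/sh
# Added example (not from the BCC documentation): build the keys.conf stanza
# from the .key file that dnssec-keygen writes, and install it so that the
# shared secret is not world-readable.
#
# The .key file holds one KEY resource record:
#   <name>. IN KEY <flags> <protocol> <algorithm-number> <base64 secret>
# dnssec-keygen may split the base64 text into space-separated chunks; the
# stanza rejoins them.  Algorithm numbers (BIND private-use, also seen in
# the filename): 157 = HMAC-MD5, 163 = HMAC-SHA256.

# Constructed sample record; the secret is the one printed in this appendix.
SAMPLE_KEY_RR='cluster1.clusters.site1.company.com. IN KEY 512 3 157 SCUT8rIUoGByvcI1Iok7tY7YvcEaHaM3zusCxXmboBxVcJvUxr335HCg lXcDQRPrJrzIKQhH4dJ4cY10ebOJFw=='

# key_name <key-rr-line>: owner name, which must match the key {} name exactly
key_name() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# key_secret <key-rr-line>: the base64 secret with chunk spaces removed
key_secret() {
    printf '%s\n' "$1" | awk '{ s = ""; for (i = 7; i <= NF; i++) s = s $i; print s }'
}

# key_algorithm <key-rr-line>: BIND algorithm name for the numeric field
key_algorithm() {
    printf '%s\n' "$1" | awk '{
        if ($6 == 157) print "hmac-md5"
        else if ($6 == 163) print "hmac-sha256"
        else print "unknown-" $6
    }'
}

# valid_secret <string>: true if it is one base64 token (no stray characters)
valid_secret() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# key_stanza <key-rr-line>: print the key {} block for keys.conf
key_stanza() {
    secret=$(key_secret "$1")
    valid_secret "$secret" || { echo "malformed secret in key record" >&2; return 1; }
    printf 'key %s {\n' "$(key_name "$1")"
    printf '\talgorithm %s;\n' "$(key_algorithm "$1")"
    printf '\tsecret "%s";\n' "$secret"
    printf '};\n'
}

# write_keys_conf <stanza-text> <path>: create the file with mode 0640 (the
# intended owner is root:named); named.conf itself is usually world-readable,
# which is the reason the secret lives in a separate file at all
write_keys_conf() {
    ( umask 027; printf '%s\n' "$1" > "$2" ) && chmod 640 "$2"
}

# Stand-alone use:
#   TSIG_KEYFILE=Kcluster1....key KEYS_CONF=/var/lib/named/keys.conf ./keys_conf.sh
# Without TSIG_KEYFILE set, the constructed sample record is rendered instead.
if [ -n "${TSIG_KEYFILE:-}" ]; then
    rr=$(grep ' IN KEY ' "$TSIG_KEYFILE")      # skip dnssec-keygen's comment lines
    if [ -n "${KEYS_CONF:-}" ]; then
        write_keys_conf "$(key_stanza "$rr")" "$KEYS_CONF"
    else
        key_stanza "$rr"
    fi
else
    key_stanza "$SAMPLE_KEY_RR"
fi
```

The algorithm name is emitted in lowercase; named accepts either case, so it matches the HMAC-MD5 spelling used above. If you run a BIND release that ships tsig-keygen, that tool prints a ready-made key statement (HMAC-SHA256 by default) and makes the parsing step unnecessary.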

D.2.3 Configuring the DNS Server Zones

To configure the DNS zones to accept authorized DNS updates:

  1. On the DNS server, open a terminal console, then log in as the root user.

  2. Open the /etc/named.conf file in a text editor, then add an allow-update clause that names the key to the zone sections for both the forward (regular lookup) zone and the reverse lookup zone. Authorize by key, not by an address-based ACL: source addresses in UDP are trivially spoofed, whereas the TSIG signature proves possession of the secret. Note that allow-update { key ...; } lets the key add or delete any record type in the zone; if you want to limit the key to the A and PTR records the cluster actually changes, use an update-policy statement instead (allow-update and update-policy are mutually exclusive within one zone).

    For example, this is a sample zone section:

    zone "clusters.site1.company.com" in {
            file "dyn/clusters.site1.company.com";
            type master;
            allow-update {
                    key cluster1.clusters.site1.company.com.;
            };
    };
    
    zone "1.1.10.in-addr.arpa" in {
            file "dyn/10.1.1.zone";
            type master;
            allow-update {
                    key cluster1.clusters.site1.company.com.;
            };
    };

    Because named rewrites dynamically updated zones and keeps a journal (.jnl) file next to each zone file, these zone files must be in a directory that the named user can write; that is why the example keeps them under the dyn subdirectory rather than alongside the static zones.

  3. Save the changes.

  4. Run named-checkconf /etc/named.conf to validate the syntax, then reload the configuration with rndc reload (or restart the DNS server) so that the new configuration is read.

    Your DNS server is now configured to accept secure dynamic updates.

  5. Continue with Section D.2.4, Testing the DNS Server.
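As an added example (not part of this appendix), the zone statements above rendered by a small shell script in two forms: the allow-update form the appendix uses, and an update-policy form that grants the cluster key only the record types it needs (A in the forward zone, PTR in the reverse zone). The zone names, file paths and key name are the ones used above; the function names and the named_conf_fragment helper are this example's own. The braces check is only a sanity check on the generated text; validate the real configuration with named-checkconf once the fragment is in /etc/named.conf.

```shell
#!/bin/sh
# Added example (not from the BCC documentation): render zone {} blocks whose
# dynamic-update permission is scoped to one TSIG key and, with update-policy,
# to the record types that key legitimately needs.
#
# allow-update { key K; } lets K change ANY record in the zone, NS and SOA
# included.  "grant K subdomain <zone>. A" lets a leaked key rewrite nothing
# but A records under the zone.  allow-update and update-policy are mutually
# exclusive within one zone statement.  Zone file paths are relative to the
# "directory" option of named.conf, as in the appendix.

KEY_NAME='cluster1.clusters.site1.company.com.'

# zone_stanza_allow_update <zone> <file> <key-name>: the appendix's form,
# key-authenticated but unrestricted in record type
zone_stanza_allow_update() {
    printf 'zone "%s" in {\n\ttype master;\n\tfile "%s";\n' "$1" "$2"
    printf '\tallow-update { key %s; };\n};\n' "$3"
}

# zone_stanza_policy <zone> <file> <key-name> <rrtype...>: least-privilege
# form; the key may only touch the listed types for names under the zone
zone_stanza_policy() {
    zone=$1; file=$2; key=$3; shift 3
    printf 'zone "%s" in {\n\ttype master;\n\tfile "%s";\n' "$zone" "$file"
    printf '\tupdate-policy {\n\t\tgrant %s subdomain %s. %s;\n\t};\n};\n' "$key" "$zone" "$*"
}

# braces_balanced <text>: cheap structural check on a generated fragment
braces_balanced() {
    opened=$(printf '%s' "$1" | tr -cd '{' | wc -c | tr -d ' ')
    closed=$(printf '%s' "$1" | tr -cd '}' | wc -c | tr -d ' ')
    [ "$opened" -eq "$closed" ]
}

# named_conf_fragment: both zones from the appendix, policy-scoped
named_conf_fragment() {
    zone_stanza_policy clusters.site1.company.com dyn/clusters.site1.company.com "$KEY_NAME" A
    printf '\n'
    zone_stanza_policy 1.1.10.in-addr.arpa dyn/10.1.1.zone "$KEY_NAME" PTR
}

# Stand-alone use: ./zones.sh >> /etc/named.conf, then named-checkconf
named_conf_fragment
```

With the update-policy form, the nsupdate test in Section D.2.4 still succeeds, because it changes only A and PTR records; an update that tried to replace the zone's NS record with the same key would be refused, which is the point.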

D.2.4 Testing the DNS Server

Before you continue to set up the BCC for dynamic DNS updating, verify that your DNS server accepts secure dynamic updates.

  1. Install the bind-utils RPM, which provides the dig and nsupdate utilities, on a Linux client computer.

  2. Ensure that the Linux client computer is configured to use the DNS server you want to test.

    Alternately, you can force the dig utility to query a specific DNS server with the @server argument, as the examples below do.

  3. Use the dig utility to perform a baseline test on any server to view its current IP address. The examples in this section use the following test equipment:

    Test Equipment                               Sample Value
    -------------------------------------------  ---------------------------------
    DNS server IP address                        10.1.1.172
    Linux client computer                        wkstn1.clusters.site1.company.com
    FTP server (testing to see its IP address)   10.1.1.215
                                                 ftp.clusters.site1.company.com

    For example, enter:

    dig @10.1.1.172 ftp.clusters.site1.company.com

    The output shows that the IP address for ftp.clusters.site1.company.com is 10.1.1.215:

    ; <<>> DiG 9.3.2 <<>> @10.1.1.172 ftp.clusters.site1.company.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47449
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;ftp.clusters.site1.company.com.   IN      A
    
    ;; ANSWER SECTION:
    ftp.clusters.site1.company.com. 10 IN      A       10.1.1.215
    
    ;; AUTHORITY SECTION:
    clusters.site1.company.com. 120    IN      NS      wkstn1.clusters.site1.company.com
    
    ;; ADDITIONAL SECTION:
    wkstn1.clusters.site1.company.com. 120 IN  A       10.1.1.172
    
    ;; Query time: 0 msec
    ;; SERVER: 10.1.1.172#53(10.1.1.172)
    ;; WHEN: Tue Aug 14 17:19:55 2008
    ;; MSG SIZE  rcvd: 98

  4. Use the -x option of the dig utility to perform a baseline test of the reverse lookup records in the DNS server by IP address.

    For example, enter

    dig @10.1.1.172 -x 10.1.1.215

    The output shows that the DNS name for the FTP server is ftp.clusters.site1.company.com. Note the NS name in the AUTHORITY SECTION, wkstn1.clusters.site1.company.com.1.1.10.in-addr.arpa.: named appends the zone origin to any name written without a trailing dot, so this shows that the NS record in the reverse zone file lacks one. Add the trailing dot to that record in the reverse zone file; the mistake does not affect this test, but it makes the zone advertise a name server that does not exist.

    ; <<>> DiG 9.3.2 <<>> @10.1.1.172 -x 10.1.1.215
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34957
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;215.1.1.10.in-addr.arpa.       IN      PTR
    
    ;; ANSWER SECTION:
    215.1.1.10.in-addr.arpa. 10     IN      PTR     ftp.clusters.site1.company.com.
    
    ;; AUTHORITY SECTION:
    1.1.10.in-addr.arpa.    120     IN      NS      wkstn1.clusters.site1.company.com.1.1.10.in-addr.arpa.
    
    ;; Query time: 0 msec
    ;; SERVER: 10.1.1.172#53(10.1.1.172)
    ;; WHEN: Tue Aug 14 17:32:11 2008
    ;; MSG SIZE  rcvd: 127

  5. Securely copy (for example, with scp) both key files created in Section D.2.1, Creating the TSIG Keys for DNS Server Authentication to your home directory on the Linux client computer (such as /home/yourhomedir/), and make them readable by your user only (chmod 600).

    These keys have filenames of the form K<name>.+157+<random number>.key (the public key) and K<name>.+157+<random number>.private (the private key). Both contain the shared secret, and nsupdate -k expects both to be present in the same directory.

  6. Use the nsupdate utility to update an A record on the DNS server to change its IP address to 10.1.1.216. The -k option signs each update with the TSIG key read from the key files, and -v sends the update over TCP instead of UDP.

    nsupdate -v -k path_to_private_key_file

    For example, enter

    nsupdate -v -k /home/yourhomedir/Kcluster1.clusters.site1.company.com.+157+60303.private
    
    > server 10.1.1.172 53
    > update delete ftp.clusters.site1.company.com. A
    > update add ftp.clusters.site1.company.com. 300 A 10.1.1.216
    > show
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
    ;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    ftp.clusters.site1.company.com. 0  ANY     A
    ftp.clusters.site1.company.com. 300 IN     A       10.1.1.216
    
    > send
    > quit

  7. Use the nsupdate utility to update the PTR record used for reverse lookups. Each send is one update transaction to one zone, so the PTR change in the reverse zone must be sent separately from the A change in the forward zone.

    For example, enter

    nsupdate -v -k /home/yourhomedir/Kcluster1.clusters.site1.company.com.+157+60303.private
    
    > server 10.1.1.172 53
    > update delete 215.1.1.10.in-addr.arpa PTR
    > update add 216.1.1.10.in-addr.arpa 300 PTR ftp.clusters.site1.company.com
    > show
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
    ;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    215.1.1.10.in-addr.arpa. 0      ANY     PTR
    216.1.1.10.in-addr.arpa. 300    IN      PTR     ftp.clusters.site1.company.com.
    
    > send
    > quit

  8. Use the dig utility to verify that the changes made in Step 6 and Step 7 occurred on the DNS server:

    1. Use the dig utility with the DNS name to verify the IP address.

      dig @10.1.1.172 ftp.clusters.site1.company.com
      
      ; <<>> DiG 9.3.2 <<>> @10.1.1.172 ftp.clusters.site1.company.com
      ; (1 server found)
      ;; global options:  printcmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35080
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
      
      ;; QUESTION SECTION:
      ;ftp.clusters.site1.company.com.   IN      A
      
      ;; ANSWER SECTION:
      ftp.clusters.site1.company.com. 300 IN     A       10.1.1.216
      
      ;; AUTHORITY SECTION:
      clusters.site1.company.com. 120    IN      NS      wkstn1.clusters.site1.company.com.
      
      ;; ADDITIONAL SECTION:
      wkstn1.clusters.site1.company.com. 120 IN  A       10.1.1.172
      
      ;; Query time: 0 msec
      ;; SERVER: 10.1.1.172#53(10.1.1.172)
      ;; WHEN: Tue Aug 14 17:50:13 2008
      ;; MSG SIZE  rcvd: 98

    2. Use the dig utility with the IP address to find the DNS name.

      dig @10.1.1.172 -x 10.1.1.216
      
      ; <<>> DiG 9.3.2 <<>> @10.1.1.172 -x 10.1.1.216
      ; (1 server found)
      ;; global options:  printcmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14497
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;216.1.1.10.in-addr.arpa.       IN      PTR
      
      ;; ANSWER SECTION:
      216.1.1.10.in-addr.arpa. 300    IN      PTR     ftp.clusters.site1.company.com.
      
      ;; AUTHORITY SECTION:
      1.1.10.in-addr.arpa.    120     IN      NS      wkstn1.clusters.site1.company.com.1.1.10.in-addr.arpa.
      
      ;; Query time: 6 msec
      ;; SERVER: 10.1.1.172#53(10.1.1.172)
      ;; WHEN: Tue Aug 14 17:55:01 2008
      ;; MSG SIZE  rcvd: 127

  9. Use the dig utility in a reverse lookup for the old IP address to ensure that it no longer returns an answer (status NXDOMAIN and no ANSWER SECTION).

    dig @10.1.1.172 -x 10.1.1.215
    
    ; <<>> DiG 9.3.2 <<>> @10.1.1.172 -x 10.1.1.215
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49360
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;215.1.1.10.in-addr.arpa.       IN      PTR
    
    ;; AUTHORITY SECTION:
    1.1.10.in-addr.arpa.    120     IN      SOA  wkstn1.clusters.site1.company.com. root.wkstn1.clusters.site1.company.com. 2007032716 10800 3600 604800 86400
    
    ;; Query time: 0 msec
    ;; SERVER: 10.1.1.172#53(10.1.1.172)
    ;; WHEN: Tue Aug 14 17:55:07 2008
    ;; MSG SIZE  rcvd: 105

  10. If your setup passes the tests in this section, continue with Section D.3, Configuring the Cluster Resources for Dynamic DNS. If an update fails, nsupdate reports the server's response code: REFUSED means the zone does not allow updates for that key (check the allow-update clause and the key name, including the trailing dot). A signature problem shows up in the named log as a "tsig verify failure" entry, BADKEY when the server has no key of that name and BADSIG when the secret or algorithm in keys.conf differs from the key files. Correct the configuration, reload named, and repeat the tests.
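The testing procedure above as a scripted, non-interactive round trip, added here as an example and not taken from the appendix: it renders the nsupdate batch with prerequisites, signs it with the TSIG key, and parses dig output to confirm the change. The server address, key file path and host names are the appendix's sample values; the function names, the SAMPLE_DIG text (a trimmed, constructed copy of the dig output shown in Step 8) and the run_test wrapper are this example's own. run_test executes only where bind-utils is installed; the other functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the BCC documentation): the D.2.4 test as a script.
#
# Points the interactive walkthrough does not show:
#  - "prereq yxrrset" makes the update conditional on the old record still
#    being present, so a stale or replayed batch cannot clobber a newer change.
#  - Every "send" is one atomic update message to ONE zone; the A record
#    (forward zone) and the PTR record (reverse zone) need separate sends.
#  - nsupdate -k reads the .private file and needs the matching .key file
#    beside it; both hold the secret, so copy both over scp and chmod 600.
# Assumed values are the appendix's sample values.

SERVER=10.1.1.172
KEYFILE=/home/yourhomedir/Kcluster1.clusters.site1.company.com.+157+60303.private

# reverse_name <ipv4>: PTR owner name for an IPv4 address
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# render_update <fqdn.> <old-ip> <new-ip> <ttl>: nsupdate batch that moves a
# host's A and PTR records, forward and reverse as separate transactions
render_update() {
    name=$1; old=$2; new=$3; ttl=$4
    printf 'server %s 53\n' "$SERVER"
    printf 'prereq yxrrset %s A %s\n' "$name" "$old"
    printf 'update delete %s A\n' "$name"
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$new"
    printf 'send\n'
    printf 'prereq yxrrset %s PTR %s\n' "$(reverse_name "$old")" "$name"
    printf 'update delete %s PTR\n' "$(reverse_name "$old")"
    printf 'update add %s %s PTR %s\n' "$(reverse_name "$new")" "$ttl" "$name"
    printf 'send\n'
}

# answer_a <fqdn.>: read full dig output on stdin and print the A RDATA for
# that exact owner name (the ADDITIONAL section carries other hosts' A records)
answer_a() {
    awk -v n="$1" '$1 == n && $3 == "IN" && $4 == "A" { print $5 }'
}

# dig_status: read dig output on stdin, print NOERROR, NXDOMAIN, REFUSED, ...
dig_status() {
    sed -n 's/.*opcode: QUERY, status: \([A-Z]*\),.*/\1/p'
}

# Constructed dig output (trimmed copy of the post-update query in Step 8)
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35080
;; QUESTION SECTION:
;ftp.clusters.site1.company.com.   IN      A

;; ANSWER SECTION:
ftp.clusters.site1.company.com. 300 IN     A       10.1.1.216

;; ADDITIONAL SECTION:
wkstn1.clusters.site1.company.com. 120 IN  A       10.1.1.172'

# run_test <fqdn.> <old-ip> <new-ip>: the live round trip against $SERVER;
# returns 2 when bind-utils is missing, 1 on a failed update or stale answer
run_test() {
    command -v nsupdate >/dev/null && command -v dig >/dev/null || return 2
    render_update "$1" "$2" "$3" 300 | nsupdate -v -k "$KEYFILE" || return 1
    got=$(dig @"$SERVER" "$1" | answer_a "$1")
    [ "$got" = "$3" ] || return 1
    [ "$(dig @"$SERVER" -x "$2" | dig_status)" = NXDOMAIN ]
}

# Stand-alone use: print the batch that would be sent for the appendix's test
render_update ftp.clusters.site1.company.com. 10.1.1.215 10.1.1.216 300
```

To run the live test, call run_test ftp.clusters.site1.company.com. 10.1.1.215 10.1.1.216 from the client in Step 1; a REFUSED response from nsupdate points at the allow-update clause or the key name, and a prerequisite failure (NXRRSET) means the old A record was already gone, which is exactly the case the prereq line exists to catch.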