
BIND9

Berkeley Internet Name Domain


TSIG

Transaction SIGnatures

Generating a Shared Key

# tsig-keygen <key name> > <key-name.key>
tsig-keygen ddns > /etc/bind/ddns.key

Add TSIG key to config

named.conf
# include "<key-path.key>";
include "/etc/bind/ddns.key";

Check config file

Check config file syntax

named-checkconf

Reload

Reload / Restart

rndc reload [<zone>]

Dynamic Update (RFC 2136)

Enable dynamic update

key "ddns" {
algorithm hmac-sha256;
secret "...";
}

# context: { options | view | zone }
allow-update {
# Address Match List
# [!] 10.0.0.1[/24]; ...

# Allow update with TSIG Key
key ddns;
};

Manual edit dynamic records

Ref: Why don't my zones reload when I do an "rndc reload"?

note

If dynamic update is enabled, rndc reload will not reload the zone file: the live zone lives in its journal (.jnl) file, so the zone must be frozen (which flushes the journal and stops updates), edited, and then thawed.

  • Stop dynamic update

    rndc freeze
  • Edit the zone file

  • Reload the zone file and start dynamic update

    rndc thaw

Ref: Address Match List

Ref: Dynamic Update

Ref: RFC 2136

Update dynamic record

# nsupdate [-k <TSIG key file>]
nsupdate -k ddns.key

# server <DNS server address or hostname> [port]
> server ns1.example.com

# update add <name> <TTL> <record type> <value>
> update add www.example.com. 3600 A 1.1.1.1

# update delete <name> <record type>
> update delete dns.example.com. A

# show what will be sent
> show

> send
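The key statement written by tsig-keygen above and the signature that nsupdate -k attaches to each update are tied together by TSIG (RFC 8945). The following is an added example, not code from BIND or this page: it parses a key statement of the shape tsig-keygen prints, computes the TSIG HMAC over a DNS message plus the TSIG variables, and shows the checks a server applies (time window, constant-time MAC compare). The key statement, its dummy secret and the minimal UPDATE message are constructed for the example.

```python
"""Added example (not part of BIND): parse a tsig-keygen key statement and
compute/verify the TSIG HMAC (RFC 8945) that nsupdate and named exchange."""
import base64, hashlib, hmac, re, struct, time

ALGS = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}

def parse_key_file(text):
    """Return (name, algorithm, secret bytes) from a named.conf key statement."""
    m = re.search(r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                  r'\s*secret\s+"([A-Za-z0-9+/=]+)"\s*;', text)
    if not m:
        raise ValueError("no key statement found")
    return m.group(1), m.group(2).lower(), base64.b64decode(m.group(3))

def wire_name(name):
    """Uncompressed DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tsig_mac(secret, alg, msg, key_name, time_signed, fudge=300, error=0, other=b""):
    """HMAC over the message (before the TSIG RR is appended) followed by the
    TSIG variables: key name, CLASS ANY, TTL 0, algorithm, 48-bit time signed,
    fudge, error, other-len, other-data (RFC 8945 section 4.3.3)."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(alg)
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                               fudge, error, len(other)) + other)
    return hmac.new(secret, msg + variables, ALGS[alg]).digest()

def verify(secret, alg, msg, key_name, time_signed, mac, now=None, fudge=300):
    """What a server checks: time inside the fudge window, then a constant-time MAC compare."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False  # BADTIME
    return hmac.compare_digest(mac, tsig_mac(secret, alg, msg, key_name, time_signed, fudge))

# Constructed key statement in the shape tsig-keygen prints; the secret is a dummy.
SAMPLE_KEY = ('key "ddns" {\n\talgorithm hmac-sha256;\n\tsecret "'
              + base64.b64encode(bytes(range(32))).decode() + '";\n};\n')

def demo():
    """Sign a minimal constructed UPDATE message (opcode 5, one zone entry), then
    show that a modified message and a stale timestamp both fail verification."""
    name, alg, secret = parse_key_file(SAMPLE_KEY)
    msg = b"\x12\x34\x28\x00\x00\x01\x00\x00\x00\x00\x00\x00" + wire_name("example.com") + struct.pack("!HH", 6, 1)
    ts = 1_700_000_000
    mac = tsig_mac(secret, alg, msg, name, ts)
    return (verify(secret, alg, msg, name, ts, mac, now=ts + 10),
            verify(secret, alg, msg[:-1] + b"\xff", name, ts, mac, now=ts + 10),
            verify(secret, alg, msg, name, ts, mac, now=ts + 1000))
```

demo() returns (True, False, False): the untouched message verifies, the altered one and the one outside the fudge window do not, which is why a leaked key file matters more than a captured update.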

Re-transfer zone

Run on the slave (secondary) server

# rndc retransfer <zone>
rndc retransfer example.org