[nycbug-talk] VPN/Integrated Router Appliances
Miles Nordin
carton at Ivy.NET
Sun Oct 15 21:51:07 EDT 2006
>>>>> "hz" == Hans Zaunere <lists at zaunere.com> writes:
hz> -- internal authoritative DNS server to provide internal
hz> server naming for development servers, etc; company internet
hz> facing authoritative DNS is handled elsewhere
I've been using dhcpd's TSIG dynamic update feature, and it seems to
work pretty well.
/etc/dhcpd.conf
-----8<-----
include "/usr/export/named/etc/dhcpd.key";
zone gypsy.th3h.inner.chaos. {
primary 10.100.100.10;
key dhcpd-key;
}
zone 100.100.10.in-addr.arpa. {
primary 10.100.100.10;
key dhcpd-key;
}
ddns-update-style interim;
ignore client-updates;
option domain-name "th3h.inner.chaos";
[...]
-----8<-----
/etc/rc.conf
-----8<-----
named=YES named_chrootdir="/usr/export/named"
dhcpd=YES dhcpd_flags="-q tlp2 tlp3 tlp4"
-----8<-----
(generate this file with
dnssec-keygen -a hmac-md5 -b 512 -n user -r /dev/urandom dhcpd-key
then take the key out of Kdhcpd-key.+157+_____.private and put into
this format after 'secret')
/usr/export/named/etc/dhcpd.key
-----8<-----
key dhcpd-key {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret ABCdefg1234==;
};
-----8<-----
make sure the 'dyn' directory is writeable by the named user.
/usr/export/named/etc/named.conf
-----8<-----
acl localhost6 { ::1/128; };
acl fw { 192.168.0.0/16; 69.31.131.32/27; 2001:4830:2150::/48; localhost; localhost6; };
acl chaosvpn { 10.0.0.0/8; };
include "/etc/dhcpd.key";
zone "100.100.10.in-addr.arpa." in {
type master;
file "dyn/10.100.100.inaddr";
allow-query { fw; chaosvpn; };
allow-update { key dhcpd-key; };
};
zone "gypsy.th3h.inner.chaos." in {
type master;
file "dyn/gypsy.th3h.inner.chaos.master";
allow-query { fw; chaosvpn; };
allow-update { key dhcpd-key; };
};
-----8<-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20061015/1ba0a095/attachment.bin>
More information about the talk
mailing list