[nycbug-talk] VPN/Integrated Router Appliances

Miles Nordin carton at Ivy.NET
Sun Oct 15 21:51:07 EDT 2006


>>>>> "hz" == Hans Zaunere <lists at zaunere.com> writes:

    hz> -- internal authoritative DNS server to provide internal
    hz> server naming for development servers, etc; company internet
    hz> facing authoritative DNS is handled elsewhere

I've been using dhcpd's TSIG dynamic update feature, and it seems to
work pretty well.

/etc/dhcpd.conf
-----8<-----
include "/usr/export/named/etc/dhcpd.key";
zone gypsy.th3h.inner.chaos. {
        primary 10.100.100.10;
        key dhcpd-key;
}
zone 100.100.10.in-addr.arpa. {
        primary 10.100.100.10;
        key dhcpd-key;
}
ddns-update-style interim;
ignore client-updates;
option domain-name "th3h.inner.chaos";

[...]
-----8<-----

/etc/rc.conf
-----8<-----
named=YES       named_chrootdir="/usr/export/named"
dhcpd=YES       dhcpd_flags="-q tlp2 tlp3 tlp4"
-----8<-----

(generate this file with
  dnssec-keygen -a hmac-md5 -b 512 -n user -r /dev/urandom dhcpd-key
 then take the key out of Kdhcpd-key.+157+_____.private and put it into
 this format after 'secret')
/usr/export/named/etc/dhcpd.key
-----8<-----
key dhcpd-key {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret ABCdefg1234==;
};
-----8<-----


Make sure the 'dyn' directory is writeable by the named user.

/usr/export/named/etc/named.conf
-----8<-----
acl localhost6  { ::1/128; };
acl fw          { 192.168.0.0/16; 69.31.131.32/27; 2001:4830:2150::/48; localhost; localhost6; };
acl chaosvpn    { 10.0.0.0/8; };

include "/etc/dhcpd.key";

zone "100.100.10.in-addr.arpa." in {
        type master;
        file "dyn/10.100.100.inaddr";
        allow-query { fw; chaosvpn; };
        allow-update { key dhcpd-key; };
};

zone "gypsy.th3h.inner.chaos." in {
        type master;
        file "dyn/gypsy.th3h.inner.chaos.master";
        allow-query { fw; chaosvpn; };
        allow-update { key dhcpd-key; };
};
-----8<-----
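The three files above have to agree with each other: the zone names in dhcpd.conf must match zones that named serves, both sides must name the same TSIG key, named must only accept updates signed with that key, and the shared secret must actually be a usable key. The script below, an added example that is not part of the post, cross-checks a dhcpd.conf, a named.conf and the key file for exactly those properties using only the Python standard library. The sample inputs are constructed copies of the post's configs (the secret is generated inline for illustration, not the post's placeholder), and the check goes slightly beyond the post by also flagging `allow-update { any; };` and a missing `ignore client-updates`. It assumes the file syntax shown in the post; it is not a full parser for either program's configuration language.

```python
"""Cross-check dhcpd.conf, named.conf and the shared TSIG key file for a
DHCP -> DNS dynamic-update setup (added example, stdlib only)."""
import base64
import binascii
import re

MIN_SECRET_BITS = 128   # a key shorter than the HMAC output adds nothing
LEGACY_ALGS = {"hmac-md5", "hmac-md5.sig-alg.reg.int"}


def _block(text, pos):
    """Return the text inside the balanced {...} starting at or after pos."""
    start = text.index("{", pos)
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces")


def _zone_name(name):
    """Normalise 'Foo.Example.' and 'foo.example' to the same key."""
    return name.strip('"').lower().rstrip(".")


def parse_keys(keyfile):
    """key NAME { algorithm ALG; secret SECRET; };  ->  {name: (alg, secret)}"""
    keys = {}
    for m in re.finditer(r'\bkey\s+"?([\w.-]+)"?\s*\{', keyfile):
        body = _block(keyfile, m.end() - 1)
        alg = re.search(r"algorithm\s+([\w.-]+)\s*;", body).group(1).lower()
        secret = re.search(r'secret\s+"?([^";\s]+)"?\s*;', body).group(1)
        keys[m.group(1)] = (alg, secret)
    return keys


def parse_dhcpd_zones(conf):
    """zone NAME { primary IP; key KEY; }  ->  {zone: key-name or None}"""
    zones = {}
    for m in re.finditer(r"\bzone\s+([\w.-]+)\s*\{", conf):
        body = _block(conf, m.end() - 1)
        k = re.search(r"\bkey\s+([\w.-]+)\s*;", body)
        zones[_zone_name(m.group(1))] = k.group(1) if k else None
    return zones


def parse_named_zones(conf):
    """zone "NAME" in { ... allow-update { ... }; };  ->  {zone: [principals]}"""
    zones = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"\s*(?:in\s+)?\{', conf, re.I):
        body = _block(conf, m.end() - 1)
        principals = []
        upd = re.search(r"allow-update\s*\{", body)
        if upd:
            inner = _block(body, upd.end() - 1)
            principals = [p.strip() for p in inner.split(";") if p.strip()]
        zones[_zone_name(m.group(1))] = principals
    return zones


def check_secret(alg, secret):
    """Findings about one TSIG key: decodes as base64, long enough, modern alg."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return ["secret is not valid base64"]
    findings = []
    if len(raw) * 8 < MIN_SECRET_BITS:
        findings.append(f"secret is only {len(raw) * 8} bits (want >= {MIN_SECRET_BITS})")
    if alg in LEGACY_ALGS:
        findings.append(f"algorithm {alg} is legacy; prefer hmac-sha256")
    return findings


def audit(dhcpd_conf, named_conf, keyfile):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    keys = parse_keys(keyfile)
    for name, (alg, secret) in keys.items():
        findings += [f"key {name}: {f}" for f in check_secret(alg, secret)]
    if "ignore client-updates" not in dhcpd_conf:
        findings.append("dhcpd: 'ignore client-updates' not set; clients may update their own A records")
    named = parse_named_zones(named_conf)
    for zone, key in parse_dhcpd_zones(dhcpd_conf).items():
        if zone not in named:
            findings.append(f"zone {zone}: in dhcpd.conf but not served by named")
            continue
        if key not in keys:
            findings.append(f"zone {zone}: dhcpd references undefined key {key}")
        if f"key {key}" not in named[zone]:
            findings.append(f"zone {zone}: named does not allow-update with key {key}")
    for zone, principals in named.items():
        if "any" in principals:
            findings.append(f"zone {zone}: allow-update {{ any; }} accepts unsigned updates")
    return findings


# --- constructed samples modelled on the post's three files ------------------
GOOD_SECRET = base64.b64encode(bytes(range(64))).decode()   # 512-bit, illustration only
KEYFILE = f"key dhcpd-key {{\n\talgorithm HMAC-MD5.SIG-ALG.REG.INT;\n\tsecret {GOOD_SECRET};\n}};\n"
DHCPD_CONF = """include "/usr/export/named/etc/dhcpd.key";
zone gypsy.th3h.inner.chaos. {
        primary 10.100.100.10;
        key dhcpd-key;
}
zone 100.100.10.in-addr.arpa. {
        primary 10.100.100.10;
        key dhcpd-key;
}
ddns-update-style interim;
ignore client-updates;
option domain-name "th3h.inner.chaos";
"""
NAMED_CONF = """acl chaosvpn    { 10.0.0.0/8; };
include "/etc/dhcpd.key";
zone "100.100.10.in-addr.arpa." in {
        type master;
        file "dyn/10.100.100.inaddr";
        allow-query { chaosvpn; };
        allow-update { key dhcpd-key; };
};
zone "gypsy.th3h.inner.chaos." in {
        type master;
        file "dyn/gypsy.th3h.inner.chaos.master";
        allow-query { chaosvpn; };
        allow-update { key dhcpd-key; };
};
"""

if __name__ == "__main__":
    for f in audit(DHCPD_CONF, NAMED_CONF, KEYFILE) or ["no findings"]:
        print(f)
```

Run against the post's layout the only finding is the legacy HMAC-MD5 algorithm; swapping the real secret for a short placeholder, or changing one `allow-update` to `any`, produces a finding for that file, which is the kind of drift that silently turns authenticated dynamic updates into unauthenticated ones.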