Configuration (Version 1)
Marc Dequènes, 2014-04-02 01:27
h1. Logging

The following verbosity levels are available:

* quiet: display only errors
* normal: informative and warning messages, as well as errors
* verbose: everything above plus debug information

Logging is always done on the console when using clients, and never on servers; verbosity can be adjusted in 'log/console_level'.

Logging to file can be done on servers and ddns-client if a log directory with proper permissions is given in 'log/path'.

h1. DNS

DDNS is used with Bind, so we currently cannot publish a configuration example for another server, but there is no reason it should not work with other software.

DDNS only works using TSIG; insecure communication with the DNS server is not possible (and will not be implemented). To further improve security, the hostnames of your DNS server and DDNS services should be in a DNSSEC-secured zone, and the resolvers on all involved machines should validate DNSSEC information. The zone to be dynamically updated should also be DNSSEC-secured.

With Bind9 (bind9utils) you can create a keypair using:
<pre>
dnssec-keygen -a HMAC-SHA512 -b 512 -n USER <key-name>
</pre>
with <key-name> being the name of your configuration.

You need to create a key entry in your Bind configuration using the exact same name, for example:
<pre>
key <key-name> {
  algorithm hmac-sha512;
  secret "<secret-key>";
};
</pre>
with <secret-key> being the space-separated two-part hash inside the '.key' file.

You can then allow this key to update a zone by adding the following to the zone block:
<pre>
allow-update { key <key-name>; };
</pre>

If you need more information, read the Bind manual.

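As an added example (not part of the DDNS project), this Ruby snippet parses the '.key' file written by the dnssec-keygen command above, checks that the secret really is the 64-byte HMAC-SHA512 key that '-b 512' produces, and renders the matching Bind 'key' statement and 'allow-update' line. The algorithm-number table, the sample file and the function names are my own.

```ruby
require 'base64'

# BIND's private algorithm number for HMAC-SHA512 as written by dnssec-keygen
# into the KEY record, mapped to the named.conf algorithm name and the key
# length in bytes that '-b 512' produces. Extend the table for other HMACs.
TSIG_ALGORITHMS = { 165 => ['hmac-sha512', 64] }.freeze

# Constructed sample: what K<key-name>.+165+NNNNN.key looks like, with the
# base64 secret wrapped into two space-separated parts as dnssec-keygen does.
SAMPLE_SECRET = Base64.strict_encode64((1..64).map(&:chr).join)
SAMPLE_KEY_FILE = "ddns-example. IN KEY 0 3 165 " \
                  "#{SAMPLE_SECRET[0, 56]} #{SAMPLE_SECRET[56..-1]}\n"

# Parse the single KEY record of a .key file into name, algorithm and secret,
# rejecting anything that is not a well-formed HMAC key of the expected size.
def parse_tsig_key_file(text)
  record = text.lines.map(&:strip).find { |l| !l.empty? && !l.start_with?(';') }
  raise ArgumentError, 'no KEY record found' if record.nil?
  fields = record.split(/\s+/)
  in_idx = fields.index('IN')
  raise ArgumentError, "not a KEY record: #{record}" if in_idx.nil? || fields[in_idx + 1] != 'KEY'
  alg_number = Integer(fields[in_idx + 4])          # owner IN KEY flags proto alg secret...
  algorithm, expected_bytes = TSIG_ALGORITHMS[alg_number]
  raise ArgumentError, "unsupported algorithm number #{alg_number}" if algorithm.nil?
  secret = fields[(in_idx + 5)..-1].join            # rejoin the wrapped base64 parts
  raw = Base64.strict_decode64(secret)              # raises on malformed base64
  unless raw.bytesize == expected_bytes
    raise ArgumentError, "#{algorithm} secret is #{raw.bytesize} bytes, expected #{expected_bytes}"
  end
  { name: fields[0].chomp('.'), algorithm: algorithm, secret: secret }
end

# Render the named.conf 'key' statement and the zone-level allow-update line.
# The secret is emitted as one base64 string; named also accepts the
# space-separated form copied straight from the file.
def bind_key_config(key)
  <<~CONF
    key "#{key[:name]}" {
      algorithm #{key[:algorithm]};
      secret "#{key[:secret]}";
    };
    allow-update { key "#{key[:name]}"; };
  CONF
end

puts bind_key_config(parse_tsig_key_file(SAMPLE_KEY_FILE)) if __FILE__ == $PROGRAM_NAME
```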
h1. Webserver

This part of the configuration is needed for the server parts only.

DDNS was only tested using Apache Httpd, thus we can only provide configuration examples for this software, but others should work too.

The server parts need to run Ruby. This can be achieved very easily using a Passenger-enabled vhost (read the Phusion Passenger documentation).

The webserver needs to provide authentication because DDNS does not provide any way to handle accounts. In our installation we use an LDAP authentication provider with a custom objectClass for such accounts.

In order to check which DNS entries an account is allowed to modify, this provider must return a custom multi-valued field listing the hostnames to be authorized. In Apache Httpd a provider can fetch extra data in addition to the uid, which is then available to the script as _AUTHENTICATE_*_ environment variables. You need to call this field 'ddnsHostname' (case is not important).

Here is our LDAP configuration as an example:
<pre>
attributetype ( duckcorpAttributeType:32
  NAME 'ddnsHostname'
  DESC 'Dynamic DNS Hostname'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( duckcorpObjectClass:23
  NAME 'ddnsUser'
  SUP top AUXILIARY
  MUST ( ddnsHostname ) )
</pre>
And part of the Apache Httpd configuration as an example:
<pre>
<Location />
  AuthName "DDNS"
  AuthType Basic
  AuthBasicProvider ldap
  # export ddnsHostname attribute
  AuthLDAPUrl ldapi:///<base-dn>?uid,ddnsHostname?sub?(objectClass=ddnsUser)
  AuthLDAPBindDN <bind-dn>
  AuthLDAPBindPassword <bind-pw>
  AuthLDAPRemoteUserAttribute uid
  AuthLDAPDereferenceAliases never
  Require valid-user
</Location>
</pre>
(just fill in <base-dn>, <bind-dn> and <bind-pw> with your own values)

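Added example of how the server side can turn the exported attribute into an authorization decision; it is not the project's own code. It assumes that mod_authnz_ldap exports the attribute as AUTHENTICATE_DDNSHOSTNAME and joins multiple values with '; ', and that Passenger passes the variable through in the Rack env; the function names and sample values are constructed.

```ruby
# Normalize a hostname so that case and a trailing dot never decide the match.
def normalize_hostname(name)
  name.to_s.strip.downcase.chomp('.')
end

# Hostnames the authenticated account may update, taken from the variable
# Apache exports for the 'ddnsHostname' attribute. Multi-valued attributes
# arrive as a single string joined with "; " (assumption about Apache's format).
def authorized_hostnames(env)
  raw = env['AUTHENTICATE_DDNSHOSTNAME']
  return [] if raw.nil? || raw.strip.empty?
  raw.split(/;\s*/).map { |h| normalize_hostname(h) }.reject(&:empty?)
end

# Only an exact match on a listed name counts: a listed host.example.org must
# never authorize sub.host.example.org, evilhost.example.org or the zone apex.
# Without an authenticated user (REMOTE_USER) nothing is allowed.
def update_allowed?(env, requested)
  return false if env['REMOTE_USER'].to_s.empty?
  authorized_hostnames(env).include?(normalize_hostname(requested))
end

# Constructed sample of what Apache and Passenger hand to the application
# for an account whose ddnsHostname attribute holds two values.
SAMPLE_ENV = {
  'REMOTE_USER' => 'alice',
  'AUTHENTICATE_DDNSHOSTNAME' => 'Laptop.dyn.example.org; phone.dyn.example.org.',
}.freeze

if __FILE__ == $PROGRAM_NAME
  %w[laptop.dyn.example.org evil.laptop.dyn.example.org].each do |host|
    puts "#{host}: #{update_allowed?(SAMPLE_ENV, host) ? 'allowed' : 'denied'}"
  end
end
```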
h1. MyIP server

You don't need to configure anything.

h1. MyIP client (ddns-myip)

You need to provide an 'url' for your MyIP service provider. You may also provide a 'proxy_url' if you cannot access the Internet without a proxy.

h1. RegIP server

You need to provide 'regip.ns_server', which is the hostname of your DNS server.

You may provide the TTL used when creating DNS entries in 'regip/ttl'.

You also need to provide the path to the TSIG private key used to authenticate to your DNS server in 'regip/key_file'. The name of this file needs to be the unaltered name generated by the 'dnssec-keygen' command, and your public key must be available in the same directory.

h1. RegIP client (ddns-client)

You need to provide a 'regip/url' for your RegIP service provider. You may also provide a 'regip/proxy_url' if you cannot access the Internet without a proxy.

You also need to provide a 'regip/passwd' to authenticate with your account.

Then comes the list of DNS entries you wish to configure, as keys in the 'profiles' hash. Each entry may specify an 'ipv4' and/or 'ipv6' entry. If you do not care about one of the protocols, just don't specify it and it will be ignored (meaning this entry will _never_ be altered).

Each ip field can have the following values:

* <ip>: a manually chosen IP
* none: which means you do not want any associated IP (if such a DNS entry exists, it will be deleted)
* auto: use MyIP to find your external IP