Configuration » History » Version 2

Marc Dequènes, 2014-04-10 16:12

h1. Logging

The following verbosity levels are available:

* quiet: display only errors
* normal: informative and warning messages, as well as errors
* verbose: everything above plus debug information

Logging always goes to the console when using the clients, and never on the servers; the verbosity can be adjusted in 'log/console_level'.

Logging to a file can be done on the servers and on ddns-client if a log directory with proper permissions is given in 'log/path'.

h1. DNS

DDNS is used with Bind, so we currently cannot publish a configuration example for another server, but there is no reason it should not work with other software.

DDNS only works using TSIG; insecure communication with the DNS server is not possible (and will not be implemented). To further improve security, the hostnames of your DNS server and of the DDNS services should be in a DNSSEC-signed zone, and the resolvers on all involved machines should validate DNSSEC. The zone to be dynamically updated should also be DNSSEC-signed.

With Bind9 (bind9utils) you can create a keypair using:

<pre>
dnssec-keygen -a HMAC-SHA512 -b 512 -n USER <key-name>
</pre>

with <key-name> being the name of your configuration.

You need to create a key entry in your Bind configuration using the exact same name, for example:

<pre>
key <key-name> {
  algorithm hmac-sha512;
  secret "<secret-key>";
};
</pre>

with <secret-key> being the base64 secret found inside the '.key' file (printed there as two space-separated parts).

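
The following Ruby script is an added example and is not code from the DDNS project: it reads the '.key' file that dnssec-keygen wrote and prints the matching Bind "key" stanza, so the secret is copied mechanically instead of being retyped. It assumes the record layout "<name>. [TTL] IN KEY <flags> <protocol> <algorithm> <base64 ...>", with the base64 secret possibly split into several space-separated chunks (it rejoins them into one string, which Bind accepts); the sample key file and the dummy secret inside it are constructed for the example.

```ruby
require 'base64'

# Added example, not code from the DDNS project: read the '.key' file written
# by dnssec-keygen and emit the matching Bind "key" stanza. Assumes the record
# layout "<name>. [TTL] IN KEY <flags> <protocol> <algorithm> <base64 ...>",
# where the base64 secret may be printed as several space-separated chunks.

# Private-use DNS algorithm numbers that dnssec-keygen assigns to HMAC (TSIG)
# keys, mapped to the algorithm names named.conf expects.
HMAC_ALGORITHMS = {
  157 => 'hmac-md5',
  161 => 'hmac-sha1',
  162 => 'hmac-sha224',
  163 => 'hmac-sha256',
  164 => 'hmac-sha384',
  165 => 'hmac-sha512',
}.freeze

# Returns { name:, algorithm:, secret: } for the first KEY record in the
# file text, or nil when none is found.
def parse_key_file(text)
  text.each_line do |line|
    next if line.start_with?(';') # dnssec-keygen writes comments with ';'
    fields = line.split
    idx = fields.index('KEY')
    next unless idx && idx >= 1 && fields[idx - 1] == 'IN'
    return {
      name: fields.first.sub(/\.\z/, ''), # strip the trailing root dot
      algorithm: Integer(fields[idx + 3]),
      secret: fields[(idx + 4)..].join,   # rejoin the base64 chunks
    }
  end
  nil
end

# Builds the named.conf stanza; refuses keys whose algorithm is not an HMAC
# one and secrets that are not clean base64 (strict_decode64 raises
# ArgumentError on malformed input).
def key_stanza(key)
  alg = HMAC_ALGORITHMS.fetch(key[:algorithm]) do
    raise ArgumentError, "algorithm #{key[:algorithm]} is not an HMAC/TSIG algorithm"
  end
  Base64.strict_decode64(key[:secret])
  "key #{key[:name]} {\n  algorithm #{alg};\n  secret \"#{key[:secret]}\";\n};\n"
end

# Constructed sample of a K<name>.+165+<id>.key file. The secret is a dummy
# 512-bit value (the bytes 0..63), not a real key.
SAMPLE_SECRET = Base64.strict_encode64((0..63).to_a.pack('C*'))
SAMPLE_KEY_FILE = "ddns-home. IN KEY 512 3 165 #{SAMPLE_SECRET[0, 44]} #{SAMPLE_SECRET[44..]}\n"

puts key_stanza(parse_key_file(SAMPLE_KEY_FILE)) if __FILE__ == $PROGRAM_NAME
```

The '.private' file written next to the '.key' file holds the same secret; both should be readable only by the user running the RegIP server, since whoever reads them can issue the same updates.
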
You can then allow this key to update a zone by adding to the zone block:

<pre>
allow-update { key <key-name>; };
</pre>

If you need more information, read the Bind manual.

h1. Webserver

This part of the configuration is needed for the server parts only.

DDNS was only tested with Apache Httpd, so we can only provide configuration examples for this software, but others should work too.

The server parts need to run Ruby. This can be achieved very easily with a Passenger-enabled vhost (read the Phusion Passenger documentation).

The webserver needs to provide authentication because DDNS does not provide any way to handle accounts. In our installation we use an LDAP authentication provider with a custom objectClass for such accounts.

In order to check which DNS entries an account is allowed to modify, this provider must return a custom multi-valued field listing the hostnames to be authorized. In Apache Httpd a provider can fetch extra data in addition to the uid, which is then available to the script as _AUTHENTICATE_*_ environment variables. You need to call this field 'ddnsHostname' (case is not important).

Here is our LDAP configuration as an example:

<pre>
attributetype ( duckcorpAttributeType:32
  NAME 'ddnsHostname'
  DESC 'Dynamic DNS Hostname'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( duckcorpObjectClass:23
  NAME 'ddnsUser'
  SUP top AUXILIARY
  MUST ( ddnsHostname ) )
</pre>

And part of the Apache Httpd configuration as an example:

<pre>
<Location />
  AuthName "DDNS"
  AuthType Basic
  AuthBasicProvider ldap
  # export ddnsHostname attribute
  AuthLDAPUrl ldapi:///<base-dn>?uid,ddnsHostname?sub?(objectClass=ddnsUser)
  AuthLDAPBindDN <bind-dn>
  AuthLDAPBindPassword <bind-pw>
  AuthLDAPRemoteUserAttribute uid
  AuthLDAPDereferenceAliases never
  Require valid-user
</Location>
</pre>

(just fill in <base-dn>, <bind-dn> and <bind-pw> with your own values)

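
As an added example (not code from the DDNS project), here is the kind of server-side check that the exported field enables: deciding whether the authenticated account may touch a given DNS entry. It assumes that mod_authnz_ldap hands the attribute named in AuthLDAPUrl to the application as AUTHENTICATE_DDNSHOSTNAME (the attribute name upper-cased) with multiple values joined by "; ", and that Passenger passes it on in the Rack env; the module and method names and the sample env are this example's own.

```ruby
require 'set'

# Added example, not code from the DDNS project: the server-side check that a
# logged-in account may touch a given DNS entry, based on the hostname list
# the webserver's LDAP provider exports. Assumptions: the value arrives as
# AUTHENTICATE_DDNSHOSTNAME with multiple values joined by "; " (mod_authnz_ldap
# behaviour), and Passenger passes it on in the Rack env.
module DdnsAuth
  module_function

  # Canonical DNS name: trimmed, lower-cased, no trailing root dot. The LDAP
  # attribute uses caseIgnoreMatch, so the comparison is case-insensitive too.
  def canonical(name)
    name.to_s.strip.downcase.sub(/\.\z/, '')
  end

  # Set of canonical hostnames from the exported attribute value (nil when
  # the provider exported nothing, e.g. the entry lacks the ddnsUser class).
  def allowed_hostnames(env_value)
    return Set.new if env_value.nil?
    env_value.split(';').map { |h| canonical(h) }.reject(&:empty?).to_set
  end

  # Exact match only: an entry for 'home.example.net' does not authorize
  # 'sub.home.example.net' or the bare zone. Anonymous requests are refused.
  def allowed?(env, hostname)
    return false if env['REMOTE_USER'].to_s.empty?
    allowed_hostnames(env['AUTHENTICATE_DDNSHOSTNAME']).include?(canonical(hostname))
  end
end

# Constructed Rack env, as Apache plus Passenger would hand it to the app.
SAMPLE_ENV = {
  'REMOTE_USER' => 'alice',
  'AUTHENTICATE_DDNSHOSTNAME' => 'home.example.net; Laptop.Example.NET',
}.freeze

if __FILE__ == $PROGRAM_NAME
  %w[home.example.net LAPTOP.example.net. sub.home.example.net].each do |h|
    puts "#{h}: #{DdnsAuth.allowed?(SAMPLE_ENV, h) ? 'allowed' : 'refused'}"
  end
end
```

Because Basic authentication sends the account password with every request, the Location above should only be reachable over HTTPS.
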
h1. MyIP server

You don't need to configure anything.

h1. MyIP client (ddns-myip [<iface>])

You need to provide a 'url' for your MyIP service provider. You may also provide a 'proxy_url' if you cannot reach the Internet without a proxy.

If you are multihomed, you might want to set up a DNS entry for each provider; in this case you can provide an interface name as a command parameter. A default interface, used to find your main IP without having to provide an interface name every time, can be specified in the 'default_interface' setting.

h1. RegIP server

You need to provide 'regip.ns_server', which is the hostname of your DNS server.

You may provide the TTL used when creating DNS entries in 'regip/ttl'.

You also need to provide, in 'regip/key_file', the path to the TSIG private key used to authenticate to your DNS server. The name of this file needs to be the unaltered name generated by the 'dnssec-keygen' command, and the matching public key must be available in the same directory.

h1. RegIP client (ddns-client)

You need to provide a 'regip/url' for your RegIP service provider. You may also provide a 'regip/proxy_url' if you cannot reach the Internet without a proxy.

You also need to provide a 'regip/passwd' to authenticate with your account.

Then comes the list of DNS entries you wish to configure, as keys in the 'profiles' hash. Each entry may specify an 'ipv4' and/or an 'ipv6' entry. If you do not care about one of the protocols, just don't specify it and it will be ignored (meaning this entry will _never_ be altered).

Each ip field can have the following values:

* <ip>: a manually chosen IP
* none: meaning you do not want any associated IP (if such a DNS entry exists, it will be deleted)
* auto: use MyIP to find your external IP

If you are multihomed you may provide an 'interface' parameter in a profile to force the use of a specific provider.
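
The following Ruby module is an added example, not code from the DDNS client: it turns the 'ipv4' / 'ipv6' values of one profile into the action to take per address family, following the rules above (key absent: never touch the record; 'none': delete it; 'auto': ask MyIP, passing the profile's 'interface' along; anything else: a literal address that must belong to that family). The module, method and action names, the rejection of prefix lengths and of empty values, and the sample profiles are this example's own.

```ruby
require 'ipaddr'

# Added example, not code from the DDNS project: interpret one RegIP client
# profile into the per-family action the client should take. Key absent ->
# never touch the record, 'none' -> delete, 'auto' -> ask MyIP, anything
# else -> a literal address of the matching family.
module RegipProfile
  FAMILIES = { 'ipv4' => 4, 'ipv6' => 6 }.freeze

  module_function

  # Returns { 'ipv4' => [action, argument], 'ipv6' => [action, argument] }
  # where action is :skip, :delete, :auto or :set.
  def plan(profile)
    FAMILIES.to_h { |key, family| [key, action_for(key, family, profile)] }
  end

  def action_for(key, family, profile)
    return [:skip, nil] unless profile.key?(key)

    value = profile[key]
    case value
    when 'none' then [:delete, nil]
    when 'auto' then [:auto, profile['interface']] # interface may be nil
    when String
      # A bare address only: a prefix length would silently turn into a
      # network address, so reject it outright (this example's own check).
      raise ArgumentError, "#{key}: '#{value}' must be a single address" if value.include?('/')
      addr = IPAddr.new(value) # raises IPAddr::InvalidAddressError (an ArgumentError)
      ok = family == 4 ? addr.ipv4? : addr.ipv6?
      raise ArgumentError, "#{key}: '#{value}' is not an IPv#{family} address" unless ok
      [:set, addr.to_s]
    else
      # nil (an empty YAML value) or any other type is ambiguous: demand an
      # explicit 'none' rather than guessing (this example's own choice).
      raise ArgumentError, "#{key}: use 'none', 'auto' or an address, got #{value.inspect}"
    end
  end
end

# Constructed sample 'profiles' hash, as the configuration file would load it.
SAMPLE_PROFILES = {
  'home'   => { 'ipv4' => 'auto', 'ipv6' => 'none', 'interface' => 'eth0' },
  'office' => { 'ipv4' => '192.0.2.10' },
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PROFILES.each { |name, prof| puts "#{name}: #{RegipProfile.plan(prof).inspect}" }
end
```

Validating the family of a literal address up front matters because a mismatch would otherwise only surface as a failed or, worse, wrong dynamic update on the DNS server.
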