*nix Tip of the Day: Dynamic DNS
It's nice to have DNS records for all of your computers. It's a giant pain in the ass to remember IP addresses, especially if you're on something like a cable connection, where the IP address is dynamic (but only changes every month or two). Now, you could go ahead and use DynDNS or No-IP or something. But those are lame. You have to use a subdomain of one of their domains, and you have to use their software to update. You might be wondering if there's a better way. Well, there is. Standard DNS supports dynamic updates (RFC 2136), it turns out, authenticated with a shared-secret TSIG key (RFC 2845). In BIND, who may send updates is managed through the allow-update parameter (or, more narrowly, update-policy, which limits a key to particular names and record types instead of the whole zone). I had some free time this week after I finished finals, so I went ahead and set it up, along with the other trimmings required for Wide-Area Bonjour. It's cool, so I thought I'd post a bit.
The most important resource for all of this stuff is dns-sd.org.
Aside from a couple of minor errors that I corrected and an update for
OS X 10.5+, this Tip will be based off of the guides from that site. So
credit to them.
Okay, so we're going to start with the server-side setup. We'll be following the DNS-SD people's instructions at dns-sd.org. In fact, there are only two issues with their instructions:
- You need to make a HOST key with dnssec-keygen (-n HOST), not a ZONE key. You're not even allowed to make an HMAC-MD5 ZONE key. What you're generating here is a TSIG shared secret; dnssec-keygen is just the tool that produces it. You could also try making an RSA key (instead of an HMAC-MD5 key), but then OS X would probably complain when you tried to set up auto-updating. This isn't a major issue; just change ZONE to HOST under the "Shared Secrets" section.
- dnsextd doesn't seem to work on Unix. I downloaded mDNSResponder version 212.1 from Apple's open source site (well, actually, from a mirror) and it built okay. The first exciting bug that I noticed is that it segfaults if you don't install the configuration file into /etc/dnsextd.conf. Error-checking is for sissies, right?
Once you get the configuration file installed, it still doesn't seem to work. The parser barfs at all of the things in the options section (listen-on, etc), and I can't figure out how to give it the TSIG key so that it can actually do, you know, dynamic updates (no, it doesn't actually take a -k flag like the guide says). Anyhow, without that, it seems to be failing when trying to connect to BIND. But I can't really tell, because it doesn't give any useful errors. Just "ConnectToServer: failed" (which is from line 477 of DNSShared/dnsextd.c, if you're interested). Now, dnsextd isn't strictly necessary for this to work. But I was looking forward to Long-Lived Queries...
I might try again during break, using an older version of dnsextd. Maybe it'll correspond better to the instructions. If so, I'll post an update.
- (This only applies if you're on Debian.) Debian, by default, doesn't give the user that bind runs as permission to write the bind configuration directory, /etc/bind. This is probably a good thing from a security perspective. Unfortunately, a dynamic zone needs a writable location: named keeps a journal (.jnl) next to the zone file and periodically rewrites the zone file itself. So I went ahead and gave the bind user write permission on /etc/bind. I know, it's sad, and bad for security. The better way is to put this zone file into its own directory and safeguard the rest of the config; the Debian bind9 package already provides /var/lib/bind, writable by the bind user, for exactly this purpose, so the dynamic zone can live there while /etc/bind stays read-only.
If you can get through the linked tutorial (with the above additions), you ought to have a working BIND server to do dynamic updates on. Cool. But how to test it? You could write a simple little Perl app to run it, or just drive it with nsupdate, which ships with BIND. Or you could use OS X, which has built-in support for this as part of Wide-Area Bonjour, a technology that applies Apple's Bonjour local zero-configuration network stuff to the Internet. Essentially, it's just DNS-SD (PTR, SRV and TXT records) served over ordinary unicast DNS, with dynamic update used to register them. But it's still cool.
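Here is the nsupdate-based test mentioned above, together with the matching server-side stanzas, as an added example that is not code from the original post or from the dns-sd.org guide. It assumes the guide's key name bonjour.example.com., a zone example.com., a name server on 127.0.0.1, and a placeholder secret; the real secret is the "Key:" line of the .private file that dnssec-keygen wrote (BIND 9.13 and later generate TSIG keys with tsig-keygen instead). It deliberately uses update-policy rather than allow-update, because with allow-update anyone holding the key, including a stolen laptop, can rewrite every record in the zone, whereas update-policy confines the key to the listed record types. HMAC-MD5 is kept because that is what OS X's updater speaks; as a MAC it is still acceptable, but the shared secret itself is the thing to protect.

```shell
#!/bin/sh
# Added example, not code from the original post or from the dns-sd.org guide.
# Generates the BIND stanzas for a TSIG-authenticated dynamic zone and drives a
# test update with nsupdate. Every name, address and the secret is a placeholder.
set -eu

KEY_NAME="bonjour.example.com."   # assumed key name (the guide's example)
ZONE="example.com."               # assumed zone
SERVER="127.0.0.1"                # assumed: run this on the BIND host itself
# Placeholder, not a real secret. Use the "Key:" line of the .private file from:
#   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST bonjour.example.com.
SECRET="${TSIG_SECRET:-cGxhY2Vob2xkZXItbm90LWEtc2VjcmV0}"

# named.conf fragment. update-policy instead of allow-update: allow-update lets
# the key rewrite anything in the zone, update-policy limits it to these types.
bind_fragment() {
  cat <<EOF
key "$KEY_NAME" {
    algorithm hmac-md5;
    secret "$SECRET";
};

zone "$ZONE" {
    type master;
    # Debian provides /var/lib/bind writable by bind for dynamic zones,
    # so /etc/bind can stay read-only.
    file "/var/lib/bind/db.example.com";
    update-policy {
        grant $KEY_NAME subdomain $ZONE A AAAA SRV PTR TXT;
    };
};
EOF
}

# nsupdate script: replace the A record for host $1 with address $2.
# The "update delete" makes the change idempotent on repeated runs.
nsupdate_script() {
  cat <<EOF
server $SERVER
zone $ZONE
update delete $1 A
update add $1 300 A $2
send
EOF
}

# Push the update, signed with the key via -y, then read the record back.
# Needs nsupdate and dig from the BIND utilities (dnsutils on Debian).
ddns_update() {
  nsupdate_script "$1" "$2" | nsupdate -y "hmac-md5:${KEY_NAME}:${SECRET}"
  dig @"$SERVER" +short "$1" A
}

# Wide-Area Bonjour check: these PTR records are what a Mac browses for once
# the zone has been added as a search domain.
wide_area_check() {
  dig @"$SERVER" +short "_services._dns-sd._udp.$ZONE" PTR
  dig @"$SERVER" +short "b._dns-sd._udp.$ZONE" PTR
}

case "${1:-show}" in
  update) ddns_update "$2" "$3" ;;        # ./ddns.sh update laptop.example.com. 192.0.2.10
  check)  wide_area_check ;;              # ./ddns.sh check
  *)      bind_fragment; echo; nsupdate_script "laptop.$ZONE" 192.0.2.10 ;;
esac
```

Run it with no arguments to see the generated stanzas and the nsupdate script; with `update <name> <addr>` it sends the signed update and reads the record back with dig. If the update is refused, named logs the reason (bad TSIG, name outside the grant, unwritable zone directory) in its own log, which is far more useful than nsupdate's terse reply.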
My first advice if you're going to use this with OS X is to NOT use the instructions at dns-sd.org. They might be great for 10.4, but there's no reason to be installing extra pref panes on 10.5 or 10.6. Do note that you can just add the dynamic zone as a new search domain if you want to browse its contents, though. As for setting up updates from the Mac, well, it's pretty simple:
- Open System Preferences
- Click Sharing
- Click Edit under the Computer Name box
- Check Use dynamic global hostname
- Type in the desired hostname in the Hostname box
- Put the name of the key you created on the server in the User box (in the example, bonjour.example.com)
- Put the key's shared secret (the Key: line from the .private file dnssec-keygen wrote) in the Password box
- Check Advertise services in this domain using Bonjour if you want to publish SRV records
- Click OK
Congratulations! You are now using Dynamic DNS and Wide-Area Bonjour!