Bind + ISC dhcpd integration (for intranet split-horizon, etc)
Bjørn Mork
bjorn at mork.no
Thu Dec 17 03:56:30 EST 2020
Philip Prindeville <philipp_subx at redfish-solutions.com> writes:
> https://github.com/openwrt/packages/pull/14240
>
> The previous one is a precursor for getting Bind to start before DHCPD.
That makes more sense yes.
I looked at it briefly. A couple of notes without testing:
I would not have used a key named "rdnc"-anything for zone updates.
rndc is the remote management tool for BIND, and most users will
probably assume that a key with such a name is dedicated to restricting
rndc access.
And I would have defined a limited "update-policy" for each key/identity
instead of using "allow-update". You probably only want the DHCP server
to modify A records in the forward zone and PTR records in the reverse
zone.
Alternatively, you might want to consider "update-policy local" since
BIND and the DHCP server run on the same host. This has the advantage
that only local clients are allowed to do updates. BIND will
automatically generate a HMAC-SHA256 session key named "local-ddns" and
store it in /var/run/named/session.key (These defaults can be adjusted
using session-keyfile, session-keyname, and session-keyalg options).
Just point the DHCP server to that file and key name.
Bjørn
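The two alternatives described in the message, as an added configuration example (not config from the PR or from the message itself); the zone names, file paths, the "dhcp-update" key name and dhcpd's ability to read the session key file are assumptions:

```conf
// named.conf fragment (added example, not the PR's own configuration).
// Key name deliberately does not look like an rndc key.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen, placeholder>";
};

// Option 1: a dedicated key, scoped with update-policy.
zone "lan.example" {
    type master;
    file "lan.example.db";
    // Weak: the key may add or delete ANY record type in the zone.
    // allow-update { key "dhcp-update"; };
    // Scoped: only A and AAAA records under the zone apex.
    update-policy {
        grant dhcp-update zonesub A AAAA;
    };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "1.168.192.db";
    // Reverse zone: only PTR records.
    update-policy {
        grant dhcp-update zonesub PTR;
    };
};

// Option 2: update-policy local. named generates the "local-ddns"
// HMAC-SHA256 key itself and writes it to /var/run/named/session.key;
// only updates signed with it and arriving from localhost are accepted.
zone "guest.example" {
    type master;
    file "guest.example.db";
    update-policy local;
};
```

```conf
# dhcpd.conf fragment for option 2 (added example). The include makes
# the key "local-ddns" available to dhcpd; dhcpd needs read access to it.
ddns-update-style standard;
include "/var/run/named/session.key";

zone guest.example. {
    primary 127.0.0.1;
    key local-ddns;
}
```

Run named-checkconf on the resulting named.conf before restarting named; it catches a grant rule that names a key which was never defined.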
More information about the openwrt-devel mailing list