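// ----------------------------------------------------------------------------
//
// Instructions for /etc/dnsextd.conf (this file)
//
// In most cases, you should not need to change these default options in
// the "options" section below. The dnsextd daemon will receive DNS packets
// on port 53, and forward them on as appropriate to BIND on localhost:5030.
//
// Note that dnsextd is the only thing BIND sees: every update that reaches
// dnsextd on port 53 arrives at BIND from 127.0.0.1. Whatever update policy
// you configure in /etc/named.conf (see below) is therefore the only thing
// deciding which clients may change the zone, so choose it for the network
// dnsextd is actually reachable from.
//
// You need to edit the "zone" statement below to give the name of your
// dynamic zone that will be accepting Wide-Area Bonjour DNS updates.
//
// ----------------------------------------------------------------------------
//
// Instructions for /etc/named.conf
//
// In /etc/named.conf you will need to modify the "options" section to
// tell BIND to listen on localhost port 5030 for the packets that dnsextd
// forwards, like this:
//
// listen-on port 5030 { 127.0.0.1; };
//
// You also need a "zone" statement in /etc/named.conf to tell BIND the update
// policy for your dynamic zone. For example, within a small closed private
// network, you might allow anyone to perform updates. To do that, you just
// permit any and all updates coming from dnsextd on the same machine:
//
// zone "my-dynamic-subdomain.company.com."
// { type master; file "db.xxx"; allow-update { 127.0.0.1; }; };
//
// Because dnsextd relays on behalf of its clients, "allow-update { 127.0.0.1; }"
// effectively accepts updates from any host that can reach dnsextd on port 53,
// not only from processes on the local machine. Only use this form on a
// network where every host is trusted.
//
// On a machine connected to the Internet or other large open network,
// you'll want to limit updates to only users with keys. For example,
// you could choose to allow anyone with a DNS key on your server to
// perform updates in your dynamic zone, like this:
//
// key keyname. { algorithm hmac-md5; secret "abcdefghijklmnopqrstuv=="; };
// zone "my-dynamic-subdomain.company.com." in
// {
// type master;
// file "db.my-dynamic-subdomain.company.com";
// update-policy { grant * wildcard *.my-dynamic-subdomain.company.com.; };
// };
//
// The secret above is only a placeholder: generate a fresh random secret for
// each key you create, and keep /etc/named.conf readable only by the BIND
// user. hmac-md5 is shown because older dnsextd/BIND versions support nothing
// newer; where your BIND version supports it, prefer "algorithm hmac-sha256;".
//
// "grant * wildcard *.zone." lets every key holder rewrite every name in the
// zone. You could use a single key which you give to all authorized users, but
// it is better (though more work) to create a unique key for each user, and
// then restrict each key to the names it owns, e.g.
// "grant keyname. name host.my-dynamic-subdomain.company.com.;", so that one
// leaked key cannot be used to alter other users' records.
//
// ----------------------------------------------------------------------------

options {
// The addresses and port dnsextd listens on for client DNS packets.
// This defaults to: * port 53
// listen-on port 53 { 192.168.2.10; 127.0.0.1; };
// The BIND instance dnsextd forwards to; keep it on loopback so that only
// dnsextd (not remote hosts) can talk to the port BIND opened for it.
// This defaults to: 127.0.0.1:5030
// nameserver address 127.0.0.1 port 5030;
// This defaults to: 5533
// private port 5533;
// This defaults to: 5352
// llq port 5352;
};

// Replace the name below with your own dynamic zone. "type public" marks the
// zone dnsextd will accept Wide-Area Bonjour updates for; the actual update
// policy for this zone lives in /etc/named.conf, not here.
zone "my-dynamic-subdomain.company.com." {
 type public;
};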