[Pdns-dev] Dynamic dns update support

John Reuning john at ibiblio.org
Thu Feb 21 16:05:11 CET 2013


Ruben,

Thanks again for the help.  "allow-2136-from=" seems to clear the
ACLs, and key-only auth works great.

In case anyone is interested, nsupdate works with either a BIND-style
key config file (the -k option) or a key section in the nsupdate input
to PowerDNS.  One difference seems to be that BIND accepts updates
without the zone section.  PowerDNS refuses updates without it.  I
don't mind the requirement.  The spec has an RRset requirement but is
vague on whether a zone section must be present or not.

-John

On Thu, Feb 21, 2013 at 2:37 AM, Ruben d'Arco <cyclops at prof-x.net> wrote:
> Hi John,
>
> Indeed, you need to enable it. You might want to go into the pdns source folder $source/pdns/docs and type 'make'.
> This will create/build the documentation. There's a chapter on rfc2136 :-)
>
> What the docs will tell you is that there is also a global 'allow-2136-from' setting that allows you to filter who is able to send updates.
> The default is 0.0.0.0/0 which is everybody, so be aware of that!
> You can also use ALLOW-2136-FROM and/or TSIG-ALLOW-2136 in the domainmetadata table.
>
> Happy rfc2136'ing ;-)
>
> Regards,
>         Ruben
>
> On Wed, Feb 20, 2013 at 06:36:13PM -0500, John Reuning wrote:
>> Never mind.  30 seconds after I sent the last email, I realized there
>> may be a config option to turn it on.  30 seconds after that, I found
>> experimental-rfc2136 in the code.  nsupdate is very happy now.
>>
>> Thanks,
>>
>> -John
>>
>> On Wed, Feb 20, 2013 at 6:30 PM, John Reuning <john at ibiblio.org> wrote:
>> > Ruben,
>> >
>> > The rfc2136 branch builds and seems to run with normal functionality.
>> > However, zone changes submitted via nsupdate result in a REFUSED
>> > error.  I tried setting loglevel=9 but don't see any debug output.
>> > Does your implementation work with nsupdate?
>> >
>> > Thanks,
>> >
>> > -John
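
An added example, not part of the original thread or of PowerDNS: a small check that reads a pdns.conf-style file and reports whether the dynamic-update ACL discussed above is still at the default 0.0.0.0/0 Ruben warns about. The function names, the `key=value` / `#` comment parsing, the comma-separated netmask list and the sample config are assumptions made for illustration.

```python
import ipaddress

# Default for the global allow-2136-from setting, as quoted in the thread.
DEFAULT_ALLOW = "0.0.0.0/0"

def parse_conf(text):
    """Parse 'key=value' lines; '#' starts a comment (assumed file format)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings

def audit_2136(text):
    """Return (status, detail) describing who may send updates by source IP."""
    conf = parse_conf(text)
    # Assumption: any value other than empty/no/off switches the feature on.
    if conf.get("experimental-rfc2136", "no").lower() in ("", "no", "off"):
        return ("disabled", "experimental-rfc2136 is not enabled")
    allow = conf.get("allow-2136-from", DEFAULT_ALLOW)
    if allow == "":
        # The 'allow-2136-from=' case John reports: IP ACL cleared, keys only.
        return ("key-only", "IP ACL cleared; verify TSIG-ALLOW-2136 per zone")
    nets = []
    for item in allow.split(","):
        try:
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
        except ValueError:
            return ("invalid", "cannot parse %r" % item.strip())
    wide = [str(n) for n in nets if n.prefixlen == 0]
    if wide:
        return ("open", "updates accepted from any address: " + ", ".join(wide))
    return ("restricted", ", ".join(str(n) for n in nets))

# Constructed sample config (not from the thread): feature on, ACL left unset.
SAMPLE = """\
experimental-rfc2136=yes
# allow-2136-from not set, so the default applies
"""

if __name__ == "__main__":
    print(audit_2136(SAMPLE))
```

Per-zone ALLOW-2136-FROM and TSIG-ALLOW-2136 entries live in the domainmetadata table and are outside what this file check sees.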

