Description
This article describes how to use the FortiGate DHCP server with dynamic update of DNS records (DDNS) and with TSIG authentication.
Scope
To avoid exposing DNS records to unauthenticated changes, all dynamic updates should use transaction signatures (TSIG). TSIG is a method of cryptographically signing each update with a shared secret key known to both the DHCP server and the DNS server.
Solution
You have to generate a TSIG key in order to authenticate the DHCP server to the DNS server for dynamic updates. This can be done with either the dnssec-keygen (BIND 9) or dnskeygen (BIND 8) command. To generate a 128-bit key with dnssec-keygen using the HMAC-MD5 algorithm (mandatory for TSIG keys), run:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-server.example.domain
The secret from the generated key is then placed in the DHCP server settings under 'config system dhcp server':

    FGT3KD-1 # config system dhcp server
    FGT3KD-1 (server) # edit 1
    FGT3KD-1 (1) # set ddns-update enable
    FGT3KD-1 (1) # set ddns-update-override enable
    FGT3KD-1 (1) # set ddns-server-ip 1.1.1.1          # IP address of the DNS server that accepts the updates
    FGT3KD-1 (1) # set ddns-zone example.domain        # DNS zone to update
    FGT3KD-1 (1) # set ddns-auth tsig
    FGT3KD-1 (1) # set ddns-key 'YrjNE9zKuIffBhQSC/4Tkg=='
    FGT3KD-1 (1) # next
    FGT3KD-1 (server) # end
Then configure BIND (named) on the DNS server: the same secret must be placed in a key statement in named.conf:
    key dhcp-server.example.domain. {
        algorithm hmac-md5;
        secret "YrjNE9zKuIffBhQSC/4Tkg==";
    };
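As an added illustration (not part of the original article and not FortiOS or BIND code), the following Python computes and checks the HMAC-MD5 TSIG MAC for a minimal DNS UPDATE message using the key above. It shows exactly what the shared secret covers (the whole request plus the TSIG variables: key name, algorithm, time signed, fudge) and why a stale or altered update fails verification on the server side. The host name and address are constructed sample values; the code computes the MAC only and neither appends the TSIG record nor sends a packet.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret and key name from the article's ddns-key / named.conf key statement.
TSIG_KEY_NAME = "dhcp-server.example.domain."
TSIG_SECRET_B64 = "YrjNE9zKuIffBhQSC/4Tkg=="
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."   # algorithm name TSIG uses for HMAC-MD5


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone: str, host: str, ipv4: str, msg_id: int = 0x1234) -> bytes:
    """Minimal DNS UPDATE (RFC 2136) adding one A record in `zone`, without TSIG."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)    # type SOA, class IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update = wire_name(host) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # A, IN, TTL 300
    return header + zone_section + update


def tsig_mac(message: bytes, time_signed: int, fudge: int = 300,
             secret_b64: str = TSIG_SECRET_B64) -> bytes:
    """HMAC-MD5 over the message followed by the TSIG variables (RFC 2845 section 3.4)."""
    variables = (wire_name(TSIG_KEY_NAME)
                 + struct.pack("!HI", 255, 0)                    # class ANY, TTL 0
                 + wire_name(HMAC_MD5_ALG)
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                               fudge, 0, 0))                    # 48-bit time, fudge, error 0, other len 0
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message + variables, hashlib.md5).digest()


def verify_tsig(message: bytes, mac: bytes, time_signed: int, now: int,
                fudge: int = 300, secret_b64: str = TSIG_SECRET_B64) -> bool:
    """Server-side check: time signed must be within the fudge window and the MAC must match."""
    if abs(now - time_signed) > fudge:
        return False                                             # replayed or stale update
    expected = tsig_mac(message, time_signed, fudge, secret_b64)
    return hmac.compare_digest(expected, mac)                    # constant-time comparison
```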
Add an update-policy substatement to both the forward and reverse zones in named.conf, granting the key the right to update only the record types the DHCP server needs:
    zone "example.domain" {
        type master;
        file "db.example.domain";
        update-policy {
            grant dhcp-server.example.domain. wildcard *.example.domain. A TXT;
        };
    };

    zone "32.16.172.in-addr.arpa" {
        type master;
        file "db.172.16.32";
        update-policy {
            grant dhcp-server.example.domain. wildcard *.32.16.172.in-addr.arpa. PTR;
        };
    };
Note: This does not work with secure DNS updates on Windows systems, as Windows uses the GSS-TSIG protocol, which does not support the HMAC-MD5 algorithm.