=======================================
FreeBSD 14 bind9 ddns
=======================================

How to setup ddns for updating clients over the internet.

Prerequisites are a working named server and a web server to install the php script.


=======================================
/usr/local/etc/namedb/example.com.key
---------------------------------------

tsig-keygen -a sha512 example.com.key > /usr/local/etc/namedb/example.com.key

ls -l /usr/local/etc/namedb/example.com.key             <---- 644


=======================================
/usr/local/etc/namedb/named.conf.zones
---------------------------------------

include "/usr/local/etc/namedb/example.com.key";

zone "example.com" IN {
        type primary;
        file "/usr/local/etc/namedb/dynamic/db.example.com";
        allow-update {
                key example.com.key;
        };
};


=======================================
/usr/local/etc/namedb/dynamic/db.example.com
---------------------------------------

$TTL 3m
@               IN SOA  ns1.example.com. root.example.com. (
                        1               ; Serial Number
                        10800           ; Refresh after  3 hours
                        3600            ; Retry after    1 hour
                        604800          ; Expire after   1 week
                        86400           ; Minimum TTL of 1 day
                )
@                       NS              ns1.example.com.
ns1                     A               99.99.99.99


=======================================
/tmp/foo
---------------------------------------

server 127.0.0.1
zone example.com
update delete dynamo.example.com. A
update add dynamo.example.com. 2 A 10.10.10.101
show
send


=======================================
test command line
---------------------------------------

named-checkconf

rndc reload

nslookup dynamo.example.com

nsupdate -k /usr/local/etc/namedb/example.com.key /tmp/foo

nslookup dynamo.example.com


=======================================
/path/to/site/testddnsupdate.php
---------------------------------------

<?php

// this script is only a bare essentials example for testing
// you might add an update-policy grant/deny to your zone config to restrict what record types can be updated
// you should create your own script with security such as user validation and hostname association for multiple domain keys

$hostname   = 'mylaptop';
$domain     = 'example.com';
$ip         = $_SERVER['REMOTE_ADDR'];
$key        = '/usr/local/etc/namedb/'.$domain.'.key';

$data       = 'server 127.0.0.1
update delete '.$hostname.'.'.$domain.'. A
update add    '.$hostname.'.'.$domain.'. 2 A '.$ip.'
send
';

exec('echo "'.$data.'" | /usr/local/bin/nsupdate -k '.$key, $out, $ret);

if($ret) {
  print('fail');
} else {
  print('success. check nslookup '.$hostname.'.'.$domain);
}

?>


=======================================
/path/to/apache/auth/passwd
---------------------------------------

htpasswd /path/to/apache/auth/passwd username
echo "ddnsgroup: username" >> /path/to/apache/auth/group


=======================================
/path/to/apacche/config
---------------------------------------

<Directory "/path/to/htdocs">
  AuthType Basic
  AuthUserFile /path/to/apache/auth/passwd
  AuthGroupFile /path/to/apache/auth/group
  Require group ddnsgroup
</Directory>

---------------------------------------

apachectl graceful

---------------------------------------

https://ns1.example.com/testddnsupdate.php


=======================================
~/.netrc
---------------------------------------

machine ns1.example.com
login username
password secret

---------------------------------------

chmod 600 ~/.netrc

curl --netrc https://ns1.example.com/testddnsupdate.php

crontab -e
:::
* * * * * curl --netrc https://ns1.example.com/testddnsupdate.php
:::

=======================================
references
---------------------------------------

https://man.freebsd.org/cgi/man.cgi?query=named
https://man.freebsd.org/cgi/man.cgi?query=named.conf
https://man.freebsd.org/cgi/man.cgi?query=nsupdate
https://man.freebsd.org/cgi/man.cgi?query=tsig-keygen


=======================================
done
=======================================