Create public/private key pair
dnssec-keygen is a tool in dnsutils on Debian. With it, I create a key pair.
The shell session is like this:
$ /usr/sbin/dnssec-keygen -T KEY -a RSASHA256 -b 2048 -n HOST www.gniibe.org.
Generating key pair.............................+++ ...........................................................+++
Kwww.gniibe.org.+008+34054
As a result, I have two files:
Kwww.gniibe.org.+008+34054.key
Kwww.gniibe.org.+008+34054.private
With the content of the public key file, I add the following entry to the zone file of gniibe.org:
www KEY 512 3 8 ( AwEAAbugHbwnxj5W3N4eOx9La5aswNrE3q4BEujhkgzX
                  IFZN5JbPJfppNamL5+tZt/vtuAaAwv/iVynYWk29/NdW
                  viCVJil8Op3GyqeKfN1PRildQ6qO6/GkYsuVub2mgwTQ
                  SfYFUKiDP2JR6Y34rkGaEL8ZUTSCKIAOhug2JVprhhMm
                  UEHWmXDGY/qW48YjBIwX78Pqsp2AxYQmtxjSFg4979kF
                  NPUn5t7q8JBkxbEmG1KDAbKFRUqAI3/4kMx9w02pgQKV
                  dlmazo8vo9Uw6BExnj573h0WJ6Tq/269K7ELbOAQA7eb
                  LE6umb3y23norERGjQjcsKo8Jncc0WImIdbc0rc= ) ; key id = 34054
Note that the record can be split across several lines by enclosing the RDATA in parentheses.
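The "key id = 34054" comment and the "+008+34054" part of the file names are the RFC 4034 key tag and algorithm number of this KEY record, which is how the zone-file entry can be matched to the K*.key and K*.private files. The script below is an added example, not code from the original post: it computes the key tag from the record fields and rebuilds the dnssec-keygen base name, using a constructed four-byte sample key rather than the real one. It assumes POSIX sh with the coreutils base64 and od utilities and awk.

```shell
#!/bin/sh
# Added example, not from the original post: derive the RFC 4034 key tag of a
# KEY/DNSKEY record and the dnssec-keygen file name that goes with it, so the
# zone-file entry ("; key id = N") can be checked against the K*.key/.private
# files before the key is granted update rights. Assumes POSIX sh plus the
# coreutils base64 and od utilities and awk.

# key_tag FLAGS PROTOCOL ALGORITHM BASE64KEY -> prints the 16-bit key tag.
key_tag() {
    flags=$1; proto=$2; alg=$3; b64=$4
    # RDATA is the 2-byte flags field, 1-byte protocol, 1-byte algorithm and
    # the raw public key. Emit it as one decimal byte per line, then fold it
    # with the RFC 4034 Appendix B algorithm.
    {
        printf '%d\n%d\n%d\n%d\n' $((flags / 256)) $((flags % 256)) "$proto" "$alg"
        printf '%s' "$b64" | base64 -d | od -An -v -tu1 | tr -s ' ' '\n' | sed '/^$/d'
    } | awk '
        # Bytes at even offsets are weighted by 256, bytes at odd offsets by 1.
        { ac += (NR % 2 == 1) ? $1 * 256 : $1 }
        # Add the carry out of the low 16 bits, then keep the low 16 bits.
        END { ac += int(ac / 65536) % 65536; print ac % 65536 }
    '
}

# keygen_basename NAME ALGORITHM TAG -> the base name dnssec-keygen uses for
# the two key files, e.g. Kwww.gniibe.org.+008+34054 (zero-padded fields).
keygen_basename() {
    printf 'K%s+%03d+%05d\n' "$1" "$2" "$3"
}

# Constructed sample (not a real key): flags 512 and protocol 3 and algorithm 8
# as in the post's record, with public key bytes 01 02 03 04 ("AQIDBA==").
SAMPLE_TAG=$(key_tag 512 3 8 AQIDBA==)
echo "sample key tag: $SAMPLE_TAG"                                  # prints 2318
echo "sample file name: $(keygen_basename www.gniibe.org. 8 "$SAMPLE_TAG")"
```

Running key_tag over the real record (flags 512, protocol 3, algorithm 8, and the base64 text with the whitespace between the parentheses removed) should print the 34054 shown in the "; key id" comment and in the file names; a different number means the public key was copied into the zone file incorrectly, and the server would then reject updates signed with the private key.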
I add the following lines to named.conf:
update-policy {
    grant www.gniibe.org. subdomain gniibe.org A TXT MX CNAME DNSKEY;
};
It could be the following if you only update the entry of www.gniibe.org:
update-policy {
    grant www.gniibe.org. name www.gniibe.org. A TXT;
    grant <keyname> name <hostname> A TXT;
};
nsupdate command line and input
I create a hook for DHCP: /etc/dhcp/dhclient-exit-hooks.d/upnp+nsupdate. In that file, I have the following invocation of nsupdate:
nsupdate -k Kwww.gniibe.org.+008+34054.private <<EOF
server 211.14.6.125
zone gniibe.org
update delete www.gniibe.org. A
update add www.gniibe.org. 600 A $external_ip
send
EOF
See "UPnP and running a web service behind firewall" for the UPnP part of the file.
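The heredoc above interpolates $external_ip straight into the text that nsupdate reads, so whatever the UPnP step hands back becomes part of the update script. The script below is an added example and not the hook from the original post: it is a stricter form of the same nsupdate step that validates the address as a plain IPv4 dotted quad before building the script, and only invokes nsupdate when the private key file is readable. The server, zone, name and TTL are the post's values; the KEYFILE path and the $external_ip variable set by the UPnP part of the hook are assumptions. It assumes POSIX sh.

```shell
#!/bin/sh
# Added example, not part of the original post: a stricter form of the
# nsupdate step in the dhclient exit hook. The address is checked before it
# is interpolated into the update script, so a malformed value from the UPnP
# or DHCP side cannot turn into extra nsupdate commands, and nsupdate is run
# only when the private key file is readable. Server, zone, name and TTL are
# the post's values; KEYFILE and $external_ip are assumed names.

SERVER=211.14.6.125
ZONE=gniibe.org
NAME=www.gniibe.org.
TTL=600
KEYFILE=${KEYFILE:-/etc/dhcp/Kwww.gniibe.org.+008+34054.private}   # assumed path

# is_ipv4 ADDR -> exit status 0 if ADDR is exactly four decimal octets, 0..255
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;    # only digits and single dots
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# nsupdate_input ADDR -> prints the script nsupdate reads on stdin, or fails
# without printing anything if ADDR is not a valid IPv4 address.
nsupdate_input() {
    is_ipv4 "$1" || { echo "nsupdate_input: refusing address '$1'" >&2; return 1; }
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$SERVER" "$ZONE" "$NAME" "$NAME" "$TTL" "$1"
}

# apply_update ADDR -> signs and sends the update with the key file, exactly
# like the heredoc in the hook, but only after both checks have passed.
apply_update() {
    [ -r "$KEYFILE" ] || { echo "apply_update: cannot read $KEYFILE" >&2; return 1; }
    nsupdate_input "$1" | nsupdate -k "$KEYFILE"
}

# Hook entry point: $external_ip is set earlier by the UPnP part of the hook.
# Nothing is sent when it is unset, so the file can also be sourced for tests.
if [ -n "${external_ip:-}" ]; then
    apply_update "$external_ip"
fi
```

Because dhclient sources the exit hooks with sh, the functions can live in the same file as the UPnP part; the only behavioural difference from the original heredoc is that an address that is not four octets makes the hook log an error and skip the update instead of sending it to the server.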