nsupdate for a machine behind a firewall with a dynamic IP address

Create public/private key pair

dnssec-keygen is a tool in dnsutils on Debian. With it, I create a key pair.

The shell session looks like this:

$ /usr/sbin/dnssec-keygen -T KEY -a RSASHA256 -b 2048 -n HOST www.gniibe.org.
Generating key pair.............................+++ ...........................................................+++
Kwww.gniibe.org.+008+34054

As a result, I have two files:

Kwww.gniibe.org.+008+34054.key
Kwww.gniibe.org.+008+34054.private

Using the content of the public key file, I add the following entry to the zone file of gniibe.org:

www KEY     512 3 8 (
            AwEAAbugHbwnxj5W3N4eOx9La5aswNrE3q4BEujhkgzX
            IFZN5JbPJfppNamL5+tZt/vtuAaAwv/iVynYWk29/NdW
            viCVJil8Op3GyqeKfN1PRildQ6qO6/GkYsuVub2mgwTQ
            SfYFUKiDP2JR6Y34rkGaEL8ZUTSCKIAOhug2JVprhhMm
            UEHWmXDGY/qW48YjBIwX78Pqsp2AxYQmtxjSFg4979kF
            NPUn5t7q8JBkxbEmG1KDAbKFRUqAI3/4kMx9w02pgQKV
            dlmazo8vo9Uw6BExnj573h0WJ6Tq/269K7ELbOAQA7eb
            LE6umb3y23norERGjQjcsKo8Jncc0WImIdbc0rc=
            ) ; key id = 34054

Note that we can split the record across multiple lines using parentheses.

I add the following lines to named.conf:

update-policy {
    grant www.gniibe.org. subdomain gniibe.org A TXT MX CNAME DNSKEY;
};

It could be the following instead, if you only update the entry for www.gniibe.org:

update-policy {
    // general form: grant <keyname> name <hostname> A TXT;
    grant www.gniibe.org. name www.gniibe.org. A TXT;
};

nsupdate command line and input

I create a hook for DHCP: /etc/dhcp/dhclient-exit-hooks.d/upnp+nsupdate. In that file, I have the following invocation of nsupdate:

nsupdate -k Kwww.gniibe.org.+008+34054.private <<EOF
server 211.14.6.125
zone gniibe.org
update delete www.gniibe.org. A
update add www.gniibe.org. 600 A $external_ip
send
EOF

See "UPnP and running a web service behind firewall" for the UPnP part of the file.
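
The hook above interpolates $external_ip, a value obtained from the router, directly into nsupdate's input. As an added example (not part of the original hook), the following shell functions check that the value is a single public IPv4 address before producing the same command sequence. The function names are hypothetical; the constants are copied from this page.

```shell
#!/bin/sh
# Added example, not the original hook. Constants are copied from this page;
# the function names are hypothetical.
SERVER=211.14.6.125
ZONE=gniibe.org
HOST=www.gniibe.org.
TTL=600

# Succeed only if $1 is a dotted-quad IPv4 address outside private,
# loopback, link-local, CGNAT and multicast/reserved ranges.
is_public_ipv4() {
    ip=$1
    # Digits and dots only: rejects empty values, spaces and embedded
    # newlines that would otherwise become extra nsupdate commands.
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ????*|0?*) return 1 ;;   # too long, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    case $1.$2 in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 1 ;;
        100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7]) return 1 ;;
    esac
    [ "$1" -lt 224 ]
}

# Print the nsupdate input for a validated address; fail with no output otherwise.
nsupdate_input() {
    is_public_ipv4 "$1" || return 1
    cat <<EOF
server $SERVER
zone $ZONE
update delete $HOST A
update add $HOST $TTL A $1
send
EOF
}

# In the hook (assumes $external_ip was set by the UPnP part of the file):
#   nsupdate_input "$external_ip" |
#       nsupdate -k Kwww.gniibe.org.+008+34054.private
```

If validation fails, nsupdate receives empty input and the existing A record is left untouched.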