Begin by configuring the DNS server so that it accepts dynamic updates to a particular zone and authenticates these updates using TSIG (Transaction Signature) keys.
TSIG keys are used to authenticate dynamic updates of the DNS server. Use the dnssec-keygen utility to create the public and private TSIG key files as follows:
On a node in one of the peer clusters, log in as the root user, then open a terminal console.
Use the dnssec-keygen utility to create the public and private TSIG keys by entering
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST cluster_dns_name
The -a option specifies the cryptographic algorithm. For dynamic DNS, this must be HMAC-MD5.
The -b option specifies the number of bits in the key. You should use the strongest key possible, which for HMAC-MD5 is 512 bits.
The -n option is the name type. Because a computer is updating the DNS server, use the HOST name type.
Replace cluster_dns_name with the name of the host. For BCC, the cluster node that hosts the Novell Cluster Services Master IP Address resource updates the DNS server. Because this can be any node in the cluster, use the fully qualified name of the cluster as the host name.
For example, enter
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST cluster1.clusters.site1.company.com
This generates the public and private key files:
Kcluster1.clusters.site1.company.com.+157+60303.key
Kcluster1.clusters.site1.company.com.+157+60303.private
where 60303 represents a randomly generated number created by the utility.
Store these files in a secure location, then continue with Section E.2.2, Configuring the DNS Server with the Public Key.
The DNS administrator uses these keys to configure your master DNS server.
Modify the DNS Server configuration to use the public TSIG key you generated in Section E.2.1, Creating the TSIG Keys for DNS Server Authentication. You can place the public key information directly in the /etc/named.conf file, but it is more secure to place it in a separate location where the key file can be protected.
On the DNS Server, open a terminal console, then log in as the root user.
Open the /etc/named.conf file in a text editor, add the following line before the zone configuration, then save the changes:
include "keys.conf";
Go to the /var/lib/named directory, then use a text editor to create a keys.conf file.
In the keys.conf file, create a section for each public key you need to add.
The format of the key section is:
key <cluster_dns_name>. {
algorithm <cryptographic algorithm>;
secret "<the public key secret>";
};
The cluster_dns_name is the same name you used when creating the key with the dnssec-keygen utility. This name is also found in the public key file that dnssec-keygen created.
The cryptographic algorithm must be HMAC-MD5.
The public key secret is the Base64-encoded secret found in the public key file that the dnssec-keygen utility created. You can copy and paste the secret from the public key file to the /var/lib/named/keys.conf file.
To continue our example, the key section for the /var/lib/named/keys.conf file might look like this:
key cluster1.clusters.site1.company.com. {
algorithm HMAC-MD5;
secret "SCUT8rIUoGByvcI1Iok7tY7YvcEaHaM3zusCxXmboBxVcJvUxr335HCg lXcDQRPrJrzIKQhH4dJ4cY10ebOJFw==";
};
Save the file.
Continue with Section E.2.3, Configuring the DNS Server Zones.
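The following script is an added example and is not part of this documentation: it builds the key section for keys.conf directly from the K<name>.+157+<random number>.key file that dnssec-keygen wrote, so the secret is never retyped or pasted by hand, and it refuses a file whose algorithm is not HMAC-MD5 (algorithm number 157) or whose secret is not 512 bits. It assumes the usual one-record layout of the .key file ("<name>. IN KEY <flags> <protocol> <algorithm> <Base64 secret>"), with the Base64 secret possibly split across whitespace as dnssec-keygen prints it. The sample .key file it creates is constructed here from the secret shown above; the helper names (key_name, key_secret, make_keys_conf, install_keys_conf) are this example's own.

```shell
#!/bin/sh
# Added example (not from the documentation): derive a keys.conf stanza from a
# dnssec-keygen .key file. Assumes the one-record layout
#   <name>. IN KEY <flags> <protocol> <algorithm> <base64 secret...>
# where the Base64 secret may be split by spaces.
set -eu

KEY_ALG_HMAC_MD5=157   # algorithm number used in the file name and KEY record

# Owner name from the KEY record (first field, with its trailing dot).
key_name() {
    awk '$2 == "IN" && $3 == "KEY" { print $1; exit }' "$1"
}

# Algorithm number from the KEY record (sixth field).
key_alg() {
    awk '$2 == "IN" && $3 == "KEY" { print $6; exit }' "$1"
}

# Base64 secret: every field after the algorithm number, joined without spaces.
key_secret() {
    awk '$2 == "IN" && $3 == "KEY" { for (i = 7; i <= NF; i++) printf "%s", $i; print ""; exit }' "$1"
}

# Size in bits of the decoded secret, computed from Base64 length and padding.
secret_bits() {
    s=$1
    case "$s" in *==) pad=2 ;; *=) pad=1 ;; *) pad=0 ;; esac
    echo $(( (${#s} * 3 / 4 - pad) * 8 ))
}

# Print the key {} stanza; fail on anything other than a 512-bit HMAC-MD5 key.
make_keys_conf() {
    keyfile=$1
    name=$(key_name "$keyfile")
    secret=$(key_secret "$keyfile")
    [ "$(key_alg "$keyfile")" = "$KEY_ALG_HMAC_MD5" ] || { echo "not an HMAC-MD5 key: $keyfile" >&2; return 1; }
    [ "$(secret_bits "$secret")" -eq 512 ] || { echo "expected a 512-bit secret: $keyfile" >&2; return 1; }
    printf 'key %s {\n' "$name"
    printf '\talgorithm HMAC-MD5;\n'
    printf '\tsecret "%s";\n' "$secret"
    printf '};\n'
}

# Write the stanza so that only the owner and the group can read it (0640);
# in production, chown the file to root and the group the name daemon runs as.
install_keys_conf() {
    keyfile=$1
    dest=$2
    (umask 077; make_keys_conf "$keyfile" > "$dest")
    chmod 640 "$dest"
}

# Constructed sample .key file (not a real key) using the secret from the
# documentation's example, split by a space as dnssec-keygen prints it.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_KEY="$SAMPLE_DIR/Kcluster1.clusters.site1.company.com.+157+60303.key"
printf '%s\n' 'cluster1.clusters.site1.company.com. IN KEY 512 3 157 SCUT8rIUoGByvcI1Iok7tY7YvcEaHaM3zusCxXmboBxVcJvUxr335HCg lXcDQRPrJrzIKQhH4dJ4cY10ebOJFw==' > "$SAMPLE_KEY"

install_keys_conf "$SAMPLE_KEY" "$SAMPLE_DIR/keys.conf"
cat "$SAMPLE_DIR/keys.conf"
```

Run it against the real .key file and point the destination at /var/lib/named/keys.conf; because the stanza is generated from the file, the key name and secret in keys.conf always match what dnssec-keygen produced, and the size check catches a key generated with a weaker -b value.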
To configure the DNS zones to accept authorized DNS updates:
On the DNS server, open a terminal console, then log in as the root user.
Open the /etc/named.conf file in a text editor, then add the allow-update keyword and key in the zone configuration sections for regular lookups and reverse lookups.
For example, this is a sample zone section:
zone "clusters.site1.company.com" in {
    file "dyn/clusters.site1.company.com";
    type master;
    allow-update { key cluster1.clusters.site1.company.com.; };
};

zone "1.1.10.in-addr.arpa" in {
    file "dyn/10.1.1.zone";
    type master;
    allow-update { key cluster1.clusters.site1.company.com.; };
};
Save the changes.
Restart the DNS Server to make sure that the new configuration is imported.
Your DNS Server is now configured to accept secure dynamic updates.
Continue with Section E.2.4, Testing the DNS Server.
Before you continue to set up the BCC for dynamic DNS updating, verify that your DNS server accepts secure dynamic updates.
Install the bind-utils RPM on a Linux client computer.
Make sure that the Linux client computer is configured to use the DNS Server you want to test.
Alternatively, you can force the dig utility to query a specific DNS Server.
Use the dig utility to perform a baseline test on any server to view its current IP address.
Test Equipment | Sample Value
---|---
DNS Server IP address | 10.1.1.172
Linux client computer | wkstn1.clusters.site1.company.com
FTP server (testing to see its IP address) | 10.1.1.215 ftp.clusters.site1.company.com
For example, enter:
dig @10.1.1.172 ftp.clusters.site1.company.com
The output shows that the IP address for ftp.clusters.site1.company.com is 10.1.1.215:
; <<>> DiG 9.3.2 <<>> @10.1.1.172 ftp.clusters.site1.company.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47449
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ftp.clusters.site1.company.com. IN A

;; ANSWER SECTION:
ftp.clusters.site1.company.com. 10 IN A 10.1.1.215

;; AUTHORITY SECTION:
clusters.site1.company.com. 120 IN NS wkstn1.clusters.site1.company.com

;; ADDITIONAL SECTION:
wkstn1.clusters.site1.company.com. 120 IN A 10.1.1.172

;; Query time: 0 msec
;; SERVER: 10.1.1.172#53(10.1.1.172)
;; WHEN: Tue Aug 14 17:19:55 2008
;; MSG SIZE rcvd: 98
Use the -x option for the dig utility to perform a baseline test to check the reverse lookup records in the DNS server by the IP address.
For example, enter
dig @10.1.1.172 -x 10.1.1.215
The output shows the DNS name for the FTP server is ftp.clusters.site1.company.com:
; <<>> DiG 9.3.2 <<>> @10.1.1.172 -x 10.1.1.215
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34957
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;215.1.1.10.in-addr.arpa. IN PTR

;; ANSWER SECTION:
215.1.1.10.in-addr.arpa. 10 IN PTR ftp.clusters.site1.company.com.

;; AUTHORITY SECTION:
1.1.10.in-addr.arpa. 120 IN NS wkstn1.clusters.site1.company.com.1.1.10.in-addr.arpa.

;; Query time: 0 msec
;; SERVER: 10.1.1.172#53(10.1.1.172)
;; WHEN: Tue Aug 14 17:32:11 2008
;; MSG SIZE rcvd: 127
Securely copy to your home directory on the Linux client computer (such as /home/yourhomedir/) the public and private keys created in Section E.2.1, Creating the TSIG Keys for DNS Server Authentication.
These keys have filenames of the form K<name>.+157+<random number>.key (the public key) and K<name>.+157+<random number>.private (the private key).
Use the nsupdate utility to update an A record on the DNS server to change its IP address to 10.1.1.216.
nsupdate -v -k path_to_private_key_file
For example, enter
nsupdate -v -k /home/yourhomedir/Kcluster1.clusters.site1.company.com.+157+60303.private
> server 10.1.1.172 53
> update delete ftp.clusters.site1.company.com. A
> update add ftp.clusters.site1.company.com. 300 A 10.1.1.216
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ftp.clusters.site1.company.com. 0 ANY A
ftp.clusters.site1.company.com. 300 IN A 10.1.1.216

> send
> quit
Use the nsupdate utility to update the PTR record used for reverse lookups.
For example, enter
nsupdate -v -k /home/yourhomedir/Kcluster1.clusters.site1.company.com.+157+60303.private
> server 10.1.1.172 53
> update delete 215.1.1.10.in-addr.arpa PTR
> update add 216.1.1.10.in-addr.arpa 300 PTR ftp.clusters.site1.company.com
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
215.1.1.10.in-addr.arpa. 0 ANY PTR
216.1.1.10.in-addr.arpa. 300 IN PTR ftp.clusters.site1.company.com.

> send
> quit
Use the dig utility to verify that the changes made in Step 6 and Step 7 occurred on the DNS Server:
Use the dig utility with the DNS name to verify the IP address.
dig @10.1.1.172 ftp.clusters.site1.company.com

; <<>> DiG 9.3.2 <<>> @10.1.1.172 ftp.clusters.site1.company.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35080
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ftp.clusters.site1.company.com. IN A

;; ANSWER SECTION:
ftp.clusters.site1.company.com. 300 IN A 10.1.1.216

;; AUTHORITY SECTION:
clusters.site1.company.com. 120 IN NS wkstn1.clusters.site1.company.com.

;; ADDITIONAL SECTION:
wkstn1.clusters.site1.company.com. 120 IN A 10.1.1.172

;; Query time: 0 msec
;; SERVER: 10.1.1.172#53(10.1.1.172)
;; WHEN: Tue Aug 14 17:50:13 2008
;; MSG SIZE rcvd: 98
Use the dig utility with the IP address to find the DNS name.
dig @10.1.1.172 -x 10.1.1.216

; <<>> DiG 9.3.2 <<>> @10.1.1.172 -x 10.1.1.216
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14497
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;216.1.1.10.in-addr.arpa. IN PTR

;; ANSWER SECTION:
216.1.1.10.in-addr.arpa. 300 IN PTR ftp.clusters.site1.company.com.

;; AUTHORITY SECTION:
1.1.10.in-addr.arpa. 120 IN NS wkstn1.clusters.site1.company.com.1.1.10.in-addr.arpa.

;; Query time: 6 msec
;; SERVER: 10.1.1.172#53(10.1.1.172)
;; WHEN: Tue Aug 14 17:55:01 2008
;; MSG SIZE rcvd: 127
Use the dig utility in a reverse lookup for the old IP address to make sure that it does not return an answer.
dig @10.1.1.172 -x 10.1.1.215

; <<>> DiG 9.3.2 <<>> @10.1.1.172 -x 10.1.1.215
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49360
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;215.1.1.10.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
1.1.10.in-addr.arpa. 120 IN SOA wkstn1.clusters.site1.company.com. root.wkstn1.clusters.site1.company.com. 2007032716 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 10.1.1.172#53(10.1.1.172)
;; WHEN: Tue Aug 14 17:55:07 2008
;; MSG SIZE rcvd: 105
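The following script is an added example and is not part of this documentation: it performs the A and PTR change from the steps above as a single scripted nsupdate session and then repeats the three dig checks (new A record present, new PTR record present, old PTR record returns NXDOMAIN), failing with a message when any check does not hold. It assumes that nsupdate and dig from bind-utils are on the PATH, that the caller supplies the path to the TSIG private key file, the DNS Server address and the host names, and that only IPv4 addresses are involved. The helper names (reverse_name, update_batch, dig_status, dig_answers, run_test_procedure) are this example's own; the dig output it is tested against is taken from the listings above.

```shell
#!/bin/sh
# Added example (not from the documentation): script the A/PTR update from the
# test procedure and verify it with dig. Assumes bind-utils (nsupdate, dig) on
# the PATH and an HMAC-MD5 TSIG private key file as generated above.
set -eu

# 10.1.1.216 -> 216.1.1.10.in-addr.arpa.  (IPv4 only)
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Emit the nsupdate batch that moves $name from $old_ip to $new_ip. The forward
# and reverse zones are different zones, so each gets its own "send": a single
# update message may only touch one zone.
update_batch() {
    server=$1
    name=$2
    old_ip=$3
    new_ip=$4
    ttl=$5
    printf 'server %s 53\n' "$server"
    printf 'update delete %s A\n' "$name"
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$new_ip"
    printf 'send\n'
    printf 'update delete %s PTR\n' "$(reverse_name "$old_ip")"
    printf 'update add %s %s PTR %s\n' "$(reverse_name "$new_ip")" "$ttl" "$name"
    printf 'send\n'
    printf 'quit\n'
}

# Read dig output on stdin and print the response code (NOERROR, NXDOMAIN, ...).
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Read dig output on stdin and print the RDATA of ANSWER SECTION records of the
# given type (A or PTR); prints nothing when there is no answer section.
dig_answers() {
    awk -v t="$1" '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/ || /^$/          { in_ans = 0 }
        in_ans && $4 == t      { print $5 }'
}

# Apply the signed update, then repeat the three dig checks from the procedure.
run_test_procedure() {
    keyfile=$1
    server=$2
    name=$3
    old_ip=$4
    new_ip=$5
    ttl=$6
    update_batch "$server" "$name" "$old_ip" "$new_ip" "$ttl" | nsupdate -v -k "$keyfile"
    [ "$(dig @"$server" "$name" A | dig_answers A)" = "$new_ip" ] \
        || { echo "A record for $name was not updated to $new_ip" >&2; return 1; }
    [ "$(dig @"$server" -x "$new_ip" | dig_answers PTR)" = "$name" ] \
        || { echo "PTR record for $new_ip was not updated" >&2; return 1; }
    [ "$(dig @"$server" -x "$old_ip" | dig_status)" = "NXDOMAIN" ] \
        || { echo "PTR record for old address $old_ip is still present" >&2; return 1; }
    echo "dynamic update verified"
}

# Usage (names must be absolute, with a trailing dot):
#   sh dyndns-check.sh apply /home/yourhomedir/Kcluster1.clusters.site1.company.com.+157+60303.private \
#       10.1.1.172 ftp.clusters.site1.company.com. 10.1.1.215 10.1.1.216 300
if [ "${1:-}" = "apply" ]; then
    run_test_procedure "$2" "$3" "$4" "$5" "$6" "${7:-300}"
fi
```

Feeding the batch to nsupdate on standard input signs every message with the key named in the private key file, exactly as the interactive session above does; the dig_status and dig_answers parsers are what turn the procedure's "look at the output" steps into checks a script can fail on.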
If your setup passes the tests in this section, continue with Section E.3, Configuring the Cluster Resources for Dynamic DNS.