IPv6 dynamic DNS services?
Benedikt Stockebrand
me at benedikt-stockebrand.de
Thu Mar 17 11:33:12 CET 2011
Hi Daniel and list,

Daniel Roesen <dr at cluenet.de> writes:

> Also keep in mind that this usually operates in a single DNS domain
> so you need per-RR authorization controls (BIND e.g. doesn't have
> that as far as I'm aware - I might be wrong).

BIND actually has, but last time I messed around with it I wound up
writing into a file included by named.conf (I'm not sure if that could
have been avoided, though).

In any case it is possible to allow TSIGs to update only a given name,
or a given RR type for a given name. For a lab grade/proof of concept
implementation, check out

http://www.benedikt-stockebrand.de/maketsigkey-1.0.2.tar.gz
http://www.benedikt-stockebrand.de/nsautoupdate-1.0.1.tar.gz

> Implementing a DNS UPDATE + TSIG client is a bigger effort than
> just the simple HTTP interfaces currently being used which just needs
> a slight modification.

Depends.

If you use a Un*x system, the nsautoupdate script mentioned above uses
the nsupdate binary included with BIND, or rather the BIND client side
binaries; so the implementation effort that way is negligible.

If you implement it in embedded systems, SSL should be *significantly*
more complex/costly than TSIG at least unless the embedded system
already includes SSL support for a web interface or such. Even
without strong crypto, HTTP/TCP is more complex than DNS/UDP. (And
comparing DNS+TSIG/UDP with non-SSL HTTP/TCP isn't exactly fair.)

Cheers,

Benedikt
--
Business Grade IPv6
Consulting, Training, Projects
Benedikt Stockebrand, Dipl.-Inform. http://www.benedikt-stockebrand.de/
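
Added example, not part of the original post and not taken from the maketsigkey or nsautoupdate tools: a named.conf fragment showing the per-name, per-RR-type restriction described above, using BIND's update-policy statement. The zone name, key names, zone file name and secrets are constructed placeholders.

```conf
# One TSIG key per client. Secrets are placeholders, not real key material.
key "host1-key.dyn.example.net." {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FOR_HOST1";
};

key "host2-key.dyn.example.net." {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FOR_HOST2";
};

zone "dyn.example.net" {
    type master;
    file "dyn.example.net.zone";

    # Too broad for a shared zone: with allow-update, any listed key
    # may change every record in the zone, including other clients' names.
    #   allow-update { key "host1-key.dyn.example.net."; };

    # Per-RR authorization: each key may update only its own name,
    # and only the listed record types. allow-update and update-policy
    # cannot both be set on the same zone.
    update-policy {
        grant host1-key.dyn.example.net. name host1.dyn.example.net. AAAA;
        grant host2-key.dyn.example.net. name host2.dyn.example.net. A AAAA;
    };
};
```

With this policy an update signed by host1's key for any other name, or for a record type other than AAAA, is refused by the server.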