Bind and dhcp (rndc)

Started by Hilbert, February 10, 2021, 02:10:27 PM

Hi,

My first post here. I did a search and could not find a satisfying answer ;-)

My problem: I don't like Unbound DNS and dnsmasq, because of the lack of a CNAME.
- Unbound knows aliases, but after a query it gives a random alias back (that is what I have seen)
- dnsmasq: something along the same lines.

bind has this possibility and is working in the 21.0 release.

My problem is that rndc is generated by the bind plugin, but the dhcp user interface does not give the possibility to include that at the appropriate position:

include "/etc/dhcp/rndc-keys/rndc.key";

zone somedomain.com. {
  primary 172.31.30.5;
  key rndc-key;
}

zone 30.31.172.in-addr.arpa. {
  primary 172.31.30.5;
  key rndc-key;
}


This part can, at this point, not be done, because it is not a "sub" zone/network.

Is there a way to add this to the user interface, or is there a way to do it by hand so that it is not removed by an update when you change it in the GUI... some sort of "super advanced" options ;-)

Something like:

[ ] use rndc key (bind plugin is obligated)

Zone include:
[ text box:
zone somedomain.com. {
  primary 172.31.30.5;
  key rndc-key;
}
]

Reverse zone include:
[ text box:
zone 30.31.172.in-addr.arpa. {
  primary 172.31.30.5;
  key rndc-key;
}
]
[button: delete zone] |  [button: add more zones]

Something like this would make it possible to use bind as primary dns server within your OPNsense network.

Regards,
Hilbert

I have the same problem as Hilbert.

The auto-generated rndc-key in rndc.conf (which we cannot change via the OPNsense UI) uses the hmac-sha256 algorithm.
The regular OPNsense dhcpd service only offers hmac-md5 and hmac-sha512, which renders the dynamic DNS feature useless unless we can modify the algorithm and key.

I'm also asking myself whether manually modifying rndc.conf survives OPNsense Bind plugin updates, or whether we have to create a /usr/local/opnsense/service/templates/OPNsense/Bind target overlay for this file to make the key stable?
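
The algorithm mismatch described in the post above can be checked before dhcpd is restarted. The following is an added example, not part of either post and not OPNsense code: it compares the key that dhcpd's zone statements reference with the key BIND holds, since the TSIG-signed updates are only accepted when name, algorithm and secret all agree. The function names and the sample secret are constructed for illustration; the zone names and address are the ones from the first post.

```python
import re

# key "name" { algorithm X; secret "Y"; } as written in BIND key files and dhcpd.conf
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;'
                    r'\s*secret\s+"?([^";\s]+)"?\s*;\s*\}', re.I)
# dhcpd zone statement: captures the zone name and the key it references
ZONE_RE = re.compile(r'\bzone\s+([\w.-]+)\s*\{[^}]*?\bkey\s+"?([\w.-]+)"?\s*;[^}]*\}', re.I)

def parse_keys(text):
    """Return {key name: (algorithm, secret)}; HMAC-MD5.SIG-ALG.REG.INT -> hmac-md5."""
    return {n: (a.lower().split(".")[0], s) for n, a, s in KEY_RE.findall(text)}

def check_ddns_keys(bind_text, dhcpd_text):
    """List the mismatches that would make BIND refuse dhcpd's signed updates."""
    bind_keys, dhcp_keys = parse_keys(bind_text), parse_keys(dhcpd_text)
    problems = []
    for zone, key in ZONE_RE.findall(dhcpd_text):
        if key not in dhcp_keys or key not in bind_keys:
            problems.append(f"{zone} key {key}: not defined on both sides")
        elif dhcp_keys[key][0] != bind_keys[key][0]:
            problems.append(f"{zone} key {key}: dhcpd uses {dhcp_keys[key][0]}, "
                            f"BIND uses {bind_keys[key][0]}")
        elif dhcp_keys[key][1] != bind_keys[key][1]:
            problems.append(f"{zone} key {key}: secrets differ")
    return problems

# Constructed sample inputs; the secret is a placeholder, not a real key.
BIND_KEY = '''key "rndc-key" {
    algorithm hmac-sha256;
    secret "Y29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldA==";
};'''
DHCPD_CONF = '''key rndc-key {
  algorithm hmac-md5;
  secret Y29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldA==;
};
zone somedomain.com. {
  primary 172.31.30.5;
  key rndc-key;
}
zone 30.31.172.in-addr.arpa. {
  primary 172.31.30.5;
  key rndc-key;
}'''

if __name__ == "__main__":
    for line in check_ddns_keys(BIND_KEY, DHCPD_CONF):
        print(line)
```

With the sample input both zones are reported, because dhcpd signs with hmac-md5 while BIND expects hmac-sha256.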