os-rfc2136 - documentation?

[Tubs]

Hello,

is there a documentation available for plugin os-rfc2136 (dynamic DNS updates)?

I am searching for some more details about the logic how updates are getting triggered.

• Does the plugin check if an DNS update was successful?
• If DNS update was not successful, will the plugin do re-trials?
• How the plugin validates if DNS update is required? By DNS server check or only WAN IP against "last changed value"?
• If there a periodic check for updates by the plugin itself or do I have to scheduled manually by cron?

I noticed a strange behavior when I did some tests to find the answers to my questions above. I changed the IP manually on DNS server to see what doing something and when. Nothing.

[franco]

The RFC 2136 ist mostly curated for historic reasons. Like it's DynDNS counterpart it is not well documented and in need to a proper rewrite using MVC, but for RFC 2136 in particular we have no information about its user base that would make working on it a possibiility.

Long story short, the code is all there is. At least now as a plugin the code is easier to trace vs. when it was integrated into core.


Cheers,
Franco

[Tubs]

Thanks’ for the answer.


Abandoned and waiting for its death, is my interpretation of this explanation.
The user base might be limited to home users as this is the place where you can find dynamic IPs. But when you are running your own DNS server, dynamic IP update by rfc 2136 it is a great feature. In comparison to DynDNS There is no need for additional code or a full webserver on DNS server side.

A small improvement idea to increase the user base. Add some more words to the title of the plugin. I only found this feature by chance. As home user I was not aware about the meaning of “rfc 2136”. But “dynamic update” everybody can associate with a function.

[rcmcronny]

For the user base:  I use it also with my own DNS Setup

[Tubs]

For me, in the current version the plugin is not a reliable solution. Sometimes the plugin is reporting success but update was not done on DNS side. No second trial seems to be done.

I see potential in this plugin and I would be happy to see an improved version in the near future.

(PowerDNS does not support dynamic update by "simple command" over the API. And the API is to complex to get it integrated in OPNsense dyndns plugin. Therefore, I see the rfc 2136 method as best solution in combination with PowerDNS if you do not want to webserver + php only for dns update on the DNS server.)

[rcmcronny]

For me the plugin works reliable with my PDNS Server.

[Tubs]

Are you dining something special or are you using the plugin out of the box?

In my case it sometimes fails after reboot of OPNsense. After reboot I get a new IP and the plugin reports success. But no update done. For IP updated during running OPNsense I did not observed failures.

[rcmcronny]

Hmm, i have done nothing special. Plain Config out of the box.
I am using it on a german 1+1 VDSL (based on German Telekom VDSL). So i get every day a new ip mostly

[Tubs]

Do you get a new IP when you reboot the OPNsense box? This is the case for me as the OPN sense box also handles the PPPoE connection over the VDSL modem. And this is the situation I do have the issue with the rfc 2136 plugin. Normal IP updates are not so often. This seems to run fine.

[rcmcronny]

Yes, i do also use the pppoe of OPN sense and get a new ip, the update happens after that and to date seems to work correctly , every time i check it.

The vlan 7 tagging is done on the modem (draytek vigor 130 in my case), opnsense uses a dedicated ethernet interface without any tagging itself. But i don't think, this is causing this.
Best would be, to get more informations, on why its not updating as it should client and/or serverside if possible.
Perhaps you could rule out your dns server, if you test it with another service , i thought there was a rfc2136 service free of use somewhere, but i do not remember.
Ronny

Edit: i think it was: https://www.nsupdate.info/

[Tubs]

Also no VPN tagging on OPNsense for me.

Thank you.
I will check when I find some time.
At least good to know that in a similar set-up is is working somewhere else.

[lelik67]

There is no "Key algorithm" box. I need to put HMAC-SHA512.
Am I missing it (box) somehow, or  how should I proceed?

[rcmcronny]

Hi,

i have an old hmac-md5 key, and the tooltip mentions md5 only, but i would suggest, try it and give feedback, if it works or not  ?

Ronny

[lelik67]

Of course it does not work. Why even suggesting to try?
For nsupdate from bind-utils package you have to either use option -y algorithm:keyname:keyvalue or -k keyfilename option. I.e.
$ nsupdate -y hmac-sha512:keyname:keyvalue

or

$ nsupdate -k Kkeyname.+165+0316.private

$ cat Kkeyname.+165+0316.private
Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: keyvalue
Bits: AAA=

[lelik67]

I fixed my local copy of pugins.inc.d/rfc2136.inc and it's now working for me with HMAC-SHA512.
The fix was to introduce $keyalgo variable hardcoded to "hmac-sha512" and to replace two key old format with one key new format generated key by tsig-keygen.

Is this plugin has an owner or at least a temporary caretaker, who is willing to add a dropdown menu "key algorithm" to services_rfc2136.php & services_rfc2136_edit.php? If yes, then rfc2136.inc could be easily modified to dynamically use whatever algorithm the user had chosen.

On a side note, I cannot find a crontab entry to check if ip has changed, let say every 1 hour.
Is it a bug or there is another mechanism to trigger the check?