Spent some time on this last night to do dynamic dns updates for my RoadRunner IP address, and to allow me to transfer my zones back to my house. Got everything working, it rocks! Mini-HOWTO: :::: Prereq's for both dynamic dns and zone axfr's :::: 1) Run Bind 9.1.3+ on both ends 2) Generate a key for each _client_: $ /usr/sbin/dnssec-keygen -a HMAC-MD5 -n HOST -b 512 test.example.com Ktest.example.com.+157+29718 3) Move the keys to <machine_name>.private / <machine_name>.key $ mv Ktest.example.com.+157+29718.key test.example.com.key $ mv Ktest.example.com.+157+29718.private test.example.com.private 4) Add the private key to your named.conf (make sure perms are 600): $ cat test.example.com.private Private-key-format: v1.2 Algorithm: 157 (HMAC_MD5) Key: +qnJtcm5JntWnYzCYamurAJHiLI61DK4us0lsC4tYRVzgCXl+r69pi21r+GcZ2tXNxPCFCaKUpX4o4uXUVXe7g== Add the key to /etc/named.conf: key host.example.com. { algorithm hmac-md5; secret "4L92QzNp15zGjAO8I41o70YIK0nWSEF3ubkGjPvNdV8fEwkfjACX9zl0T8eTBPdOwMBYOqKayM2j8SRHh7xOoQ=="; }; (this has to come before any place where you might use it) :::: Dynamic DNS Updates :::: 1) give the user permission to update in /etc/named.conf: zone "example.com" { type master; file "example.com"; update-policy { grant admin.example.com. wildcard * ANY; grant test.example.com. name test.example.com. A; }; }; The top line allows anyone presenting the 'admin.example.com' key to be able to update everything in the example.com domain. The bottom line allows the 'test.example.com' key to update/delete a 'A' record for 'test.example.com', and nothing else. 2) make changes from your client! $ nsupdate -k test.example.com.private -d > update delete test.example.com. A > update add test.example.com. 1200 A 10.0.0.1 > <cr> ..will delete the 'A' record for test.example.com, and then create a new 'A' record for test.example.com with a TTL of 1200 pointing to 10.0.0.1. Cool, huh? I set up my DHCP scripts to handle this for me. :::: Secured Zone Transfers :::: 1) set up the server side all you need to do is add an 'allow-transfer { key test.example.com.; }; in named.conf for the zone you want to transfer. simple! 2) set up the client side You need to tell the client which key to present to the server. In named.conf: server 10.0.0.1 { keys { test.example.com.; }; }; .. will tell it to send the key for 'test.example.com' whenever communicating with the server at 10.0.0.1. Once that's added, just set up zone transfers as usual, they should work! Note, that this all came from playing, and I may have gotten some things very wrong. It also only does TSIG stuff, not the true DNSSEC stuff. I gotta stop and buy a copy of DNS and BIND rev 4. :) -- Nate Carlson <natecars at real-time.com> | Phone : (952)943-8700 http://www.real-time.com | Fax : (952)943-8500