Tumblelog by Soup.io
Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

June 22 2015

pfSense: SLAAC+DHCPv6 prefix delegation

April 17 2015


January 01 2015

Play fullscreen
Happy New Year (GCal edition)

December 09 2014

Disabling SSL < TLS in Dovecot and Postfix
Merkel und das Internet

November 17 2014

Play fullscreen
Lollipop battery saver - reduced animations
[Bug watch] Erlang and SHA256 SSL certificates

September 30 2014

Play fullscreen
Intel. Srsly.

September 01 2014

Your ticket system needs more monitoring
Reposted bygoatpr0n goatpr0n

June 06 2014

Play fullscreen
Plötzlich Schafe
Reposted byiskremogvaffel iskremogvaffel

May 28 2014

Amazon and Hachette

April 07 2014

Play fullscreen

March 22 2014

Authenticating sudo with the SSH agent
img: embedded image

March 20 2014

0160 4e21

March 18 2014

Play fullscreen
Let's Titanrage

March 10 2014

Play fullscreen
Sorgenfreie Gefährdung

March 04 2014

Play fullscreen
Ganz besonders schlimm in der Mitte unterwegs
Play fullscreen
Warum von der Straße gehen?

February 22 2014


Amazon leads to spending, spending leads to gratification

Just saying.

[+] Processing    last30 	(  25 orders)... 	   1518.56 EUR
[+] Processing  months-6 	(  86 orders)... 	   3450.13 EUR
[+] Processing year-2014 	(  28 orders)... 	   1674.55 EUR
[+] Processing year-2013 	( 138 orders)... 	   3840.49 EUR
[+] Processing year-2012 	(  96 orders)... 	   1302.12 EUR
[+] Processing year-2011 	(  62 orders)... 	   2868.70 EUR
[+] Processing year-2010 	(  31 orders)... 	    890.68 EUR
[+] Processing year-2009 	(  23 orders)... 	   1030.52 EUR
[+] Processing year-2008 	(  16 orders)... 	    913.45 EUR
[+] Processing year-2007 	(   6 orders)... 	    456.43 EUR
[+] Processing year-2006 	(   2 orders)... 	     30.95 EUR
[+] Processing year-2005 	(   8 orders)... 	    152.38 EUR
[+] Processing year-2004 	(   9 orders)... 	    257.50 EUR
[+] Grand total (years only) 	( 419 orders)... 	  13417.77 EUR

Curious how you rate? Take a look at trehn's gist.

flattr this!

February 21 2014


Allowing your users to manage their DNS zone

You’ve been in this situation before. You’re being the host for a couple of friends (or straight out customers) whom you’re giving virtual machines on that blade server you’re likely renting from a hosting provider. You’ve got everything mostly set up right, even wrangled libvirt so that your users can connect remotely to restart and VNC their own machine (article on this is pending).

But then there’s the issue of allowing people to update the DNS. If you give them access to a zone file, that sort of works — but you’ve either got to give them access to the machine running the DNS server, or rig up some rather fuzzy and failure-prone system to transfer the zone files to where they’re actually useful. Both cases aren’t ideal.

So here’s how to do it right — by using TSIG keys and nsupdate. I assume you’re clever enough to replace obvious placeholder variables. If you aren’t, you shouldn’t be fiddling with this anyway.

The goal will be that users can rather simply use nsupdate on their end without ever having to hassle the DNS admin to enter a host into the zone file for them.

Generating TSIG keys

This a simple process; you need dnssec-keygen, which comes shippend with bind9utils, for example; you can install it without having to install bind itself, for what it’s worth. Then, you run:

# dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST $username

For each user $username you want to give a key to. Simple as that. Be careful not to use anything else than HMAC-MD5, sadly enough, since that’s what TSIG wants to see.

You’ll end up with two files, namely K${username}+157+${somenumber}.{key,private}. .key contains the public key, .private contains the private key.

Server configuration

Simple define resp. modify the following sections in your named configuration:
  1. Define the key
    key "$username." {
      algorithm hmac-md5;
      secret $(public key - contents of the .key file);
  2. Allow the key to update the zone
    zone "some.zone.tld" {
            allow-update { key "$username."; };
TSIG support is officially experimental in PDNS; I’m only copypasting the instructions here, I haven’t checked them for correctness. All input examples manipulate the SQL backend.
  1. Set experimental-rfc2136=yes. If you do not change allow-2136-from, any IP can push dynamic updates (as with the BIND setup).
  2. Push the TSIG key into your configuration:
    > insert into tsigkeys (name, algorithm, secret) \
      values ('$username', 'hmac-md5', '$(public key)');
  3. Allow updates by the key to the zone:
    > select id from domains where name='some.zone.tld';
    > insert into domainmetadata (domain_id, kind, content) \ 
      values (X, 'TSIG-ALLOW-2136', '$username');
  4. Optionally, limit updates to a specific IP, X as above:
    insert into domainmetadata(domain_id, kind, content) \ 
      values (X, ‘ALLOW-2136-FROM’,’a.b.c.d/32’);
You’re probably getting ready to berate me anyway, elitist schmuck. Do it yourself.

Client usage

Ensure that you supply the private key file to your user. (They don’t need the public key.)

Using nsupdate on a client is a rather simple (if not entirely trivial) affair. This is an example session:

nsupdate -k $privatekeyfile
> server dns.your.domain.tld
> zone some.zone.tld.
> update add host.some.zone.tld. 86400 A
> show
> send

This will add host.some.zone.tld as an A record with IP to some.zone.tld.. You get the drift. The syntax is as you’d expect, and is very well documented in nsupdate(1).

You could also think about handing out pre-written files to your users, or a little script to do it for you, or handing out puppet manifests to get new machines to add themselves to your DNS.

Have fun.

flattr this!

Reposted bymetafnord metafnord
Older posts are this way If this message doesn't go away, click anywhere on the page to continue loading posts.
Could not load more posts
Maybe Soup is currently being updated? I'll try again automatically in a few seconds...
Just a second, loading more posts...
You've reached the end.

Don't be the product, buy the product!