[sf-lug] SF-LUG zones now using dynamic DNS

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed Mar 11 01:23:54 PDT 2020 

For those that may be interested/curious,
The DNS master for the SF-LUG zones, is now using dynamic DNS
for the SF-LUG zones.

FYI, also, BALUG has something coming up on this later this month:
https://www.balug.org/#2020-03-17

Anyway, in addition to myself there are 3 other folks that
have full access to be able to edit SF-LUG's master DNS on the
DNS nameserver.

> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> To: [REDACTED]
> Subject: SF-LUG DNS editors: SF-LUG zones now using dynamic DNS
> Date: Wed, 11 Mar 2020 00:37:46 -0700

> Dear SF-LUG DNS editors,
>
> (You are among those having access to change SF-LUG's master DNS data.)
> Please note that SF-LUG's DNS zones
> (sf-lug.org sflug.com sflug.net sflug.org sf-lug.net sf-lug.com)
> are now using/allowing dynamic DNS update to the zones,
> so the procedures for editing DNS necessarily changes a bit.
>
> Permissions/access via sudo(1) have also been adjusted accordingly.
>
> One may make DNS changes, either by:
> o dynamic DNS update, or
> o editing zone file - with some additional pre/post steps
>
> Using dynamic update.  The sudo access allows one to execute nsupdate as
> group bind, and with that group bind access, access the requisite key
> that can be used to edit those zones.
>
> Editing zone file.  To be reasonably assured that will work properly,
> (via sudo) use rndc freeze (on the specific zone) before editing the
> zone file, and after successfully editing the zone file, likewise
> use rndc thaw (on the specific zone, and again via sudo).
> To make things easier, I also coded up:
> /usr/local/bin/sudoeditzone
> /usr/local/bin/sudoeditzones
> (both those are same program and file)
> Those programs take argument(s) of the requisite zone(s),
> and handle the requisite pre/post steps, in addition to doing
> relevant checks.  (They're world readable, so one may certainly review
> them).
> Also note, that comments generally are no longer preserved, as dynamic
> DNS is in use - effectively comments will end up stripped, the data
> reformatted, and BIND9 will add its standard commenting on (some select
> bits of) the data.
>
> Let's give some examples:
>
> Using dynamic DNS update:
> $ sudo -g bind /usr/bin/nsupdate -l -k /var/cache/bind/keys/ddns-key.SF-LUG
> [sudo] password for test:
>> update add fjh21kni.sflug.net. 300 IN A 127.0.0.1
>> update add fjh21kni.sflug.net. 300 IN A 127.0.0.2
>> send
>> $
> (entered a ^D after send and <ENTER>)
> $ dig @127.0.0.1 +norecurse +noall +answer fjh21kni.sflug.net. A
> fjh21kni.sflug.net.     300     IN      A       127.0.0.2
> fjh21kni.sflug.net.     300     IN      A       127.0.0.1
> $
>
> Using sudoeditzone to edit zone file (here we use ed rather that vi,
> to make it easier to see exactly what we do).
> Also, the zone serial numbers use (at least start with) seconds since
> the epoch - Unix time - so (GNU's) date +%s is very handy for that
> (and one added \ before % to prevent ed/vi/ex/vim/... from doing
> interpretation/substitution on the %):
> $ SUDO_EDITOR=ed sudoeditzone sflug.net
> 1018
> /fjh21kni
> fjh21kni                A       127.0.0.1
> s/\.1/.111/p
> fjh21kni                A       127.0.0.111
>
>                         A       127.0.0.2
> s/\.2/.222/p
>                         A       127.0.0.222
> 1
> $ORIGIN .
> /serial
>                                 1583906526 ; serial
> !date +\%s
> 1583909117
> !
> s/1583906526/1583909117/p
>                                 1583909117 ; serial
> w
> 1022
> q
> A zone reload and thaw was started.
> Check the logs to see the result.
> $ dig @127.0.0.1 +norecurse +noall +answer fjh21kni.sflug.net. A
> fjh21kni.sflug.net.     300     IN      A       127.0.0.222
> fjh21kni.sflug.net.     300     IN      A       127.0.0.111
> $
>
> And lastly, we again use dynamic update to delete our temporary demo
> records:
> $ sudo -g bind /usr/bin/nsupdate -l -k /var/cache/bind/keys/ddns-key.SF-LUG
>> update delete fjh21kni.sflug.net. IN A 127.0.0.111
>> update delete fjh21kni.sflug.net. IN A 127.0.0.222
>> send
>> $
> (again we did a ^D following our send and <ENTER/RETURN>)
> $ dig @127.0.0.1 +norecurse +noall +answer fjh21kni.sflug.net. A
> $
>
> Also, one may note, ~root/bin/Named-checkconf
> It's essentially an "enhanced" version of (wrapper around) named-checkconf
> and runs relevant checks, and with relevant options/arguments.  Not also
> to be effective it needs to run as root (to be able to chroot and read
> relevant data, etc.).  It's also world readable, so one may view/inspect
> it to learn more.
>
> Want to learn more about dynamic DNS?
> In addition to relevant documentation, etc.,
> later this month, and BALUG:
> https://www.balug.org/#2020-03-17
>
> Use of:
> $ sudo -l
> may also be useful to review the commands one has access to with
> privilege.  I also give an example listing of that towards the end here
> (temporarily giving the "test" account that same sudo access for
> demonstration purposes).
>
> $ sudo -l | sed -ne '/may run/,$p'
> User test may run the following commands on balug-sf-lug-v2:
>     (root) /bin/su - root -c bin/Named-checkconf, /usr/sbin/rndc  
> sync sf-lug.org, /usr/sbin/rndc sync -clean sf-lug.org,  
> /usr/sbin/rndc freeze sf-lug.org, sudoedit  
> /etc/bind/master/sf-lug.org, /usr/sbin/rndc reload sf-lug.org,  
> /usr/sbin/rndc thaw sf-lug.org, /usr/sbin/rndc zonestatus  
> sf-lug.org, /usr/sbin/rndc notify sf-lug.org, /usr/sbin/rndc sync  
> sflug.com, /usr/sbin/rndc sync -clean sflug.com, /usr/sbin/rndc  
> freeze sflug.com, sudoedit /etc/bind/master/sflug.com,  
> /usr/sbin/rndc reload sflug.com, /usr/sbin/rndc thaw sflug.com,  
> /usr/sbin/rndc zonestatus sflug.com, /usr/sbin/rndc notify  
> sflug.com, /usr/sbin/rndc sync sflug.net, /usr/sbin/rndc sync -clean  
> sflug.net, /usr/sbin/rndc freeze sflug.net, sudoedit  
> /etc/bind/master/sflug.net, /usr/sbin/rndc reload sflug.net,  
> /usr/sbin/rndc thaw sflug.net, /usr/sbin/rndc zonestatus sflug.net,  
> /usr/sbin/rndc notify sflug.net, /usr/sbin/rndc sync sflug.org,  
> /usr/sbin/rndc sync -clean sflug.org, /usr/sbin/rndc freeze  
> sflug.org, sudoedit /etc/bind/master/sflug.org, /usr/sbin/rndc  
> reload sflug.org, /usr/sbin/rndc thaw sflug.org, /usr/sbin/rndc  
> zonestatus sflug.org, /usr/sbin/rndc notify sflug.org,  
> /usr/sbin/rndc sync sf-lug.net, /usr/sbin/rndc sync -clean  
> sf-lug.net, /usr/sbin/rndc freeze sf-lug.net, sudoedit  
> /etc/bind/master/sf-lug.net, /usr/sbin/rndc reload sf-lug.net,  
> /usr/sbin/rndc thaw sf-lug.net, /usr/sbin/rndc zonestatus  
> sf-lug.net, /usr/sbin/rndc notify sf-lug.net, /usr/sbin/rndc sync  
> sf-lug.com, /usr/sbin/rndc sync -clean sf-lug.com, /usr/sbin/rndc  
> freeze sf-lug.com, sudoedit /etc/bind/master/sf-lug.com,  
> /usr/sbin/rndc reload sf-lug.com, /usr/sbin/rndc thaw sf-lug.com,  
> /usr/sbin/rndc zonestatus sf-lug.com, /usr/sbin/rndc notify sf-lug.com
>     (test : bind) /usr/bin/nsupdate -l -k  
> /var/cache/bind/keys/ddns-key.SF-LUG
> $

More information about the sf-lug mailing list