
dnsdusty's Introduction

Welcome to the DNSDusty program.

Setting up BIND for dynamic updates:

You'll need to set up BIND so that it accepts signed dynamic updates for your
zone. Here's an overview:

1) Generate a key using tsig-keygen like this:

    % tsig-keygen DNSDusty > /etc/dnsdusty/dnsdusty.key

   This will create the key that will be used when signing zone update requests.

2) Add this key to your named.conf file in a stanza like this:

   key "DNSDusty" {
       algorithm hmac-sha256;
       secret "rUnmCsAl8Q+fC0Td4Og5NrnyYyNARV+Hsy637/fNvAs=";
   };

3) For each zone that you want to manage with DNSDusty, add this keyname to
   both your 'allow-update' and 'allow-transfer' lists:

   zone "example.com" {
       type master;
       file "/etc/bind/db.example";
       allow-update { key DNSDusty; };
       allow-transfer { key DNSDusty; };
   };

4) Reload named to make it see your new configuration.

Prerequisites:

DNSDusty requires the following non-standard perl modules:

   Net::DNS
   CGI::FormBuilder
   HTML::Template

Make sure these are installed prior to getting the software working.

Installing DNSDusty:

DNSDusty comes set up to be installed according to the Debian packaging
guidelines. The sources also come with an EPM listfile. If you have the EPM
program installed (see https://www.msweet.org/epm/), then you should be able to
package the software by running:

    % epm -v -f native dnsdusty

Once you generate the package, install it with your OS's installation tool.

You'll then need to modify the config file, which is by default:

/etc/dnsdusty/dnsdusty.conf.

Both the config file and the key file should be writable only by root and
readable only by the user that your webserver runs as. Since the key allows
updates to your zones, make sure that you secure these files well, unless you
want the world to be able to update your DNS server.
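
One way to check those permissions is the script below. It is an added example,
not part of DNSDusty. It assumes GNU stat (Linux) and implements the rule as
"owner root, group = the webserver's group, mode 0640"; the group name www-data
and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit the DNSDusty config and key file permissions.
# Usage (after sourcing): audit_dnsdusty /etc/dnsdusty root www-data
# Assumes GNU stat; www-data is an assumed webserver group name.

# check_secret_file PATH OWNER GROUP
# Prints one line per problem found; returns 0 when the file is clean.
check_secret_file() {
    path=$1 want_owner=$2 want_group=$3
    # Refuse symlinks so the check cannot be pointed at another file.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: missing, a symlink, or not a regular file"
        return 1
    fi
    # %U = owner name, %G = group name, %a = octal mode (e.g. 640)
    set -- $(stat -c '%U %G %a' "$path")
    got_owner=$1 got_group=$2 mode=$3
    rc=0
    [ "$got_owner" = "$want_owner" ] || {
        echo "$path: owner is $got_owner, expected $want_owner"; rc=1; }
    [ "$got_group" = "$want_group" ] || {
        echo "$path: group is $got_group, expected $want_group"; rc=1; }
    # 027 = group-write bit plus every "other" bit; none may be set.
    [ $((0$mode & 027)) -eq 0 ] || {
        echo "$path: mode $mode allows group write or world access"; rc=1; }
    return $rc
}

# audit_dnsdusty [DIR] [OWNER] [GROUP]
# Checks both files named in this README; returns 1 if either fails.
audit_dnsdusty() {
    a_dir=${1:-/etc/dnsdusty} a_owner=${2:-root} a_group=${3:-www-data}
    bad=0
    for f in "$a_dir/dnsdusty.conf" "$a_dir/dnsdusty.key"; do
        check_secret_file "$f" "$a_owner" "$a_group" || bad=1
    done
    return $bad
}
```

Note that the redirect in step 1 creates the key file with your shell's default
umask, so run the check after generating the key as well as after installing.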

Setting up Apache:

DNSDusty doesn't have any authentication built in, so you'll need to secure it
at the webserver level. I use Apache2 for my webserver, and only allow access
to DNSDusty from the SSL-enabled section (this keeps passwords from being sent
in cleartext). I use the mod-auth-pam and mod-auth-sys-group modules to
authenticate users with system level authentication on my setup.

Here is the relevant stanza from an example apache config. This should be
inside a VirtualHost section for the SSL-enabled section of the site.

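ScriptAlias /dnsdusty/cgi-bin/ /usr/lib/dnsdusty/cgi-bin/
<Directory "/usr/lib/dnsdusty/cgi-bin/">
    SSLOptions +StdEnvVars
    AllowOverride None
    Options ExecCGI
    # Deny by default, then allow the trusted address. With "Order allow,deny",
    # "Deny from All" would override the Allow line and block every client.
    Order deny,allow
    Deny from All
    # Matches only the host 10.10.10.0; use CIDR form (10.10.10.0/24) for a subnet.
    Allow from 10.10.10.0
    AuthPAM_Enabled on
    AuthGROUP_Enabled on
    AuthType Basic
    AuthName "DNSDusty"
    require group dnsadmins
</Directory>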

The per-zone authorization depends on having a valid $REMOTE_USER environment
variable, so if you plan to use this feature, then HTTP Authentication is
required.

Problems, Questions and Patches:

If you have problems, questions, suggestions or patches, feel free to report
these issues or (preferably) create pull requests on GitHub.

Enjoy!

dnsdusty's People

Contributors

erik-rossen, jtlayton, rimas-kudelis
