author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 11:36:04 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 11:36:04 +0000 |
commit | 040eee1aa49b49df4698d83a05af57c220127fd1 (patch) | |
tree | f635435954e6ccde5eee9893889e24f30ca68346 /doc/examples/ddns | |
parent | Initial commit. (diff) | |
Adding upstream version 2.2.0.upstream/2.2.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/examples/ddns')
-rw-r--r-- | doc/examples/ddns/all-keys-netconf.json | 183 | ||||
-rw-r--r-- | doc/examples/ddns/all-keys.json | 183 | ||||
-rw-r--r-- | doc/examples/ddns/comments.json | 64 | ||||
-rw-r--r-- | doc/examples/ddns/gss-tsig.json | 126 | ||||
-rw-r--r-- | doc/examples/ddns/sample1.json | 185 | ||||
-rw-r--r-- | doc/examples/ddns/template.json | 125 |
6 files changed, 866 insertions, 0 deletions
diff --git a/doc/examples/ddns/all-keys-netconf.json b/doc/examples/ddns/all-keys-netconf.json
new file mode 100644
index 0000000..27299a8
--- /dev/null
+++ b/doc/examples/ddns/all-keys-netconf.json
@@ -0,0 +1,183 @@
+// WARNING: This example configuration is not meant for production use.
+// The Kea Kea's DHCP-DDNS server can refuse this configuration because
+// it may contain mutually exclusive configuration parameters.
+//
+// The primary purpose of the example file is to provide a comprehensive
+// list of parameters supported by Kea DHCP-DDNS server along with the
+// brief description of each parameter.
+//
+// This stable version is used for YANG as we do not want to update code
+// and models each time a keyword is added to the syntax.
+{
+ // Kea DHCP-DDNS server configuration begins here.
+ "DhcpDdns": {
+
+ // Global Parameters
+
+ // IP address D2 will listen for update requests at.
+ // Default is 127.0.0.1
+ "ip-address": "127.0.0.1",
+
+ // Port D2 will listen for update requests on.
+ // Default is 53001.
+ "port": 53001,
+
+ // Maximum time to we will wait for a DNS server to respond to us.
+ // Unit is the millisecond, default is 100ms.
+ "dns-server-timeout" : 100,
+
+ // Protocol to use for Name Change Requests from a Kea DHCP server.
+ // Currently only 'UDP' is supported.
+ "ncr-protocol": "UDP",
+
+ // Format to use for Name Change Requests from a Kea DHCP server.
+ // Currently only 'JSON' is supported.
+ "ncr-format": "JSON",
+
+ // Command control socket configuration parameters for Kea DHCP-DDNS server.
+ "control-socket": {
+
+ // Location of the unix domain socket file the DHCP-DDNS server uses
+ // to receive control commands from the Kea Control Agent or the
+ // local server administrator.
+ "socket-name": "/tmp/kea-ddns-ctrl-socket",
+
+ // Control socket type used by the Kea DHCP-DDNS server.
+ // The 'unix' socket is currently the only supported type.
+ "socket-type": "unix"
+ },
+
+ // List of hooks libraries and their specific configuration parameters
+ // to be loaded by Kea DHCP-DDNS server.
+ "hooks-libraries": [
+ {
+ // Location of the hooks library to be loaded.
+ "library": "/opt/local/ddns-server-commands.so",
+
+ // Hook library specific configuration parameters.
+ "parameters": { }
+ }
+ ],
+
+ // Forward DDNS (Dynamic DNS).
+ "forward-ddns": {
+
+ // List of DDNS domains.
+ "ddns-domains": [
+ {
+ // Name of the zone (required).
+ "name": "example.com.",
+
+ // Name of the TSIG key used to protect DNS updates for
+ // names in the domain.
+ "key-name": "d2.md5.key",
+
+ // List of DNS servers where to send DNS updates.
+ "dns-servers": [
+ {
+ // DNS server IP address (required).
+ "ip-address": "2001:db8:1::10",
+
+ // DNS server UDP port. Default is 53 (DNS service).
+ "port": 7802,
+
+ // Name of the TSIG key used to protect DNS updates
+ // sent to the DNS server.
+ "key-name": "d2.sha1.key"
+ }
+ ]
+ }
+ ]
+ },
+
+ // Reverse DDNS (Dynamic DNS).
+ "reverse-ddns": {
+
+ // List of DDNS domains.
+ "ddns-domains": [
+ {
+ // Name of the zone (required).
+ "name": "2.0.192.in-addr.arpa.",
+
+ // Name of the TSIG key used to protect DNS updates for
+ // names in the domain.
+ "key-name": "d2.sha1.key",
+
+ // List of DNS servers where to send DNS updates.
+ "dns-servers": [
+ {
+ // DNS server IP address (required).
+ "ip-address": "172.16.1.1",
+
+ // DNS server UDP port. Default is 53 (DNS service).
+ "port": 5301,
+
+ // Name of the TSIG key used to protect DNS updates
+ "key-name": "d2.md5.key"
+ }
+ ]
+ }
+ ]
+ },
+
+ // List of TSIG keys used to protect DNS updates.
+ "tsig-keys": [
+ {
+ // Name of the TSIG key (required).
+ "name": "d2.md5.key",
+
+ // Algorithm of the TSIG key (required).
+ // The value must be a valid algorithm name e.g.
+ // HMAC-MD5, HMAC-SHA1, HMAC-SHA224, ...
+ "algorithm": "HMAC-MD5",
+
+ // Number of bits in the digest. Default is 0 which means
+ // to use all bits provided by the algorithm. Too short values
+ // (depending on the algorithm) are rejected.
+ "digest-bits": 0,
+
+ // Secret of the TSIG key (required) in base-64.
+ "secret": "LSWXnfkKZjdPJI5QxlpnfQ=="
+ }
+ ],
+
+ // List of loggers used by the servers using this configuration file.
+ "loggers": [
+ {
+ // Debug level, a value between 0..99. The greater the value
+ // the more detailed debug log.
+ "debuglevel": 99,
+
+ // Name of the logger.
+ "name": "kea-dhcp-ddns",
+
+ // Configures how the log should be output.
+ "output_options": [
+ {
+ // Determines whether the log should flushed to a file.
+ "flush": true,
+
+ // Specifies maximum filesize before the file is being rotated.
+ "maxsize": 10240000,
+
+ // Specifies the maximum number of rotated files being kept.
+ "maxver": 1,
+
+ // Specifies logging destination.
+ "output": "stdout",
+
+ // Specifies log entry content
+ "pattern": "%D{%Y-%m-%d %H:%M:%S.%q} %-5p [%c/%i] %m\n"
+ }
+ ],
+
+ // Specifies logging severity, i.e. "ERROR", "WARN", "INFO", "DEBUG".
+ "severity": "INFO"
+ }
+ ],
+
+ // Look at sample1 example for the use of user-contexts.
+ "user-context": { }
+}
+
+}
diff --git a/doc/examples/ddns/all-keys.json b/doc/examples/ddns/all-keys.json
new file mode 100644
index 0000000..7de1703
--- /dev/null
+++ b/doc/examples/ddns/all-keys.json
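Review bot: The TSIG section documents `"algorithm"` with the examples `HMAC-MD5, HMAC-SHA1, HMAC-SHA224, ...` and the sample key itself uses `HMAC-MD5`, so a reader treating this "comprehensive" file as the reference gets no hint that stronger options exist; template.json in this same commit lists HMAC-SHA256/384/512 as valid, so the comment could read `// HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, ... (prefer the SHA-2 family for new keys)`. The control socket is placed at `/tmp/kea-ddns-ctrl-socket`, a shared, typically world-writable directory; since this path tends to be copied verbatim from examples, a short comment noting that a dedicated runtime directory with restricted permissions is preferable would help. The header comment has a doubled word, `// The Kea Kea's DHCP-DDNS server` should read `// The Kea DHCP-DDNS server`. The same three points apply verbatim to the all-keys.json hunk that follows.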
@@ -0,0 +1,183 @@
+// WARNING: This example configuration is not meant for production use.
+// The Kea Kea's DHCP-DDNS server can refuse this configuration because
+// it may contain mutually exclusive configuration parameters.
+//
+// The primary purpose of the example file is to provide a comprehensive
+// list of parameters supported by Kea DHCP-DDNS server along with the
+// brief description of each parameter.
+//
+// This current version should be up to date, i.e. new keywords should be
+// added in this file at the same time than in the syntax.
+{
+ // Kea DHCP-DDNS server configuration begins here.
+ "DhcpDdns": {
+
+ // Global Parameters
+
+ // IP address D2 will listen for update requests at.
+ // Default is 127.0.0.1
+ "ip-address": "127.0.0.1",
+
+ // Port D2 will listen for update requests on.
+ // Default is 53001.
+ "port": 53001,
+
+ // Maximum time to we will wait for a DNS server to respond to us.
+ // Unit is the millisecond, default is 100ms.
+ "dns-server-timeout" : 100,
+
+ // Protocol to use for Name Change Requests from a Kea DHCP server.
+ // Currently only 'UDP' is supported.
+ "ncr-protocol": "UDP",
+
+ // Format to use for Name Change Requests from a Kea DHCP server.
+ // Currently only 'JSON' is supported.
+ "ncr-format": "JSON",
+
+ // Command control socket configuration parameters for Kea DHCP-DDNS server.
+ "control-socket": {
+
+ // Location of the unix domain socket file the DHCP-DDNS server uses
+ // to receive control commands from the Kea Control Agent or the
+ // local server administrator.
+ "socket-name": "/tmp/kea-ddns-ctrl-socket",
+
+ // Control socket type used by the Kea DHCP-DDNS server.
+ // The 'unix' socket is currently the only supported type.
+ "socket-type": "unix"
+ },
+
+ // List of hooks libraries and their specific configuration parameters
+ // to be loaded by Kea DHCP-DDNS server.
+ "hooks-libraries": [
+ {
+ // Location of the hooks library to be loaded.
+ "library": "/opt/local/ddns-server-commands.so",
+
+ // Hook library specific configuration parameters.
+ "parameters": { }
+ }
+ ],
+
+ // Forward DDNS (Dynamic DNS).
+ "forward-ddns": {
+
+ // List of DDNS domains.
+ "ddns-domains": [
+ {
+ // Name of the zone (required).
+ "name": "example.com.",
+
+ // Name of the TSIG key used to protect DNS updates for
+ // names in the domain.
+ "key-name": "d2.md5.key",
+
+ // List of DNS servers where to send DNS updates.
+ "dns-servers": [
+ {
+ // DNS server IP address (required).
+ "ip-address": "2001:db8:1::10",
+
+ // DNS server UDP port. Default is 53 (DNS service).
+ "port": 7802,
+
+ // Name of the TSIG key used to protect DNS updates
+ // sent to the DNS server.
+ "key-name": "d2.sha1.key"
+ }
+ ]
+ }
+ ]
+ },
+
+ // Reverse DDNS (Dynamic DNS).
+ "reverse-ddns": {
+
+ // List of DDNS domains.
+ "ddns-domains": [
+ {
+ // Name of the zone (required).
+ "name": "2.0.192.in-addr.arpa.",
+
+ // Name of the TSIG key used to protect DNS updates for
+ // names in the domain.
+ "key-name": "d2.sha1.key",
+
+ // List of DNS servers where to send DNS updates.
+ "dns-servers": [
+ {
+ // DNS server IP address (required).
+ "ip-address": "172.16.1.1",
+
+ // DNS server UDP port. Default is 53 (DNS service).
+ "port": 5301,
+
+ // Name of the TSIG key used to protect DNS updates
+ "key-name": "d2.md5.key"
+ }
+ ]
+ }
+ ]
+ },
+
+ // List of TSIG keys used to protect DNS updates.
+ "tsig-keys": [
+ {
+ // Name of the TSIG key (required).
+ "name": "d2.md5.key",
+
+ // Algorithm of the TSIG key (required).
+ // The value must be a valid algorithm name e.g.
+ // HMAC-MD5, HMAC-SHA1, HMAC-SHA224, ...
+ "algorithm": "HMAC-MD5",
+
+ // Number of bits in the digest. Default is 0 which means
+ // to use all bits provided by the algorithm. Too short values
+ // (depending on the algorithm) are rejected.
+ "digest-bits": 0,
+
+ // Secret of the TSIG key (required) in base-64.
+ "secret": "LSWXnfkKZjdPJI5QxlpnfQ=="
+ }
+ ],
+
+ // List of loggers used by the servers using this configuration file.
+ "loggers": [
+ {
+ // Debug level, a value between 0..99. The greater the value
+ // the more detailed debug log.
+ "debuglevel": 99,
+
+ // Name of the logger.
+ "name": "kea-dhcp-ddns",
+
+ // Configures how the log should be output.
+ "output_options": [
+ {
+ // Determines whether the log should flushed to a file.
+ "flush": true,
+
+ // Specifies maximum filesize before the file is being rotated.
+ "maxsize": 10240000,
+
+ // Specifies the maximum number of rotated files being kept.
+ "maxver": 1,
+
+ // Specifies logging destination.
+ "output": "stdout",
+
+ // Specifies log entry content
+ "pattern": "%D{%Y-%m-%d %H:%M:%S.%q} %-5p [%c/%i] %m\n"
+ }
+ ],
+
+ // Specifies logging severity, i.e. "ERROR", "WARN", "INFO", "DEBUG".
+ "severity": "INFO"
+ }
+ ],
+
+ // Look at sample1 example for the use of user-contexts.
+ "user-context": { }
+}
+
+}
diff --git a/doc/examples/ddns/comments.json b/doc/examples/ddns/comments.json
new file mode 100644
index 0000000..a7717d1
--- /dev/null
+++ b/doc/examples/ddns/comments.json
@@ -0,0 +1,64 @@
+// This is an example configuration file for D2, Kea's DHCP-DDNS processor.
+// It uses embedded comments which will be included in configuration objects
+// within user-contexts rather than stripped away by at lexical analysis.
+
+{
+"DhcpDdns":
+{
+
+ // Global scope
+ "comment": "A DHCP-DDNS server",
+ "ip-address": "127.0.0.1",
+ "port": 53001,
+ "dns-server-timeout" : 1000,
+
+ "control-socket":
+ {
+ "comment": "Control channel",
+ "socket-type": "unix",
+ "socket-name": "/tmp/kea-ddns-ctrl-socket"
+ },
+
+ "forward-ddns":
+ {
+ "ddns-domains":
+ [
+ // In DDNS domain
+ {
+ "comment": "DdnsDomain for zone 'four.example.com.'",
+ "name": "four.example.com.",
+ "key-name": "d2.md5.key",
+ // In DNS server
+ "dns-servers":
+ [
+ {
+ "comment": "four.example.com. server",
+ "ip-address": "172.16.1.1"
+ }
+ ]
+ }
+ ]
+ },
+
+ // In TSIG key
+ "tsig-keys":
+ [
+ {
+ "comment": "four.example.com. key",
+ "name": "d2.md5.key",
+ "algorithm": "HMAC-MD5",
+ "secret": "LSWXnfkKZjdPJI5QxlpnfQ=="
+ }
+ ],
+
+ // In loggers
+ "loggers": [
+ {
+ "comment": "A logger",
+ "name": "kea-dhcp-ddns",
+ "severity": "info"
+ }
+ ]
+}
+
+}
diff --git a/doc/examples/ddns/gss-tsig.json b/doc/examples/ddns/gss-tsig.json
new file mode 100644
index 0000000..aa71495
--- /dev/null
+++ b/doc/examples/ddns/gss-tsig.json
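Review bot: `"severity": "info"` is lower-case here while all-keys-netconf.json and sample1.json in the same commit use `"INFO"`, and the all-keys comment enumerates the upper-case spellings; whether or not the parser accepts both, the examples should agree, so `"severity": "INFO"` would be consistent. The header comment `// within user-contexts rather than stripped away by at lexical analysis.` has a stray word; `// within user-contexts rather than stripped away at lexical analysis.` reads correctly. The HMAC-MD5 key and the `/tmp` control-socket path repeat the points raised on the all-keys-netconf.json hunk.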
@@ -0,0 +1,126 @@
+// This is an example configuration file for D2, Kea's DHCP-DDNS processor.
+// It uses the GSS-TSIG hook library.
+{
+"DhcpDdns": {
+ // The following parameters are used to receive NCRs (NameChangeRequests)
+ // from the local Kea DHCP server. Make sure your kea-dhcp4 and kea-dhcp6
+ // matches this.
+ "ip-address": "127.0.0.1",
+ "port": 53001,
+ "dns-server-timeout" : 1000,
+
+ // Forward zone: secure.example.org. It uses GSS-TSIG. It is served
+ // by two DNS servers, which listen for DDNS requests at 192.0.2.1
+ // and 192.0.2.2.
+ "forward-ddns":
+ {
+ "ddns-domains":
+ [
+ // DdnsDomain for zone "secure.example.org."
+ {
+ "name": "secure.example.org.",
+ "comment": "DdnsDomain example",
+ "dns-servers":
+ [
+ { // This server has an entry in gss/servers and
+ // thus will use GSS-TSIG.
+ "ip-address": "192.0.2.1"
+ },
+ { // This server also has an entry there, so will
+ // use GSS-TSIG, too.
+ "ip-address": "192.0.2.2",
+ "port": 5300
+ }
+ ]
+ }
+ ]
+ },
+
+ // Reverse zone: we want to update the reverse zone "2.0.192.in-addr.arpa".
+ "reverse-ddns":
+ {
+ "ddns-domains":
+ [
+ {
+ "name": "2.0.192.in-addr.arpa.",
+ "dns-servers":
+ [
+ {
+ // There is GSS-TSIG definition for this server (see
+ // DhcpDdns/gss-tsig/servers), so it will use
+ // Krb/GSS-TSIG.
+ "ip-address": "192.0.2.1"
+ }
+ ]
+ }
+ ]
+ },
+
+ // The GSS-TSIG hook is loaded and its configuration is specified here.
+ "hooks-libraries": [
+ {
+ "library": "/opt/lib/libddns_gss_tsig.so",
+ "parameters": {
+ // This section governs the GSS-TSIG integration. Each server
+ // mentioned in forward-ddns and/or reverse-ddns needs to have
+ // an entry here to be able to use GSS-TSIG defaults (optional,
+ // if specified they apply to all the GSS-TSIG servers, unless
+ // overwritten on specific server level).
+
+ "server-principal": "DNS/server.example.org@EXAMPLE.ORG",
+ "client-principal": "DHCP/admin.example.org@EXAMPLE.ORG",
+
+ // client-keytab and credentials-cache can both be used to
+ // store client keys. As credentials cache is more flexible,
+ // it is recommended to use it. Typically, using both at the
+ // same time may cause problems.
+ //
+ // "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only
+ "credentials-cache": "FILE:/etc/ccache", // toplevel only
+
+ "gss-replay-flag": true, // GSS anti replay service
+ "gss-sequence-flag": false, // no GSS sequence service
+ "tkey-lifetime": 3600, // 1 hour
+ "rekey-interval": 2700, // 45 minutes
+ "retry-interval": 120, // 2 minutes
+ "tkey-protocol": "TCP",
+ "fallback": false,
+
+ // The list of GSS-TSIG capable servers
+ "servers": [
+ {
+ // First server (identification is required)
+ "id": "server1",
+ "domain-names": [ ], // if not specified or empty, will
+ // match all domains that want to
+ // use this IP+port pair
+ "ip-address": "192.0.2.1",
+ "port": 53,
+ "server-principal": "DNS/server1.example.org@EXAMPLE.ORG",
+ "client-principal": "DHCP/admin1.example.org@EXAMPLE.ORG",
+ "gss-replay-flag": false, // no GSS anti replay service
+ "gss-sequence-flag": false, // no GSS sequence service
+ "tkey-lifetime": 7200, // 2 hours
+ "rekey-interval": 5400, // 90 minutes
+ "retry-interval": 240, // 4 minutes
+ "tkey-protocol": "TCP",
+ "fallback": true // if no key is available fallback to the
+ // standard behavior (vs skip this server)
+ },
+ {
+ // The second server (it has most of the parameters missing
+ // as those are using the defaults specified above)
+ "id": "server2",
+ "ip-address": "192.0.2.2",
+ "port": 5300
+ }
+ ]
+ }
+ }
+ ]
+
+ // Additional parameters, such as logging, control socket and
+ // others omitted for clarity.
+}
+
+}
diff --git a/doc/examples/ddns/sample1.json b/doc/examples/ddns/sample1.json
new file mode 100644
index 0000000..382c4a9
--- /dev/null
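Review bot: The per-server override for `server1` flips `"gss-replay-flag"` to `false` and `"fallback"` to `true`, the opposite of the defaults set a few lines above, and the trailing comment only says fallback means "standard behavior"; a reader copying this block for a zone named `secure.example.org.` may not realise that, presumably, fallback lets an update go out without GSS-TSIG when no key can be obtained. Suggest making that explicit: `"fallback": true // if no GSS-TSIG key is available, send the update without it (standard behavior) instead of skipping this server`, and noting next to `"gss-replay-flag": false` that disabling replay protection is for demonstration only. The comment introducing the parameters block reads as a run-on, `// an entry here to be able to use GSS-TSIG defaults (optional,`; splitting it as `// an entry here to be able to use GSS-TSIG. Defaults (optional,` restores the intended meaning that the top-level values are defaults for all servers.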
+++ b/doc/examples/ddns/sample1.json 
@@ -0,0 +1,185 @@
+// This is an example configuration file for D2, Kea's DHCP-DDNS processor.
+// It supports updating two Forward DNS zones "four.example.com" and
+// "six.example.com"; and one Reverse DNS zone, "2.0.192.in-addr.arpa."
+
+{
+// ------------------ DHCP-DDNS ---------------------
+//
+"DhcpDdns":
+{
+
+// -------------- Global Parameters ----------------
+//
+// D2 will listen for update requests for Kea DHCP servers at 127.0.0.1
+// on port 53001. Maximum time to we will wait for a DNS server to
+// respond to us is 1000 ms.
+
+ "ip-address": "127.0.0.1",
+ "port": 53001,
+ "dns-server-timeout" : 1000,
+
+// One extra feature that requires some explanation is
+// user-context. This is a structure that you can define at global scope,
+// in ddns domain, dns server, tsig key and others. It is parsed by
+// Kea, but not used directly. It is intended to keep anything you
+// may want to put there - comments, extra designations, floor or
+// department names etc.
+// A comment entry is translated into a user-context with a "comment"
+// property so you can include comments inside the configuration itself.
+
+ "user-context": { "version": 1 },
+
+//
+// ----------------- Control Socket -----------------
+//
+
+ "control-socket":
+ {
+ "socket-type": "unix",
+ "socket-name": "/tmp/kea-ddns-ctrl-socket"
+ },
+
+//
+// ----------------- Hooks Libraries -----------------
+//
+
+ "hooks-libraries":
+ [
+ // Hook libraries list may contain more than one library.
+ {
+ // The only necessary parameter is the library filename.
+ "library": "/opt/local/ddns-server-commands.so",
+
+ // Some libraries may support parameters. Make sure you
+ // type this section carefully, as the CA does not validate
+ // it (because the format is library specific).
+ "parameters":
+ {
+ "param1": "foo"
+ }
+ }
+ ],
+
+//
+// ----------------- Forward DDNS ------------------
+//
+// 1. Zone - "four.example.com.
+// It uses TSIG, key name is "d2.md5.key"
+// It is served by one DNS server which listens for DDNS requests at
+// 172.16.1.1 on the default port 53 (standard DNS port)
+//
+// 2. Zone - "six.example.com."
+// It does not use TSIG.
+// It is server by one DNS server at "2001:db8:1::10" on port 7802
+
+ "forward-ddns":
+ {
+ "ddns-domains":
+ [
+// DdnsDomain for zone "four.example.com."
+ {
+ "comment": "DdnsDomain example",
+ "name": "four.example.com.",
+ "key-name": "d2.md5.key",
+ "dns-servers":
+ [
+ {
+ "ip-address": "172.16.1.1"
+ }
+ ]
+ },
+
+// DdnsDomain for zone "six.example.com."
+ {
+ "name": "six.example.com.",
+ "dns-servers":
+ [
+ {
+ "ip-address": "2001:db8:1::10",
+ "port": 7802
+ }
+ ]
+ }
+ ]
+ },
+
+// ----------------- Reverse DDNS ------------------
+//
+// We will update Reverse DNS for one zone "2.0.192.in-addr-arpa". It
+// uses TSIG with key "d2.sha1.key" and is served by two DNS servers:
+// one listening at "172.16.1.1" on 53001 and the other at "192.168.2.10".
+//
+ "reverse-ddns":
+ {
+ "ddns-domains":
+ [
+ {
+ "name": "2.0.192.in-addr.arpa.",
+ "key-name": "d2.sha1.key",
+ "dns-servers":
+ [
+ {
+ "ip-address": "172.16.1.1",
+ "port": 53001
+ },
+ {
+ "ip-address": "192.168.2.10"
+ }
+ ]
+ }
+ ]
+ },
+
+// ------------------ TSIG keys ---------------------
+//
+// Each key has a name, an algorithm (HMAC-MD5, HMAC-SHA1, HMAC-SHA224...)
+// and a base-64 encoded shared secret.
+//
+ "tsig-keys":
+ [
+ {
+ "name": "d2.md5.key",
+ "algorithm": "HMAC-MD5",
+ "secret": "LSWXnfkKZjdPJI5QxlpnfQ=="
+ },
+ {
+ "name": "d2.sha1.key",
+ "algorithm": "HMAC-SHA1",
+ "secret": "hRrp29wzUv3uzSNRLlY68w=="
+ },
+ {
+ "name": "d2.sha512.key",
+ "algorithm": "HMAC-SHA512",
+ "digest-bits": 256,
+ "secret": "/4wklkm04jeH4anx2MKGJLcya+ZLHldL5d6mK+4q6UXQP7KJ9mS2QG29hh0SJR4LA0ikxNJTUMvir42gLx6fGQ=="
+ }
+ ],
+
+// The following configures logging. It assumes that messages with at least
+// informational level (info, warn, error and fatal) should be logged to stdout.
+// It also specifies a custom log pattern.
+ "loggers": [
+ {
+ "name": "kea-dhcp-ddns",
+ "output_options": [
+ {
+ "output": "stdout",
+ // Several additional parameters are possible in addition
+ // to the typical output. Flush determines whether logger
+ // flushes output to a file. Maxsize determines maximum
+ // filesize before the file is being rotated. maxver
+ // specifies the maximum number of rotated files being
+ // kept.
+ "flush": true,
+ "maxsize": 204800,
+ "maxver": 4,
+ "pattern": "%d [%c/%i] %m\n"
+ }
+ ],
+ "debuglevel": 0,
+ "severity": "INFO"
+ }
+ ]
+}
+
+}
diff --git a/doc/examples/ddns/template.json b/doc/examples/ddns/template.json
new file mode 100644
index 0000000..601e5cf
--- /dev/null
+++ b/doc/examples/ddns/template.json
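Review bot: The reverse-zone comment names the zone `"2.0.192.in-addr-arpa"` while the configured `"name"` is `2.0.192.in-addr.arpa.`; the comment should use the dotted form so the two agree. The hooks comment says `as the CA does not validate it`, but this is a D2 configuration, so `as D2 does not validate it` is what is meant. Unlike the all-keys examples, this file carries no warning that the three `"secret"` values are published sample keys; a line such as `// The TSIG secrets below are sample values shared by every copy of this file; generate new ones before use.` above `"tsig-keys"` would discourage deploying them verbatim. Minor wording: `// It is server by one DNS server` should read `// It is served by one DNS server`.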
@@ -0,0 +1,125 @@
+// This file may be used a template for constructing DHCP-DDNS JSON
+// configuration.
+//
+// It must start with a left-curly-bracket.
+{
+
+"DhcpDdns" :
+{
+//
+// -------------- Global Parameters ----------------
+//
+// All of the global parameters have default values as shown. If these
+// are satisfactory you may omit them.
+//
+// "ip-address" : "127.0.0.1",
+// "port" : 53001,
+// "dns-server-timeout" : 100,
+// "ncr-protocol" : "UDP"
+// "ncr-format" : "JSON"
+
+//
+// ----------------- Control Socket -----------------
+//
+
+// "control-socket":
+// {
+// "socket-type": "unix",
+// "socket-name": "/tmp/kea-ddns-ctrl-socket"
+// },
+
+//
+// ----------------- Forward DDNS ------------------
+//
+ "forward-ddns" :
+ {
+ "ddns-domains" :
+ [
+// {
+// "name" : "<zone name 1>",
+// "key-name" : "<key name>",
+// "dns-servers" :
+// [
+// {
+// "ip-address" : "<ip address>"
+// ,"port" : 53
+// }
+// ,
+// {
+// next DNS server for this DdnsDomain
+// }
+// :
+// ]
+// }
+// ,
+// {
+// next Forward DdnsDomain
+// }
+// :
+ ]
+ },
+
+//
+// ----------------- Reverse DDNS ------------------
+//
+ "reverse-ddns" :
+ {
+ "ddns-domains" :
+ [
+// {
+// "name" : "<reverse zone name 1>",
+// "key-name" : "<key name>",
+// "dns-servers" :
+// [
+// {
+// "ip-address" : "<ip address>"
+// ,"port" : 53
+// }
+// ,
+// {
+// next DNS server for this DdnsDomain
+// }
+// :
+// ]
+// }
+// ,
+// {
+// next Reverse DdnsDomain
+// }
+// :
+ ]
+ },
+//
+// ------------------ TSIG keys ---------------------
+//
+ "tsig-keys" :
+ [
+// {
+// "name" : "<key name>",
+// "algorithm" : "<algorithm name>",
+// Valid values for algorithm are: HMAC-MD5, HMAC-SHA1,
+// HMAC-SHA224, HMAC-SHA256,
+// HMAC-SHA384, HMAC-SHA512
+// "digest-bits" : 256,
+// Minimum truncated length in bits.
+// Default 0 (means truncation is forbidden).
+// "secret" : "<shared secret value>"
+// }
+// ,
+// {
+// next TSIG Key
+// }
+ ]
+
+// Logging
+// ,"loggers":
+// [
+// {
+// "name": "kea-dhcp-ddns",
+// "severity": "info"
+// }
+// ]
+}
+
+// It must end with an right-curly-bracket.
+}
|
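Review bot: The commented-out global parameters are not valid JSON once uncommented: `// "ncr-protocol" : "UDP"` has no trailing comma before `// "ncr-format" : "JSON"`, and that line in turn has none before the live `"forward-ddns"` member that follows, so a user who enables the block as written gets a parse error; `// "ncr-protocol" : "UDP",` and `// "ncr-format" : "JSON",` fix it. The header sentence `// This file may be used a template` is missing "as", and the footer `// It must end with an right-curly-bracket.` should read `// It must end with a right curly bracket.`.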