// This is an example configuration file for D2, Kea's DHCP-DDNS processor.
// It uses the GSS-TSIG hook library.
{
"DhcpDdns": {
    // The following parameters are used to receive NCRs (NameChangeRequests)
    // from the local Kea DHCP server. Make sure your kea-dhcp4 and kea-dhcp6
    // configurations match this.
    "ip-address": "127.0.0.1",
    "port": 53001,
    "dns-server-timeout" : 1000,

    // Forward zone: secure.example.org. It uses GSS-TSIG. It is served
    // by two DNS servers, which listen for DDNS requests at 192.0.2.1
    // and 192.0.2.2.
    "forward-ddns":
    {
        "ddns-domains":
        [
            // DdnsDomain for zone "secure.example.org."
            {
                "name": "secure.example.org.",
                "comment": "DdnsDomain example",
                "dns-servers":
                [
                    { // This server has an entry in the hook's "servers" list
                      // below and thus will use GSS-TSIG.
                        "ip-address": "192.0.2.1"
                    },
                    { // This server also has an entry there, so will
                      // use GSS-TSIG, too.
                        "ip-address": "192.0.2.2",
                        "port": 5300
                    }
                ]
            }
        ]
    },

    // Reverse zone: we want to update the reverse zone "2.0.192.in-addr.arpa".
    "reverse-ddns":
    {
        "ddns-domains":
        [
            {
                "name": "2.0.192.in-addr.arpa.",
                "dns-servers":
                [
                    {
                        // There is a GSS-TSIG definition for this server (see
                        // "servers" under hooks-libraries/parameters), so it
                        // will use Krb/GSS-TSIG.
                        "ip-address": "192.0.2.1"
                    }
                ]
            }
        ]
    },

    // The GSS-TSIG hook is loaded and its configuration is specified here.
    "hooks-libraries": [
    {
        "library": "/opt/lib/libddns_gss_tsig.so",
        "parameters": {
            // This section governs the GSS-TSIG integration. Each server
            // mentioned in forward-ddns and/or reverse-ddns needs to have
            // an entry here to be able to use GSS-TSIG. The parameters
            // below are optional defaults: if specified, they apply to all
            // GSS-TSIG servers unless overridden at the server level.

            "server-principal": "DNS/server.example.org@EXAMPLE.ORG",
            "client-principal": "DHCP/admin.example.org@EXAMPLE.ORG",

            // client-keytab and credentials-cache can both be used to
            // store client keys. As the credentials cache is more flexible,
            // it is the recommended option. Using both at the same time
            // may cause problems.
            //
            // "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only
            "credentials-cache": "FILE:/etc/ccache",     // toplevel only

            "gss-replay-flag": true, // GSS anti replay service
            "gss-sequence-flag": false, // no GSS sequence service
            "tkey-lifetime": 3600, // 1 hour
            "rekey-interval": 2700, // 45 minutes
            "retry-interval": 120, // 2 minutes
            "tkey-protocol": "TCP",
            "fallback": false,

            // The list of GSS-TSIG capable servers
            "servers": [
                {
                    // First server (identification is required)
                    "id": "server1",
                    "domain-names": [ ], // if not specified or empty, will
                                         // match all domains that want to
                                         // use this IP+port pair
                    "ip-address": "192.0.2.1",
                    "port": 53,
                    "server-principal": "DNS/server1.example.org@EXAMPLE.ORG",
                    "client-principal": "DHCP/admin1.example.org@EXAMPLE.ORG",
                    "gss-replay-flag": false, // no GSS anti replay service
                    "gss-sequence-flag": false, // no GSS sequence service
                    "tkey-lifetime": 7200, // 2 hours
                    "rekey-interval": 5400, // 90 minutes
                    "retry-interval": 240, // 4 minutes
                    "tkey-protocol": "TCP",
                    "fallback": true // if no key is available, fall back to the
                                     // standard (non-GSS-TSIG) behavior instead of
                                     // skipping this server
                },
                {
                    // The second server (most of its parameters are omitted,
                    // so the defaults specified above apply)
                    "id": "server2",
                    "ip-address": "192.0.2.2",
                    "port": 5300
                }
            ]
        }
    }
    ]

    // Additional parameters, such as logging, control socket and
    // others omitted for clarity.
}

}