DIY RFC2136 dyndns with bind

ever since dyndns stopped to be completely free (including hassle-free) i was looking for alternatives. i recently stumbled across RFC2136 which can be used to provide dynamic dns services. since i have access to two nameservers running bind i decided to try it out.. it works pretty nicely :)

there is a howto in the pfsense wiki, however, that did not work for me. i had to use allow-update reather than update-policy.. don't know why, somehow it just seemed to have been ignored by the version of bind9 i am running on the servers. I've used in general the setup described in this very detailed webpage about dyndns with bind9.

this following howto will explain how i did my setup so that i could have a little bash script that would allow me to add new hosts to my dyndns with a single command. all my hosts will end with

i can run

/etc/bind/dyn/ myhost

and it will add a new host called to the configuration and return an authorization key which i can use on the client side.

so here is how i did it:

first of all i wanted to be able to have a simple script that would allow me to add new hosts with a minimum amount of work. so i split my config into different files, so i could later edit them automatically. also, you want to make sure the file where the keys are stored is not world readable..

  • create a directory that holds all the dynamic dns stuff:
    mkdir /etc/bind/dyn
    cd /etc/bind/dyn
  • create a basic zonefile for the dynamic dns zone. Important, you should use a dedicated subdomain with its own zone file for the dyndns stuff, as the zone file will be rewritten by bind later on and after that it is an absolute mess. so make sure you don't do this with your main zone file for your main domain! save the file as in your dyn directory. here are the contents:
    $ORIGIN .
    $TTL 30	; 30 seconds		IN SOA (
    				2013102704 ; serial
    				900        ; refresh (15 minutes)
    				600        ; retry (10 minutes)
    				604800     ; expire (1 Week)
    				30         ; minimum (30 seconds)
  • create an empty keys.conf file
    touch keys.conf
  • create a file named.conf with the following contents
    include "/etc/bind/dyn/keys.conf";
    zone "" {
    	type master; 
    	file "/etc/bind/dyn/"; 
    	allow-update { 
    	allow-query { 

    note keep the add_keys_here comment exactly as it is, this is the marker for our script so it knows where to add new keys

  • edit your main named.conf file, usually in /etc/bind/named.conf and add an include line at the end of your zone definitions like so:
    include "/etc/bind/dyn/named.conf";
  • create the “” script that will add new hosts to our setup. here are the contents of the script:
    if [ -z "$1" -o "$1" == " " ]; then
            echo "usage: <hostname>"
            echo "EXAMPLE: myhost will add"
            exit 1
    cd /etc/bind/dyn/
    mkdir tmp
    cd tmp
    echo "generating key for ${hostname}"
    keyfile=`dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ${hostname}`
    key=`grep "Key" ${keyfile}.private | awk '{ print $2; }'`
    echo "here is the key i have generated, use this to configure your client: $key"
    cd ..
    rm -rf tmp
    echo "adding key to named.conf..."
    cat named.conf | sed -e "s/\/\/add_keys_here\/\//key ${hostname};\n\t\t\/\/add_keys_here\/\//" | tee named.conf > /dev/null
    echo "key ${hostname} { algorithm hmac-md5; secret \"${key}\"; };" >> keys.conf
    echo "done"
    echo "reload bind";
    /etc/init.d/bind9 reload
    echo "currently active hosts:"
    grep "key " named.conf | awk '{ print $2; }' | tr -d ";"
  • now set the permissions so that especially the keys.conf file is only readable by bind and editable by root. also the dyn directory must be writeable by bind or if you don't want that, touch a file called and make it writeable for bind, as well as making the file writeable for bind. here is how i've set the permissions on my server:
    drwxrwxr-- 2 root bind 4096 Oct 29 13:45 ./
    drwxr-sr-x 3 root bind 4096 Oct 29 11:47 ../
    -rwx------ 1 root root  904 Oct 29 13:45*
    -rw-r--r-- 1 bind bind  434 Oct 29 13:20
    -rw-r--r-- 1 bind bind 1230 Oct 29 13:15
    -rw-r----- 1 root bind  356 Oct 29 13:45 keys.conf
    -rw-r--r-- 1 root bind  322 Oct 29 13:45 named.conf
  • now use the script to add your first hostname.
    ./add_new_host myhost

    if you did everything correctly (and if i described it all correctly) your client should now be able to update it's own dns entry with the key you received back from the script.

optionally you can also create a little script to remove hosts just as easily. create a file called with the following contents

if [ -z "$1" -o "$1" == " " ]; then
        echo "usage: <hostname>"
        echo "EXAMPLE: myhost will remove"
        exit 1
cd /etc/bind/dyn/
echo "old keys.conf entry: "
grep ${hostname} keys.conf
echo "remove key for ${hostname}"
cat named.conf | sed -e "/^\t\tkey ${hostname}.*$/d" | tee named.conf > /dev/null
cat keys.conf | sed -e "/^key ${hostname}.*$/d" | tee keys.conf > /dev/null
echo "reload bind";
/etc/init.d/bind9 reload
echo "currently active hosts:"
grep "key " named.conf | awk '{ print $2; }' | tr -d ";"

make it executable and run it to remove hotsts. warning make a backup of your keys.conf and your named.conf file before testing this :)

./ myhost
  • diy_rfc2136_dyndns_with_bind.txt
  • Last modified: 29.10.2013 14:44
  • by Pascal Suter