On Mar 26, 2004, at 04:13, Gordon Fecyk wrote:

> Patrik suggested "10 lines of sh" can put a public key into a DNS KEY
> record. That's pretty powerful stuff from what was originally a batch file
> language.
>
> What stops a particular DNS implementation from inserting data into a
> RMX-type record or database, or "synthesizing" a response to a RMX-type
> query based on data stored in another format somewhere, populated by
> dynamic DNS registrations elsewhere?[1]
By the use of public-key cryptography.

See http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html

The main part of the script I run as soon as I get a new IP address
looks like this, and is a call to dnsupdate:
ADDR=$1                                            # new address, passed as the first argument
KEYFILE=/usr/local/named/default/Kzx81.paf.se.+001+46883.private   # private key that signs the update
# Feed the update commands to nsupdate on stdin; drop its echoed input lines
# and keep only the last line of the debug output as the result.
/usr/local/bin/nsupdate -d -v -k $KEYFILE 2>&1 << EOF | grep -v '^>' | tail -1 > /tmp/ddnsresult
server sjc.paf.se
zone paf.se
update delete zx81.paf.se A
update add zx81.paf.se 10 A $ADDR
send
quit
EOF
The content of /usr/local/named/default/Kzx81.paf.se.+001+46883.private
was created via use of openssl, and the public key is added to the DNS
as a KEY record.

This is *not* rocket science.

paf
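As an added example, not part of paf's message or the howto he links: a stand-alone sh script in the spirit of the one above that adds the checks a practitioner would want around the update. It only lets a well-formed IPv4 address reach nsupdate's stdin, refuses a private key file that other users can read, skips the round trip when the published record already matches, checks nsupdate's exit status, and confirms the result by querying the master with dig. The server, zone, host name and key path are placeholders chosen for this example; nsupdate and dig are assumed to be the BIND utilities.

```sh
#!/bin/sh
# Added example (not paf's script). All names below are placeholders.
SERVER="ns.example.test"                                   # master that accepts signed updates
ZONE="example.test"
NAME="host.example.test"                                   # record being maintained
TTL="10"
KEYFILE="/etc/ddns/Khost.example.test.+001+12345.private"  # placeholder key path

# Accept only a dotted quad with four octets in 0..255. Anything else (a
# hostname, a second line, extra text) is rejected before it reaches nsupdate.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # positional parameters are local to the function
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The private key must not be readable by group or others:
# the "------" are the group/other bits of ls -l output.
check_keyfile() {
    [ -f "$1" ] || { echo "key file $1 missing" >&2; return 1; }
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "key file $1 is readable by others (mode bits $bits)" >&2; return 1; }
    return 0
}

# Emit the nsupdate command stream for the given address on stdout.
update_script() {
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\nquit\n' \
        "$SERVER" "$ZONE" "$NAME" "$NAME" "$TTL" "$1"
}

# Current A record as the master sees it (empty if none or unreachable).
published_addr() {
    dig +short "@$SERVER" "$NAME" A 2>/dev/null | head -n 1
}

do_update() {
    addr=$1
    valid_ipv4 "$addr" || { echo "refusing to submit '$addr': not an IPv4 address" >&2; return 2; }
    check_keyfile "$KEYFILE" || return 2
    if [ "$(published_addr)" = "$addr" ]; then
        echo "$NAME already points at $addr"
        return 0
    fi
    update_script "$addr" | nsupdate -k "$KEYFILE" \
        || { echo "nsupdate failed for $NAME" >&2; return 1; }
    # Do not trust the exit status alone: ask the master what it now serves.
    after=$(published_addr)
    [ "$after" = "$addr" ] || { echo "update sent but $SERVER still returns '$after'" >&2; return 1; }
    echo "$NAME -> $addr (ttl $TTL) via $SERVER"
    return 0
}

# Run the update only when an address is given; sourcing the file just
# defines the functions.
if [ $# -ge 1 ]; then
    do_update "$1"
fi
```

Usage: `sh ddns-update.sh 192.0.2.10` from whatever hook hands you the new address. The validation step matters because the address normally comes from outside the script (a DHCP client hook, a PPP up script) and everything after it on stdin is interpreted by nsupdate as further commands signed with your key.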