dudders: Dynamically Updating DNS Duly Embracing RSA SIG(0)

For those of us with dynamic IP addresses at home (assigned via IPCP/PPP/ADSL) it’s nice to have a stable host name for remote access. My previous solution was to use dyndns, which uses an HTTP-based protocol to update a subdomain of one of dyndns’s domains. However, I preferred to use my own domain.

As I try to use cool crypto wherever possible, the public-key based SIG(0) from RFC2931 seemed like a nifty protocol to use. The usual tool for generating keys is dnssec-keygen, and for performing updates it’s nsupdate, both part of ISC’s BIND. I set this up and tested it from my MacBook Pro, where it worked fine.

However, since a WRT54GL router running OpenWRT controls my PPP connection, and thus knows when my IP address changes, the logical place to be running nsupdate was on this router. Unfortunately OpenWRT’s nsupdate (packaged as bind-client) is relatively large at 439186 octects; add to this libopenssl and bind-libs, and I’d run out of room on my JFFS2 partition. If you have the room, it’ll work for TSIGs: Ignace Mouzannar describes how to do it. However, even when I got it installed, I couldn’t make it sign a SIG(0) request. Chip Rosenthal has also noticed problems, and came up with an HTTP-based solution to get another host to run nsupdate, called web-nsupdate.

My solution? Write my own client in C, that can read the “dnssec-keygen“ key files. Presenting dudders: my lightweight DNS UPDATE client. It even comes as an OpenWRT ipkg. It still needs a crypto library, but it can use libgcrypt which (even after dependencies) still weighs in lighter than libopenssl.

Leave a Reply

Your email address will not be published. Required fields are marked *