October « 2009 « Matt’s Blog

Matt’s Blog Just another weblog


Ubuntu 8.04 LTS Dynamic DNS with nsupdate

VMs are a perfect framework for exploring and testing new technologies. A recent technology I have been interested in is Hadoop and I wanted to experiment with it in a clustered configuration. Since I have limited hard resources available to construct a cluster, I decided that my nodes will be part of a VM deployment.

To reduce deploy problems, it is preferred that all the nodes in a cluster are as homogeneous as possible. To assist in this effort, I have been working a VM clone script based on the information described here. One of my requirements in deploying identical systems is that cloned VMs should contain a proper DNS entry. After researching this topic, I came to the realization that nsupdate is the right tool. nsupdate is a maintenance utility to perform DNS zone updates.

My next task was to configure my Ubuntu 8.04 DNS bind server to allow for the ability to perform remote dynamic DNS updates (DDNS). The process of configuring nsupdate is pretty straight forward and requires the following modifications to your zone:

zone "my.zone" {
    type master;
    notify no;
    file "/etc/bind/my.zone.zone";
    allow-update {;; };
    journal "/var/lib/bind/my.zone.jnl";

The two new entries I had to add were the "allow-update" tag and "journal" tag. I decided that my initial DDNS deployment would use IP-based authorization since my private network security requirements are not as stringent. However, I believe the correct approach would be to deploy authorization keys as described by this article.

The second element I had to add was the "journal" tag. This was because Ubuntu deploys apparmor which has a configuration for named. The configuration specifies the privileges the named process has on the system. Without the "journal" tag, named was attempting to write the journal file to /etc/bind which the apparmor configuration strictly prohibited. My syslogd would contain the below entry describing this error:

updating zone 'my.zone/IN': error: journal open failed: unexpected error

The apparmor configuration file for named (/etc/apparmor.d/usr.sbin.named), indicates that journal files typically live in /var/lib/bind and it explicitly allows the named process to write to this directory. With the above two changes, I am now able to perform dynamic DNS updates from my cloned VMs:

> server
> zone my.zone
> update delete foobar.my.zone. A
> update add foobar.my.zone. 86400 A
> show
> send

Also, see here for secure dynamic DDNS tutorial.

If you insist upon hand-editing the file, make sure to first suspend updates to the zone with rndc freeze $ZONE. After editing is finished, you have verified your edits with named-checkzone, and you have incremented the SOA serial number, resume dynamic updates by running rndc thaw $ZONE.

Filed under: Guide 1 Comment